That's right, cisco has create a command that allows for even the novice engineer, to help secure a router. Execution of the command with a ? mark shows you these available options
First off the command makes the best guess, and uses best common practices for securing your IOS router. You should always review the changes and understand what's being configured imho.
It's not available for any IOS-XR or ASA devices. The cli auto secure command, is available for most newer routers running the latest serioous of IOS code . And for most IOS-based L3 switches.
Okay when you 1st execute the command you will get a cisco warning;
The command is systematic in it's process of securing of the access,snmp,ntp,interfaces etc.....
Here's a full complete setup of a a very basic auto secure session.
SOCASR1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router but it will not make router absolutely secure
from all security attacks ***
All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:
Securing Management plane services..
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Is SNMP used to manage the router? [yes/no]: yes
SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3
Configure NTP Authentication? [yes]: no
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
+
this is my router +
Enter the new enable password:
Confirm the enable password:
Configuring AAA local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 10
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10
Configure SSH server? [yes]:
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services..
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: no
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C
this is my router ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 123E000317180D24282A3029
aaa new-model
aaa authentication login local_auth local
line console 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
login block-for 10 attempts 5 within 10
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int GigabitEthernet0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
int GigabitEthernet0/0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
int GigabitEthernet0/0/2
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
int GigabitEthernet0/0/3
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
ip access-list extended 100
permit udp any any eq bootpc
!
end
Apply this configuration to running-config? [yes]:
So at it's conclusion, you now have the oppurtunity to apply the config to your cisco device. If you choose to answer with a "no", than no changes will take place.
Also cisco took the luxury to enforce acceptable password lengths & validation;
So you don't have to worry about your password being input wrongly.
Conclusion;
Auto secure provides a quick no brainer approach for deploying the basic security for a router that internet facing or non-internet facing. It strices to use cbac or tcp interception security features. It's available on most cisco devices.
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \
I was just thinking of my career change as an iOS developer since I am passionate to create application. Your blog motivate me to start immediately. Thank you admin
ReplyDeleteRegards:
iOS Course Chennai
mobile application development training in chennai
I'm glad to hear of that.If you place some time and effort, you can be very good at it.
ReplyDelete