Basic and Advanced Router Security Configuration

From ITCwiki

Configuring a Cisco Router

• A Router defines a network. From its security, to making computers more scalable and easy to configure, to breaking apart broadcast domains and verifying information reaches its intended purpose, routers are essential to the security line of work and the process of securing our information. As an integral part, a router requires its own standard protection which can be configured via the console port. Router policies that are the simplest are the most often overlooked, and require careful implementation.

Cisco.jpg

Basic Router Security Configuration

  • 90% of all interactions users make with the router are through the virtual terminal server, or command line. Therefore, in order to prevent users from accessing data inside and outside the network, a network administrator needs to be proficient in using the command line to patch security flaws and implement countermeasures. There are several basic command line tools users can run that can secure the router, and by extension the entire network.

Prevent access from inside the network

  • Although many attacks come from outside the network, there are some issues with internal threats; as simple as users acting without administrative privileges to an experienced hacker who attempts to retrieve data from a subnet. In this section, we will observe basic command line operations for password control, vty/tty access, and encrypting the saved configuration on the router to prevent back doors. Sometimes the most simple of features to run are the most integral, and it is very important to have an understanding of them.

Password Control

  • The enable secret command is used in order to set the password that grants administrative access to the Cisco router. The enable secret increases the security of the enable password command. If no enable secret is set and a password is configured from the Telnet line, the console password can be used to receive privileged access, even from a remote tty/vty session; causing potential damage to the network.
  • The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they shoulder-surf over an administrator.
  • The login Password Retry Lockout commands allows an administrator to “lock out” a local user account after a configured number of unsuccessful login attempts. By using the aaa access control model (Authentication, Authorization, and accounting) the router can refuse non-administrative users and disrupting brute force attacks. Once a user is locked out, their account is locked until the administrator unlocks it. An authorized user who is configured with privilege level 15 must be kept to a minimum. Note that authorized user can lock themselves out of the router if the number of unsuccessful login attempts is reached.

The Four Basics

There are four steps everyone should know when configuring a router, and all configurations in the future will build on them some way or another.

  • Set a console password
    • The most basic form of security which prevents users from accessing the router when it is activated. They are operated by entering (config)# enable password, followed by your chosen password.

Configure console password.png

  • Encrypt passwords in your running configuration
    • Console passwords are written in cleartext by default. They can be encrypted by inputting (config)# enable password-encryption.

Enable password encryption.png

  • Limit user capabilities with privilege level commands
    • Enable global configuration mode passwords to prevent users from editing more than their level of authorization. Configured by entering (config)#, enable secret, followed by your chosen password.

Enable secret.png

  • Set Telnet and Console passwords
    • Encrypt the lines that allows users over a network to interface with the router. Performed by entering (config)# line console 0 for console, line vty for Telnet; enter and inputting login, enter, password, followed by your desired password.

Vty connection password.png

Configure console password.png

Password Retry Logout

Besides the basic commands for router security, even the least sophisticated hackers can permeate the network using techniques such as DOS and brute force. In order to prevent these new attacks, we need more complex techniques to build on top of the security we already have. Configure Password Retry Logout: Causes a user to become “locked out” after a predefined number of failed login attempts. It is activated by enabling the aaa access control model on the router, specifying the number of failed login attempts, and setting the type of authentication method.

  • (config)# [username] [privilege level] password encryption-type password
  • (config)# aaa new-model
  • (config)# aaa local authentication attempts max-fail [number of attempts allowed]
  • (config)# aaa authentication login default [method, eg. Local]

Advanced Router Security Configuration

Cisco offers many additional ways to secure our routers further by hardening passwords and creating methods to prevent brute force attacks. Here, we will look at additional commands that you may want to implement on your devices to secure them further.

Prevent Access from the Internet

A phenomenal amount of damage to routers and host computers alike comes from the internet. Firewalls, servers, and other methods of defense can prevent attacks and intrusion into the network, but the router itself has built-in abilities that allow it to protect itself from attacks fighting to get access. In this section, we will go over Advanced Security Commands, a plethora of configuration options that allow administrators to change password settings, block access from certain users, and deflect many different types of router manipulation. We will be able to secure ports and applications, disable unused services (router hardening), and block interfaces. Advanced security is advanced; a battle to stay one step ahead of anyone trying to permeate the router and the protection of your network.

===Advanced security commands===

  • Block Denied Logins- Useful for delaying denied logins when someone is trying to brute force the router. (config)# login bock-for [seconds] attempts [attempts] within [seconds]

Login block small.png

  • Login Delay – Adds a delay at the point of a login being unsuccessful

(config)# login delay [seconds]

Login delay small.png

  • Login Logging – Generates a log after a certain amount of failed or successful attempts.

(config)# login on-failure log [#]

Success login small.png Fail login small.png

  • Min Password length – Ensures that any new password created on the router meets a minimum password length.

(config)# security password min-length [number of characters]

Fail login small.png

  • Set Timeout – Sets a time out period for the connection line (con / vty).

(config-line)# exec-timeout [min/hour]

Securing ports and applications

  • Some beneficial services are not enabled by default that can be turned on. These differ from enable and encryption commands as they are actions the router actively takes part in and incorporates in everyday activities.
    • Service tcp-keepalives-in/out: Prevents VTY and Line messages from being sent indefinitely. This command orders the router sends and recieve TCP keepalive messages. When a set amount of time has passed, the TCP protocol sends and empty TCP segment with only the ACK flag turned on. If the initiator sends a reply ACK, the connection resumes; but if not the router assumes the connection has died.
      • Service TCP-keepalives-in: generates keepalive packets on incoming network connections (initiated by remote hosts).
::*(config)# service tcp-keepalives-in
::*(config)# end
  • Service tcp-keepalives-out: Generates keepalive packets on outgoing network commands(initiated by user).
::*(config)# service tcp-keepalives-out
::*(config)# end
  • Service Timestamp Logging: An application on the router that records debugging or system log events forwarded through the router. [debug]indicates timestamp is applied to debugging, [log]indicates system loggingg messages, [uptime] indicates the time the system was rebooted (listed in HHHH:MM:SS), [datetime] indicates the current time. and [year] indicates the year of the date.
::*Service timestamps [debug | log] [ uptime | datetime  [year]
  • Service Timestamp standard logging: A more simple version that only records events occuring on the system log.
Service timestamps [log] [datetime] [msec] [show-timezone] [localtime]

Disabling unused services/Router Hardening

There are many services that are enabled by default on Cisco Routers. Each can provide information an attacker can use. Routers are social butterflies by nature; they connect and exchange information with other routers that can be tampered with and modified by external sources, leaving the system vulnerable for attack. Occasional services can be removed in order to prevent potential breach, but it can interfere with these actions if they are needed later. Note: In order to make these changes permenant, run “copy running-config startup-config” at any time to save changes to the NVRAM.

  • (config)# no service tcp-small-servers Disables unnecessary services such as echo, discard, and chargen. Disabled by default
  • (config)# No service udp-small-servers Disables minor User Datagram Protocol services. Disabled by default.
  • (config)# No service dhcp Disables DHCP servers, which are enabled by default. Almost never necessary. DHCP can also run Bootp requests.
  • (config)# No ip finger Disables Finger Service, which can provide extensive user information. (eg, who is logged on to each system)
  • (config)# No service config Disables Service config, which which is enabled by defult and attempts to access server configuration files from a network Trivial File Transfer Protocol (TFTP) server
  • (config)# No snmp-server Disables Simple Network Management Protocol agent operation information upadates. Disabled by default.
  • (config)# No ip bootp server Disables the Bootstrap service on the router. Obtains the network location of the boot image an IP address. Enabled by default.
  • (config)# No ip http server Disables the Cisco Web browser interface, which allows configuration and monitoring of the router using any web server. Enabled by default
  • (config)# No ip http secure-server Disables Hyper Transfer Protocol Secure. Enabled by default
  • (config)# No ip gratuitous-arps Disables the transmission of gratuitous-arps command in global configuration mode. Enabled by default
  • (config)# No ip source-route Instructs the router to discard IP datagrams containing a source-rout option. Enabled by default
  • (config)# No ip directed-broadcast Disables IP broadcast to a specific subnet, which can leave the system vulnerable for smurf attacks. It is disabled by default.
  • (config)# No ip unreachables Prevents the Cisco router from sending UDP packets searching for ‘port unreachable’ messages. Disabling causes traceroute to ‘break’, as it cannot comprehend routes ending in unreachable. Enabled by default
  • (config)# No cdp run Disables Cisco Discovery Protocol capability, which sends out multicast updates to neighbors. Enabled by default
  • (config)# ip options drop Drops or ignores IP option packets that are sent to the router. Enabled by default

Commands for Individual Interfaces

  • No ip directed-broadcast
  • No ip unreachables
  • No ip redirects Disables ICMP, which sends redirected messages to clients. Prevents traffic redirection. Enabled by default.
  • No ip mask-reply Disables router responses to Internet Control Message Protocol (ICMP) mask requests. Enabled by default.
  • No ip proxy-arp Disables Proxy ARP, which helps machines reach remote subnets, but is vulnerable to intercepted packets or “Spoofing”. Enabled by default

Disable interfaces

Along with having services and abilities at its disposal that hackers can manipulate, physical hardware and the ports to the router themselves can also be attacked. Therefore, it is important to know how to be able to modify security on interfaces. The first form of security on an interface is to disable it. There’s no door safer than a wall, so by completely blocking off a port, users from footprinting the network or using port-spying techniques to break into the router. To disable a port, enter the command prompt with global configuration mode, select the interface you want to close, and shut it down.

  • Router> enable
  • Router# config terminal
  • Router(config)# int '[interface name, eg.' fa0/1]
  • Router(config-if)# shutdown