1 Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004

2 Introduction (agenda): Types of Routers; Unnecessary Services; Password Management; Interactive Access; IP Routing

3 Introduction (continued): Warning Banners; SNMP Security; Logging Requirements; General Requirements; Router Threat Management

4 Types of Routers: boundary or edge routers; interior routers; backbone routers; aggregate routers or hub routers

5 Types of Routers Interior routers provide connectivity within a routing domain.

6 Types of Routers Backbone routers provide connectivity between routing domains.

7 Types of Routers Aggregate routers and hub routers combine a large number of connections into a smaller number of high-bandwidth connections.

8 Types of Routers A boundary or edge router sits between two or more networks that belong to different security domains (for example, the Internet and an internal network). Because it is the first device an outside attacker reaches, it requires a higher level of security.

9 Unnecessary Services The TCP and UDP small servers (echo, chargen, discard, daytime) must be disabled on the router. They have no operational use and have been abused for denial of service, for example by bouncing traffic between the echo and chargen ports.

10 Unnecessary Services These services can be disabled with the global configuration commands:
no service tcp-small-servers
no service udp-small-servers
Note: Small services are disabled by default in Cisco IOS 12.0 and later software.

11 Unnecessary Services Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled. CDP announces the device name, platform, IOS version and interface addresses to whatever is attached to the adjacent link, which is exactly what an attacker on the outside wants to learn.

12 Unnecessary Services CDP can be disabled for the whole router with the global configuration command: no cdp run
CDP can be disabled on a particular interface with the interface configuration command: no cdp enable

13 Unnecessary Services HTTP access (the IOS web management interface) should be disabled on the router, especially on a boundary/edge router.

14 Unnecessary Services Finger should be disabled on the router. The finger service can be disabled with the command: no service finger

15 Unnecessary Services The RSH and RCP services must be restricted by source IP address; they trust the caller's address alone and carry everything in the clear. If the services are not needed, they must be disabled.

16 Unnecessary Services These services can be disabled with the global configuration commands:
no ip rcmd rcp-enable
no ip rcmd rsh-enable
Note: Both services are disabled by default in Cisco IOS 12.0 and later.
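The service-removal commands from slides 9 through 16, collected into one configuration fragment. This is an added example, not material from the deck; the interface name FastEthernet0/0 is assumed, and the HTTPS line (no ip http secure-server) goes one step beyond the deck, which mentions only HTTP.

```cisco
! Added example (not from the presentation): disable unneeded services on an
! edge router, Cisco IOS 12.x syntax. Interface name is an assumption.
configure terminal
!
! TCP/UDP small servers (echo, chargen, discard, daytime); off by default from 12.0,
! stated explicitly so the configuration documents the intent
no service tcp-small-servers
no service udp-small-servers
!
! finger: reveals who is logged in to the router
no service finger
!
! Built-in web server. The secure-server line also stops the HTTPS listener on
! images that have one (beyond the deck; harmless if the keyword is unsupported)
no ip http server
no ip http secure-server
!
! rsh / rcp: off by default from 12.0, again stated explicitly
no ip rcmd rcp-enable
no ip rcmd rsh-enable
!
! CDP: off for the whole router on an edge device ...
no cdp run
!
! ... or, if internal links still need CDP, off only on the outside interface
interface FastEthernet0/0
 no cdp enable
 exit
!
end
```

Defaults do not appear in show running-config, so confirm the result with the state commands rather than by reading the configuration: show cdp should report that CDP is not enabled, and show ip http server status (on images that support it) should show the server disabled.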

17 Password Management The service password-encryption command should be enabled to provide minimum protection for passwords that IOS would otherwise store in clear text in the configuration.

18 Password Management As a global default, use the command: service password-encryption Note: This command directs the IOS software to obscure passwords, CHAP secrets, and similar data saved in its configuration file. The encoding it applies (type 7) is a reversible cipher, not a hash: it stops casual reading of a displayed configuration, but it will not withstand an attacker who obtains a copy of the configuration file.

19 Password Management The enable secret command is used to set the password granting privileged administrative access to the IOS system. It stores a salted MD5 hash (type 5) of the password and should be used instead of the older enable password command, whose value is at best type-7 obscured.

20 Password Management All system installation, maintenance, and default passwords supplied by vendors must be changed. Passwords should follow the password complexity guidelines outlined in your company’s security policies.

21 Interactive Access tty (console and auxiliary) access should be controlled with both a user ID and a password, held in the router's local user database rather than as a single shared line password. Note: Wherever possible, all tty access should authenticate against a TACACS+ or RADIUS server, with the local database kept as the fallback for when the servers are unreachable.

22 Interactive Access Reverse telnet sessions to the console and auxiliary tty lines should be disabled. Disable them with the line configuration command: transport input none

23 Interactive Access vty access to the router should be controlled by both a user ID and password when logging into the router. Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.

24 Interactive Access vty lines should be configured to accept connections only from those protocols actually needed.

25 Interactive Access Use the line configuration command transport input to restrict the protocols accepted by the vty lines (for example, transport input ssh to accept SSH only).

26 Interactive Access Access to at least one vty line should be restricted to a single management IP address or a small range, so that an attacker who opens connections to all the other vty lines cannot lock administrators out (a denial of service against management). The line configuration command access-class, with an IP access list, is used to restrict the permitted source addresses.

27 Interactive Access Timeouts should be configured on all vty lines, based on your company’s timeout policy. Use the exec-timeout command to configure timeouts on vty lines.
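The password-management items (slides 17 through 20) and the interactive-access items (slides 21 through 27) applied together in one configuration. This is an added example, not part of the presentation; the hostname, domain name, TACACS+ server 10.1.1.5, management subnet 10.1.1.0/24, administrator host 10.1.1.10, account names and every secret are placeholders to be replaced.

```cisco
! Added example (not from the presentation): password handling and line access
! control, Cisco IOS 12.x syntax. Addresses, names and secrets are placeholders.
configure terminal
hostname edge-rtr1
! A domain name is required before "crypto key generate rsa" (run at the exec
! prompt, not in the configuration) can create the SSH host key
ip domain-name example.com
!
! Type 7 obscuring for anything still stored in the clear (line passwords, CHAP
! secrets). Reversible, so it only defeats shoulder-surfing of the config.
service password-encryption
! Privileged-mode secret, stored as a salted MD5 hash (type 5)
enable secret Change-Me-Example-1
! Local administrator account, used only when the TACACS+ server is unreachable
username netadmin secret Change-Me-Example-2
!
! Central authentication with local fallback; a separate, local-only list for the console
aaa new-model
tacacs-server host 10.1.1.5
tacacs-server key Change-Me-Tacacs-Key
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
!
! ACL 10: management stations allowed on the general vty lines
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
! ACL 11: the single administrator host reserved for the last vty (anti-lockout)
access-list 11 permit host 10.1.1.10
access-list 11 deny any log
!
line con 0
 login authentication CONSOLE
 exec-timeout 10 0
! no reverse telnet into the console line
 transport input none
line aux 0
 login authentication CONSOLE
 exec-timeout 1 0
! the aux port is unused: give it no shell and no inbound transport at all
 no exec
 transport input none
line vty 0 3
 login authentication default
 access-class 10 in
! SSH only; use "transport input telnet ssh" only while telnet cannot yet be retired
 transport input ssh
 exec-timeout 10 0
line vty 4
 login authentication default
! narrower ACL: one session stays reachable even if vty 0-3 are all held open
 access-class 11 in
 transport input ssh
 exec-timeout 10 0
end
```

Keep a console session open while applying the aaa lines and test a fresh SSH login from a permitted host before closing it; an AAA typo otherwise locks you out, with only the console (local list) left as a way back in.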

28 IP Routing Routers should have IP source routing disabled. Disable IP source routing as a global default with the no ip source-route command.

29 IP Routing All directed broadcasts should be disabled on all router interfaces.

30 IP Routing Use the interface command no ip directed-broadcast to prevent directed broadcasts that could "explode" into link-layer broadcasts (the amplifier in smurf-style attacks). Note: Directed broadcasts are disabled by default in Cisco IOS 12.0 and later.

31 IP Routing Boundary/edge routers, in particular, should filter ICMP redirects: use access lists to drop redirects arriving from outside, and stop the router from generating them with the interface command no ip redirects. Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.

32 IP Routing If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.

33 IP Routing Note: Anti-spoofing access lists on an external interface should block inbound packets whose source address is:
the organization's own public address space (such packets cannot legitimately arrive from outside)
any RFC 1918 private address (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
the address of any router interface
127.0.0.0/8 (loopback)
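The IP routing items from slides 28 through 33 as one configuration for an Internet-facing edge router. This is an added example, not from the presentation; the public block 203.0.113.0/24, the outside interface Serial0/0 with address 198.51.100.1, and the inside interface FastEthernet0/0 are assumed for illustration.

```cisco
! Added example (not from the presentation): IP routing hardening on an edge
! router, Cisco IOS 12.x syntax. Addresses and interface names are assumptions.
configure terminal
!
! Source-routed packets let the sender dictate the path and bypass path-based
! controls; there is no legitimate use for them at the edge
no ip source-route
!
! Inbound filter for the outside interface: impossible sources first, logged
ip access-list extended EDGE-IN
 remark -- anti-spoofing: our own public space cannot arrive from the Internet
 deny   ip 203.0.113.0 0.0.0.255 any log
 remark -- RFC 1918 private space
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark -- loopback net and the router's own outside address
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip host 198.51.100.1 any log
 remark -- ICMP redirects from outside: nothing on the Internet should re-route us
 deny   icmp any any redirect log
 remark -- placeholder: a production filter then permits only the services offered
 permit ip any any
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 ip access-group EDGE-IN in
! no link-layer broadcast storms from directed broadcasts, no redirects sent
 no ip directed-broadcast
 no ip redirects
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
end
```

The log keyword on the deny lines turns every spoofed packet into a syslog message, which is what you want for the review step in the logging section but also a way for an attacker to flood the log; watch the rate after enabling it. Unicast reverse-path forwarding (ip verify unicast reverse-path) is a complementary control not covered by the deck that drops spoofed sources automatically when the routing table is symmetric.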

34 Warning Banner Is the company’s warning banner displayed to anyone logging into the router? Note: Use the banner login command to configure the warning banner.

35 SNMP Security SNMP community strings should adhere to your company’s password complexity guidelines.

36 SNMP Security The read-only community string must be different from the read/write community string. Note: Routine polling should be done with the read-only community string whenever possible.

37 SNMP Security The read/write community string should be reserved for write operations ONLY, while the read only community strings should be reserved for read access.

38 SNMP Security Access lists should be employed to restrict SNMP to the IP addresses of management stations only.
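The SNMP items from slides 35 through 38, showing the weak configuration beside the hardened one. This is an added example, not from the presentation; the management station addresses 10.1.1.20 and 10.1.1.21 and both community strings are placeholders, and the closing note on SNMPv3 goes beyond the deck.

```cisco
! Added example (not from the presentation): SNMP community hardening, Cisco IOS
! 12.x syntax. Addresses and community strings are placeholders.
configure terminal
!
! Weak, as commonly found: the vendor-default strings, no access list, so anyone
! who can reach UDP/161 can read, and with "private" also write, the whole MIB
no snmp-server community public
no snmp-server community private
!
! ACL 20: hosts allowed to read (the polling stations)
access-list 20 permit host 10.1.1.20
access-list 20 permit host 10.1.1.21
access-list 20 deny any log
! ACL 21: the single host allowed to write
access-list 21 permit host 10.1.1.20
access-list 21 deny any log
!
! Distinct strings meeting the password policy, each bound to its ACL; the NMS
! polls with the RO string and the RW string is used only for write operations
snmp-server community Ex4mple-R0-c0mmunity-2004 RO 20
snmp-server community Ex4mple-RW-c0mmunity-2004 RW 21
snmp-server location Data center row 3
snmp-server contact netops@example.com
!
! If nothing manages this router over SNMP, remove the agent entirely instead:
! no snmp-server
end
```

Community strings travel in clear text in every SNMPv1/v2c packet, so the access lists are the control that actually matters here; where the IOS image and the management platform support it, SNMPv3 with authentication and privacy replaces the community string altogether.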

39 Logging Requirements System logging should be enabled and the information saved to both a local buffer and a syslog server.

40 Logging Requirements If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ Server.

41 Logging Requirements If the router has a real-time clock or is running NTP, all log entries should be time-stamped.

42 Logging Requirements To show time-stamps, use the command: service timestamps log datetime localtime show-timezone
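The logging items from slides 39 through 42 in one configuration, including the AAA accounting the deck asks for when TACACS+ is in use. This is an added example, not from the presentation; the syslog server 10.1.1.6, NTP servers 10.1.1.7 and 10.1.1.8, the Eastern time zone and the assumption that aaa new-model and a tacacs-server host are already configured are all illustrative choices.

```cisco
! Added example (not from the presentation): logging and time synchronisation,
! Cisco IOS 12.x syntax. Addresses and time zone are assumptions.
configure terminal
!
! Time zone first, so "localtime" in the timestamps means something; then NTP,
! accepting time only from the listed servers (ACL 30)
clock timezone EST -5
clock summer-time EDT recurring
access-list 30 permit host 10.1.1.7
access-list 30 permit host 10.1.1.8
access-list 30 deny any
ntp server 10.1.1.7
ntp server 10.1.1.8
ntp access-group peer 30
!
! Stamp every log and debug line with date, time, milliseconds and zone, and
! number them so a gap in the syslog stream is visible
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
!
! Local ring buffer (lost on reload) plus the off-box collector that provides the
! 90-day retention; the console only sees critical messages
logging buffered 65536 informational
logging 10.1.1.6
logging trap informational
logging facility local6
logging console critical
!
! AAA accounting: exec sessions and privileged-level commands go to the TACACS+
! server (assumes aaa new-model and tacacs-server host are already configured)
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
end
```

Check show ntp status for "synchronized" before trusting the timestamps, and compare show logging against what the collector received for the same interval; a router that logs locally but cannot reach 10.1.1.6 fails the off-box requirement silently.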

43 Logging Requirements All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.

44 Logging Requirements System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.

45 General Requirements Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.

46 General Requirements Physical access to the router and its components must be strictly controlled.

47 General Requirements Back-up and contingency processes for each router need to be documented and in place.

48 General Requirements There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.

49 Router Threat Management
Threat Warning: inform technology SMEs of a newly identified threat.
Threat Plan: provide specific remediation information to SMEs.
Alert: send urgent threat information and remediation plans to all System Administrators.

50 Router Threat Management
Critical T-0: immediate risk; patching must begin immediately.
Critical T-7: testing and installation of patches is expected on all impacted systems within 7 days.
Important T-30: patches expected to be tested and installed within 30 days.
Informational: general awareness threat issue.

51 Router Threat Management Other methods to protect routers from outside attacks.

52 The End Questions?
