Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004.


Introduction Types of Routers Unnecessary Services Password Management Interactive Access IP Routing

Introduction Warning Banners SNMP Security Logging Requirements General Requirements Router Threat Management

Types of Routers Boundary or edge routers Interior routers Backbone routers Aggregate routers or hub routers

Types of Routers Interior routers provide connectivity within a routing domain.

Types of Routers Backbone routers provide connectivity between routing domains.

Types of Routers Aggregate routers and hub routers are used to combine a large number of connections into a smaller number of high-bandwidth connections.

Types of Routers A boundary or edge router refers to a router that sits between one or more networks that are of different security domains. These routers require a higher level of security.

Unnecessary Services TCP & UDP Small Servers need to be disabled on the router.

Unnecessary Services These services can be disabled with the commands: no service tcp-small-servers no service udp-small-servers Note: Small services are disabled by default in Cisco IOS 12.0 and later software.

Unnecessary Services Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled.

Unnecessary Services CDP can be disabled globally with the configuration command: no cdp run CDP can be disabled on a particular interface with: no cdp enable

Unnecessary Services HTTP access should be disabled on the router, especially on a boundary/edge router.

Unnecessary Services Finger should be disabled on the router. The finger service can be disabled with the command: no service finger

Unnecessary Services The RSH and RCP services must be restricted by IP address. If the services are not needed, they must be disabled.

Unnecessary Services These services can be disabled with the commands: no ip rcmd rcp-enable no ip rcmd rsh-enable Note: These services are disabled by default in Cisco IOS 12.0 and later.

Password Management The service password-encryption command should be enabled to provide minimum protection for configured passwords.

Password Management As a global default, use the command: service password-encryption Note: This command directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file.

Password Management The enable secret command is used to set the password granting privileged administrative access to the IOS system.

Password Management All system installation, maintenance, and default passwords supplied by vendors must be changed. Passwords should follow the password complexity guidelines outlined in your company’s security policies.

Interactive Access tty console and auxiliary access should be controlled with both a user ID and password stored in a local file on the router. Note: All tty access should use either TACACS+ or a RADIUS server for authentication.

Interactive Access Reverse telnet sessions to console and auxiliary tty lines should be disabled. Disable reverse telnet sessions on tty lines by using the command: transport input none

Interactive Access vty access to the router should be controlled by both a user ID and password when logging into the router. Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.

Interactive Access vty lines should be configured to accept connections only from those protocols actually needed.

Interactive Access Use the transport input command to restrict the protocols accepted by the vty lines.

Interactive Access Access to at least one vty line should be restricted to an IP or IP range to protect against Denial of Service Attacks. The ip access-class command can be used to restrict the IP addresses.

Interactive Access Timeouts should be configured on all vty lines, based on your company’s timeout policy. Use the exec-timeout command to configure timeouts on vty lines.

IP Routing Routers should have IP source routing disabled. Disable IP source routing as a global default with the no ip source-route command.

IP Routing All directed broadcasts should be disabled on all router interfaces.

IP Routing Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts. Note: directed broadcasts are disabled by default in Cisco IOS 12.0 and later.

IP Routing Boundary/edge routers, in particular, should filter ICMP redirects. Use access lists to block ICMP redirects. Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.

IP Routing If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.

IP Routing Note: Anti-spoofing access lists should block: publicly owned internal address space; all RFC1918 private addresses; and packets whose source address is one of the router's own interface addresses (including loopbacks).
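As an added example (not part of the original presentation), the following Python renders the inbound anti-spoofing access list described above and evaluates it first-match for a given source address. The ACL name, the public prefix 203.0.113.0/24 and the router addresses are constructed assumptions; the RFC1918 ranges are the standard ones.

```python
import ipaddress

# RFC 1918 private space: these must never arrive on an external interface.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def spoof_sources(internal_public, router_addrs):
    """Networks that are illegitimate as a source address on an external interface."""
    nets = [ipaddress.ip_network(p) for p in list(internal_public) + RFC1918]
    nets += [ipaddress.ip_network(f"{a}/32") for a in router_addrs]
    return nets

def anti_spoof_acl(name, internal_public, router_addrs):
    """Render an IOS extended named ACL: deny each spoof source, then permit the rest.
    IOS ACLs use wildcard (inverse) masks, which ipaddress exposes as hostmask."""
    lines = [f"ip access-list extended {name}"]
    for net in spoof_sources(internal_public, router_addrs):
        if net.prefixlen == 32:
            lines.append(f" deny ip host {net.network_address} any log")
        else:
            lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    return lines

def acl_action(src, internal_public, router_addrs):
    """First-match evaluation of the ACL above for a packet's source address."""
    addr = ipaddress.ip_address(src)
    for net in spoof_sources(internal_public, router_addrs):
        if addr in net:
            return "deny"
    return "permit"

# Constructed example values: an assumed /24 of owned public space, plus the
# external interface address and a loopback of the router itself.
INTERNAL_PUBLIC = ["203.0.113.0/24"]
ROUTER_ADDRS = ["198.51.100.1", "203.0.113.254"]

if __name__ == "__main__":
    print("\n".join(anti_spoof_acl("ANTISPOOF-IN", INTERNAL_PUBLIC, ROUTER_ADDRS)))
```

The rendered list is applied inbound on the external interface; the `log` keyword makes each spoofed packet visible in the syslog stream the Logging Requirements slides call for.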

Warning Banner Is the company’s warning banner displayed to anyone logging into the router? Note: Use the banner login command to configure the warning banner.

SNMP Security SNMP community strings should adhere to your company’s password complexity guidelines.

SNMP Security The read-only community string should be different from the read/write community string. Note: If possible, periodic polling should be done with the read-only community string.

SNMP Security The read/write community string should be reserved for write operations ONLY, while the read only community strings should be reserved for read access.

SNMP Security Access lists should be employed to restrict SNMP to the IP addresses of management stations only.

Logging Requirements System logging should be enabled and the information saved to both a local buffer and a syslog server.

Logging Requirements If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ Server.

Logging Requirements If the router is using a real-time clock or is running NTP, all log entries should be time-stamped.

Logging Requirements To show time-stamps, use the command: service timestamps log datetime localtime show-timezone
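As an added example (not from the presentation), the following Python audits a saved running-config against the Unnecessary Services, Password Management, Interactive Access and Logging items above. The sample config, the enable-secret hash placeholder and the vty policy (explicit access-class and exec-timeout required) are constructed assumptions.

```python
import re

# Constructed sample config (not from a real device), partially hardened.
SAMPLE_CONFIG = """\
service tcp-small-servers
service password-encryption
no cdp run
enable secret 5 $1$PLACEHOLDER$hashplaceholder
line con 0
 transport input none
line vty 0 4
 transport input ssh
"""

# (check, regex, match means PASS); IOS 12.0+ omits disabled defaults, so small servers fail only if explicitly on.
GLOBAL_RULES = [
    ("service password-encryption", r"service password-encryption$", True),
    ("enable secret", r"enable secret ", True),
    ("no cdp run", r"no cdp run$", True),
    ("log timestamps", r"service timestamps log datetime", True),
    ("small servers off", r"service (tcp|udp)-small-servers", False),
]
# (line prefix, check, regex); this policy requires explicit values rather than defaults.
LINE_RULES = [
    ("line vty", "access-class", r"access-class \S+ in$"),
    ("line vty", "exec-timeout", r"exec-timeout \d+"),
    ("line vty", "transport input", r"transport input (ssh|telnet)( ssh| telnet)?$"),
    ("line con", "transport input none", r"transport input none$"),
]

def parse_config(text):
    """Return top-level commands and a dict of indented line/interface sections."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            top.append(current)
            sections.setdefault(current, [])
    return top, sections

def failures(text):
    """Names of checks that fail, in evaluation order (empty list = hardened)."""
    top, sections = parse_config(text)
    has = lambda pat, lines: any(re.match(pat, l) for l in lines)
    failed = [n for n, pat, want in GLOBAL_RULES if has(pat, top) != want]
    for name, body in sections.items():
        failed += [f"{name}: {n}" for p, n, pat in LINE_RULES
                   if name.startswith(p) and not has(pat, body)]
    return failed
```

Running `failures(SAMPLE_CONFIG)` reports the re-enabled small servers, the missing log timestamps, and the vty lines that lack an access-class and exec-timeout.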

Logging Requirements All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.

Logging Requirements System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.

General Requirements Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.

General Requirements Physical access to the router and its components must be strictly controlled.

General Requirements Back-up and contingency processes for each router need to be documented and in place.

General Requirements There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.

Router Threat Management Threat Warning – Inform technology SMEs of a newly identified threat. Threat Plan – Provide specific remediation information to SMEs. Alert – Send urgent threat information and remediation plans to all System Administrators.

Router Threat Management Critical T-0: Immediate risk. Patching must begin immediately. Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days. Important T-30: Patches expected to be tested and installed within 30 days. Informational: General awareness threat issue.

Router Threat Management Other methods to protect routers from outside attacks.

The End Questions?