SlideShare a Scribd company logo

8 steps to protect your cisco router

Download as DOCX, PDF
IT Tech
IT Tech

The document provides 8 steps to secure a Cisco router by restricting access, disabling unused services, encrypting passwords, and logging activities. These simple steps include controlling access to ports, restricting telnet access, blocking spoof packets, restricting SNMP, encrypting passwords, disabling services like HTTP, adding security options, and configuring logging to a remote server. Proper configuration following these steps can significantly increase router security based on nmap scans showing all ports filtered after securing the device.

Related slideshows

Vyos clustering ipsec
Vyos clustering ipsecVyos clustering ipsec
Vyos clustering ipsec
 
Sahara RDO part1
Sahara RDO part1Sahara RDO part1
Sahara RDO part1
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp uk
 
1 of 8
Protect Your Cisco Router by Simple Steps Network security is a completely changing area; new devices like IDS (Intrusion Detection systems), IPS (Intrusion Prevention systems), and Honeypots are modifying the way people think about security. Companies are spending thousands of dollars on new security devices, but forgetting the basic, the first line of defense: the border router. Although a lot of people may think that routers don’t need to be protected, they are completely wrong. A lot of secure problems appear all time against this kind of device and most of them are vulnerable.Some information about some common security problems found on Cisco Routers can be read on the text “Exploiting Cisco Routers”, available at: http://www.securityfocus.com/infocus/1734 In this article I will give you/There are 8 steps, easy to follow, to minimize your Cisco router exposure by turning off some unused services, applying some access control and applying some security options available on that. Content List 1- Control Access to your router; 2- Restrict telnet access to it;
3- Block Spoof/Malicious packets; 4- Restrict SNMP; 5- Encrypt all passwords; 6- Disable all unused services; 7- Add some security options; 8- Log everything; 1- Control Access to your router The first thing to do is apply some rules to restrict all external access to some ports of the router. You can block all ports, but it is not always necessary. These commands bellow will protect your router against some reconnaissance attacks and, obviously, will restrict access to these ports: access-list 110 deny tcp any host $yourRouterIPeq 7 access-list 110 deny tcp any host $yourRouterIPeq 9 access-list 110 deny tcp any host $yourRouterIPeq 13 access-list 110 deny tcp any host $yourRouterIPeq 19 access-list 110 deny tcp any host $yourRouterIPeq 23 access-list 110 deny tcp any host $yourRouterIPeq 79 int x0/0 access-group in 110 Where $your router IP is your router IP and x0/0 is your external interface.
We will always use this convention in this article. 2- Restrict telnet access to it Telnet is not a very safe protocol to use, but if you really need to use it (you should always use ssh) you might want to restrict all access to it (remember that all your traffic will be unencrypted). The best way to accomplish that is using a standard access-list and the access-class command. access-list 50 permit 192.168.1.1 access-list 50 deny any log linevty 0 4 access-class 50 in exec-timeout 5 0 Where 192.168.1.1 is the IP address allowed to telnet the router 3- Block Spoof/Malicious packets You must never allow loopback/reserved IP address from the Internet reach your external interface and you can reject broadcast and multicast addresses too. access-list 111 deny ip 127.0.0.0 0.255.255.255 any access-list 111 deny ip 192.168.0.0 0.0.0.255 any access-list 111 deny ip 172.16.0.0 0.0.255.255 a
access-list 111 deny ip 10.0.0.0 0.255.255.255 a access-list 111 deny ip host 0.0.0.0 any access-list 111 deny ip 224.0.0.0 31.255.255.255 access-list 111 deny icmp any any redirect int x0/0 access-group in 111 4- Restrict SNMP SNMP must always be restrict, unless you want some malicious person getting a lot of information from your network ☺ access-list 112 deny udp any anyeqsnmp access-list 112 permit ip any any interface x0/0 access-group 112 in And if you are not going to use SNMP at all, disable it: nosnmp-server 5- Encrypt all passwords A very important thing to do is protect all your passwords using the powerful algorithm as possible. The password from exec mode, that grants privileged access to the IOS system, can be set using a MD5 hash, which is the strongest option available on the Cisco IOS.
Enable secret $yourpassword All other passwords, you can encrypt using the Vigenere cipher that is not very strong, but can help. To do that, you can use the service password-encryption command that encrypts all passwords present in you system. Service password-encryption 6- Disable all unused services 6.1 - Disable Echo, Chargen and discard no service tcp-small-servers no service udp-small-servers 6.2 - Disable finger no service finger 6.3 - Disable the httpd interface noip http server 6.4 - Disable ntp (if you are not using it) ntp disable
7- Add some security options 7.1 - Disable source routing noip source-route 7.2 - Disable Proxy Arp noip proxy-arp 7.3 - Disable ICMP redirects interface s0/0 (your external interface) noip redirects 7.4 - Disable Multicast route Caching interface s0/0 (your external interface) noipmroute-cache 7.5 - Disable CDP nocdp run 7.6 - Disable direct broadcast (protect against Smurf attacks) noip directed-broadcast
8- Log everything To finish, you must log everything on an outside Log Server. You must everything from all your systems and always analyze the logs. logging trap debugging logging 192.168.1.10 where 192.168.1.10 is the ip of your log server (configured as a Syslog server) Conclusion With these simple steps you can add a lot of security to your router, protecting it against a lot of possible attacks, increasing your network security. Only as an example, you can see the nmap result before and after applying these options: Before: Bash-2.05b# nmap -O 192.168.1.1 Starting nmap V. 3.00 (www.insecure.org/nmap/ ) Interesting ports on (192.168.1.1): Port State Service 7/tcp open echo 9/tcp open discard
13/tcp open daytime 19/tcp open chargen 23/tcp open telnet 79/tcp open finger 80/tcp open http Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11) After: Bash-2.05b# nmap -P0 -O 192.168.1.1 Starting nmap V. 3.00 (www.insecure.org/nmap/) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1601 scanned ports on (192.168.1.1) are: filtered Too many fingerprints match this host for me to give an accurate OS guess Nmap run completed -- 1 IP address (1 host up) scanned in 403 seconds MORE NOTES: Opening Ports on a Cisco Router to Allow Exchange Server to Work More Cisco news and info of Cisco network hardware you can visit: http://blog.router-switch.com/

More Related Content

8 steps to protect your cisco router

  • 1. Protect Your Cisco Router by Simple Steps Network security is a completely changing area; new devices like IDS (Intrusion Detection systems), IPS (Intrusion Prevention systems), and Honeypots are modifying the way people think about security. Companies are spending thousands of dollars on new security devices, but forgetting the basic, the first line of defense: the border router. Although a lot of people may think that routers don’t need to be protected, they are completely wrong. A lot of secure problems appear all time against this kind of device and most of them are vulnerable.Some information about some common security problems found on Cisco Routers can be read on the text “Exploiting Cisco Routers”, available at: http://www.securityfocus.com/infocus/1734 In this article I will give you/There are 8 steps, easy to follow, to minimize your Cisco router exposure by turning off some unused services, applying some access control and applying some security options available on that. Content List 1- Control Access to your router; 2- Restrict telnet access to it;
  • 2. 3- Block Spoof/Malicious packets; 4- Restrict SNMP; 5- Encrypt all passwords; 6- Disable all unused services; 7- Add some security options; 8- Log everything; 1- Control Access to your router The first thing to do is apply some rules to restrict all external access to some ports of the router. You can block all ports, but it is not always necessary. These commands bellow will protect your router against some reconnaissance attacks and, obviously, will restrict access to these ports: access-list 110 deny tcp any host $yourRouterIPeq 7 access-list 110 deny tcp any host $yourRouterIPeq 9 access-list 110 deny tcp any host $yourRouterIPeq 13 access-list 110 deny tcp any host $yourRouterIPeq 19 access-list 110 deny tcp any host $yourRouterIPeq 23 access-list 110 deny tcp any host $yourRouterIPeq 79 int x0/0 access-group in 110 Where $your router IP is your router IP and x0/0 is your external interface.
  • 3. We will always use this convention in this article. 2- Restrict telnet access to it Telnet is not a very safe protocol to use, but if you really need to use it (you should always use ssh) you might want to restrict all access to it (remember that all your traffic will be unencrypted). The best way to accomplish that is using a standard access-list and the access-class command. access-list 50 permit 192.168.1.1 access-list 50 deny any log linevty 0 4 access-class 50 in exec-timeout 5 0 Where 192.168.1.1 is the IP address allowed to telnet the router 3- Block Spoof/Malicious packets You must never allow loopback/reserved IP address from the Internet reach your external interface and you can reject broadcast and multicast addresses too. access-list 111 deny ip 127.0.0.0 0.255.255.255 any access-list 111 deny ip 192.168.0.0 0.0.0.255 any access-list 111 deny ip 172.16.0.0 0.0.255.255 a
  • 4. access-list 111 deny ip 10.0.0.0 0.255.255.255 a access-list 111 deny ip host 0.0.0.0 any access-list 111 deny ip 224.0.0.0 31.255.255.255 access-list 111 deny icmp any any redirect int x0/0 access-group in 111 4- Restrict SNMP SNMP must always be restrict, unless you want some malicious person getting a lot of information from your network ☺ access-list 112 deny udp any anyeqsnmp access-list 112 permit ip any any interface x0/0 access-group 112 in And if you are not going to use SNMP at all, disable it: nosnmp-server 5- Encrypt all passwords A very important thing to do is protect all your passwords using the powerful algorithm as possible. The password from exec mode, that grants privileged access to the IOS system, can be set using a MD5 hash, which is the strongest option available on the Cisco IOS.
  • 5. Enable secret $yourpassword All other passwords, you can encrypt using the Vigenere cipher that is not very strong, but can help. To do that, you can use the service password-encryption command that encrypts all passwords present in you system. Service password-encryption 6- Disable all unused services 6.1 - Disable Echo, Chargen and discard no service tcp-small-servers no service udp-small-servers 6.2 - Disable finger no service finger 6.3 - Disable the httpd interface noip http server 6.4 - Disable ntp (if you are not using it) ntp disable
  • 6. 7- Add some security options 7.1 - Disable source routing noip source-route 7.2 - Disable Proxy Arp noip proxy-arp 7.3 - Disable ICMP redirects interface s0/0 (your external interface) noip redirects 7.4 - Disable Multicast route Caching interface s0/0 (your external interface) noipmroute-cache 7.5 - Disable CDP nocdp run 7.6 - Disable direct broadcast (protect against Smurf attacks) noip directed-broadcast
  • 7. 8- Log everything To finish, you must log everything on an outside Log Server. You must everything from all your systems and always analyze the logs. logging trap debugging logging 192.168.1.10 where 192.168.1.10 is the ip of your log server (configured as a Syslog server) Conclusion With these simple steps you can add a lot of security to your router, protecting it against a lot of possible attacks, increasing your network security. Only as an example, you can see the nmap result before and after applying these options: Before: Bash-2.05b# nmap -O 192.168.1.1 Starting nmap V. 3.00 (www.insecure.org/nmap/ ) Interesting ports on (192.168.1.1): Port State Service 7/tcp open echo 9/tcp open discard
  • 8. 13/tcp open daytime 19/tcp open chargen 23/tcp open telnet 79/tcp open finger 80/tcp open http Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11) After: Bash-2.05b# nmap -P0 -O 192.168.1.1 Starting nmap V. 3.00 (www.insecure.org/nmap/) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1601 scanned ports on (192.168.1.1) are: filtered Too many fingerprints match this host for me to give an accurate OS guess Nmap run completed -- 1 IP address (1 host up) scanned in 403 seconds MORE NOTES: Opening Ports on a Cisco Router to Allow Exchange Server to Work More Cisco news and info of Cisco network hardware you can visit: http://blog.router-switch.com/