Router Hardening

Nancy Grover, CISSP
ISC2/ISSA Security Conference
November 2004
Introduction
• Types of Routers
• Unnecessary Services
• Password Management
• Interactive Access
• IP Routing
• Warning Banners
• SNMP Security
• Logging Requirements
• General Requirements
• Router Threat Management
Types of Routers
• Boundary or edge routers
• Interior routers
• Backbone routers
• Aggregate routers or hub routers
• Interior routers provide connectivity within a routing domain.
• Backbone routers provide connectivity between routing domains.
• Aggregate routers and hub routers are used to combine a large number of connections into a smaller number of high-bandwidth connections.
• A boundary or edge router is a router that sits between one or more networks that belong to different security domains.
• These routers require a higher level of security.
Unnecessary Services
• TCP & UDP Small Servers need to be disabled on the router.
• These services can be disabled with the commands:
no service tcp-small-servers
no service udp-small-servers
• Note: Small services are disabled by default in Cisco IOS 12.0 and later software.
• Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled.
• CDP can be disabled with the global configuration command:
no cdp run
• CDP can be disabled on a particular interface with:
no cdp enable
• HTTP access should be disabled on the router, especially on a boundary/edge router.
• Finger should be disabled on the router.
• The finger service can be disabled with the command:
no service finger
• The RSH and RCP services must be restricted by IP address.
• If the services are not needed, they must be disabled.
• These services can be disabled with the commands:
no ip rcmd rcp-enable
no ip rcmd rsh-enable
• Note: These services are disabled by default in Cisco IOS 12.0 and later.
Password Management
• The service password-encryption command should be enabled to provide minimum protection for configured passwords.
• As a global default, use the command:
service password-encryption
• Note: This command directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file.
• The enable secret command is used to set the password granting privileged administrative access to the IOS system.
• All system installation, maintenance, and default passwords supplied by vendors must be changed.
• Passwords should follow the password complexity guidelines outlined in your company’s security policies.
Interactive Access
• tty console and auxiliary access should be controlled with both a user ID and password stored in a local file on the router.
• Note: All tty access should use either TACACS+ or a RADIUS server for authentication.
• Reverse telnet sessions to console and auxiliary tty lines should be disabled.
• Disable reverse telnet sessions on tty lines by using the command:
transport input none
• vty access to the router should be controlled by both a user ID and password when logging into the router.
• Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.
• vty lines should be configured to accept connections only from those protocols actually needed.
• Use the transport input command to restrict the protocols accepted by the vty lines.
• Access to at least one vty line should be restricted to an IP or IP range to protect against Denial of Service attacks.
• The access-class command can be used to restrict the IP addresses.
• Timeouts should be configured on all vty lines, based on your company’s timeout policy.
• Use the exec-timeout command to configure timeouts on vty lines.
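An added example, not from the presentation, that audits a Cisco IOS configuration text against the unnecessary-service, password-encryption and interactive-access items above. It assumes standard IOS syntax (global commands at column 0, line sub-commands indented), a boundary/edge router (so CDP must be off), and that each setting must appear explicitly in the config rather than being trusted to IOS defaults; the sample config is constructed.

```python
# Constructed sample config with several deliberate findings (not a real device).
WEAK_CONFIG = """\
service tcp-small-servers
ip http server
line aux 0
 login local
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
 login local
"""

def parse_ios(text):
    """Return (global commands, {line section: [its indented sub-commands]})."""
    glob, sections, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            sections[cur].append(raw.strip())
        elif raw.startswith("line "):
            cur = raw.strip()
            sections[cur] = []
        elif raw.strip():
            cur = None
            glob.append(raw.strip())
    return glob, sections

def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    g, sections = parse_ios(text)
    f = []
    # Services that appear in the running-config only when they are enabled.
    for svc in ("service tcp-small-servers", "service udp-small-servers", "ip http server"):
        if svc in g:
            f.append(f"enabled service: {svc}")
    # Settings required to appear explicitly (the audit does not trust IOS defaults).
    for want in ("no cdp run", "no service finger", "no ip source-route"):
        if want not in g:
            f.append(f"missing: {want}")
    if "service password-encryption" not in g:
        f.append("service password-encryption not set")
    for name, cmds in sections.items():
        if not any(c.startswith("exec-timeout") and c != "exec-timeout 0 0" for c in cmds):
            f.append(f"{name}: exec-timeout disabled or not configured")
        if name.startswith("line vty"):
            if any(c.startswith("transport input") and "telnet" in c for c in cmds):
                f.append(f"{name}: telnet accepted")
            if not any(c.startswith("access-class") for c in cmds):
                f.append(f"{name}: no access-class restricting source IPs")
        elif "transport input none" not in cmds:  # console and aux lines
            f.append(f"{name}: reverse telnet not disabled")
    return f
```

Run `audit(open("running-config.txt").read())` on a saved `show running-config`; an `exec-timeout 0 0` is reported because it disables the idle timeout rather than setting one.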
IP Routing
• Routers should have IP source routing disabled.
• Disable IP source routing as a global default with the no ip source-route command.
• All directed broadcasts should be disabled on all router interfaces.
• Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts.
• Note: Directed broadcasts are disabled by default in Cisco IOS 12.0 and later.
• Boundary/edge routers, in particular, should filter ICMP redirects.
• Use access lists to block ICMP redirects.
• Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.
• If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external-facing interfaces.
• Note: Anti-spoofing access lists should block:
• Publicly owned internal address space
• All RFC1918 private addresses
• IP addresses with a source address of a router interface
• 127.0.0.0 (loopback)
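An added example, not from the presentation, that turns the four anti-spoofing categories above into a per-source check and renders the equivalent IOS extended access list. The organisation's public block, the router interface addresses and the access-list number 101 are constructed placeholders.

```python
import ipaddress

# Constructed placeholders (documentation ranges, not a real network): the
# organisation's own public block and the router's interface addresses.
INTERNAL_PUBLIC = [ipaddress.ip_network("203.0.113.0/24")]
ROUTER_INTERFACES = [ipaddress.ip_address("203.0.113.1"),
                     ipaddress.ip_address("198.51.100.2")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def spoof_reason(src):
    """Why a packet arriving on the external interface with this source
    address should be dropped, or None if the source is acceptable."""
    ip = ipaddress.ip_address(src)
    if ip in ROUTER_INTERFACES:
        return "source is a router interface address"
    if any(ip in n for n in INTERNAL_PUBLIC):
        return "source claims internal public address space"
    if any(ip in n for n in RFC1918):
        return "source is RFC1918 private"
    if ip in LOOPBACK:
        return "source is loopback 127.0.0.0"
    return None

def ios_antispoof_acl(number=101):
    """Render the same policy as IOS extended access-list lines (assumed
    number 101); apply it inbound on the external interface with
    'ip access-group 101 in'. The final permit lets legitimate traffic through."""
    lines = []
    for net in INTERNAL_PUBLIC + RFC1918 + [LOOPBACK]:
        # Extended ACLs take a wildcard (inverse) mask, which hostmask provides.
        lines.append(f"access-list {number} deny ip {net.network_address} {net.hostmask} any")
    for ip in ROUTER_INTERFACES:
        lines.append(f"access-list {number} deny ip host {ip} any")
    lines.append(f"access-list {number} permit ip any any")
    return lines
```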
Warning Banner
• Is the company’s warning banner displayed to anyone logging into the router?
• Note: Use the banner login command to configure the warning banner.
SNMP Security
• SNMP community strings should adhere to your company’s password complexity guidelines.
• The read-only community string should be different from the read/write community string.
• Note: If possible, periodic polling should be done with the read-only community string.
• The read/write community string should be reserved for write operations ONLY, while the read-only community strings should be reserved for read access.
• Access lists should be employed to restrict SNMP to the IP addresses of management stations only.
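An added example, not from the presentation, that checks snmp-server community lines for the two SNMP items above: the read-only and read/write strings must differ, and each community must reference an access list that exists. The community strings, access-list numbers and management-station address are constructed placeholders.

```python
import re

# Constructed config lines (placeholders, not suggested values): the RW
# community reuses the RO string and carries no access list.
SNMP_LINES = """\
snmp-server community EXAMPLE-RO-STRING RO 20
snmp-server community EXAMPLE-RO-STRING RW
access-list 20 permit host 192.0.2.50
""".splitlines()

# Matches 'snmp-server community <string> RO|RW [<acl number>]'; the 'view'
# form of the command is outside this check.
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^access-list (\d+) ")

def audit_snmp(lines):
    """Return findings for RO/RW string reuse and for communities whose
    access list is missing or never defined."""
    findings, seen = [], {}
    acls = {m.group(1) for line in lines if (m := ACL_RE.match(line))}
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community, mode, acl = m.groups()
        if seen.get(community) not in (None, mode):
            findings.append("same community string used for RO and RW")
        seen[community] = mode
        if acl is None or acl not in acls:
            findings.append(f"{mode} community has no access list limiting management stations")
    return findings
```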
Logging Requirements
• System logging should be enabled and the information saved to both a local buffer and a syslog server.
• If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ server.
• If the router is using a real-time clock or is running NTP, all log entries should be time-stamped.
• To show time-stamps, use the command:
service timestamps log datetime localtime show-timezone
• All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.
• System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.
General Requirements
• Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.
• Physical access to the router and its components must be strictly controlled.
• Back-up and contingency processes for each router need to be documented and in place.
• There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.
Router Threat Management
• Threat Warning – Inform technology SMEs of a newly identified threat.
• Threat Plan – Provide specific remediation information to SMEs.
• Alert – Send urgent threat information and remediation plans to all System Administrators.
• Critical T-0: Immediate risk. Patching must begin immediately.
• Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days.
• Important T-30: Patches are expected to be tested and installed within 30 days.
• Informational: General awareness threat issue.
• Other methods to protect routers from outside attacks.
The End
Questions?