Hardening Cisco Routers
Thomas Akin

Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo

Hardening Cisco Routers
by Thomas Akin

Copyright © 2002 O'Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.

Published by O'Reilly & Associates, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected].

Editor: Jim Sumser
Production Editor: Ann Schirmer
Cover Designer: Emma Colby
Interior Designer: Melanie Wang

Printing History:
February 2002: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of a North African wild ass and Cisco routers is a trademark of O'Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

ISBN: 0-596-00166-5 [M]

Table of Contents

Preface  ix

1. Router Security  1
   Router Security?  1
   Routers: The Foundation of the Internet  2
   What Can Go Wrong  2
   What Routers Are at Risk?  4
   Moving Forward  5

2. IOS Version Security  6
   The Need for a Current IOS  6
   Determining the IOS Version  6
   IOS Versions and Vulnerabilities  7
   IOS Security Checklist  10

3. Basic Access Control  11
   Authentication Versus Authorization  11
   Points of Access  11
   Basic Access Control  13
   Remote Administration  19
   Protection with IPSec  28
   Basic Access Control Security Checklist  30

4. Passwords and Privilege Levels  32
   Password Encryption  32
   Clear-Text Passwords  33
   service password-encryption  33
   Enable Security  34
   Strong Passwords  35
   Keeping Configuration Files Secure  36
   Privilege Levels  38
   Password Checklist  41

5. AAA Access Control  43
   Enabling AAA  43
   Local Authentication  44
   TACACS+ Authentication  44
   RADIUS Authentication  47
   Kerberos Authentication  50
   Token-Based Access Control  51
   AAA Security Checklist  51

6. Warning Banners  52
   Legal Issues  52
   Example Banner  54
   Adding Login Banners  54
   Warning Banner Checklist  57

7. Unnecessary Protocols and Services  58
   ICMP  58
   Source Routing  63
   Small Services  64
   Finger  64
   HTTP  65
   CDP  65
   Proxy ARP  65
   Miscellaneous  66
   SNMP  67
   Unnecessary Protocols and Services Checklist  67

8. SNMP Security  68
   SNMP Versions  69
   Securing SNMP v1 and v2c  70
   Securing SNMP v3  76
   SNMP Management Servers  81
   SNMP Security Checklist  81

9. Secure Routing and Antispoofing  83
   Antispoofing  83
   Routing Protocol Security  88
   Routing Protocol and Antispoofing Checklist  94

10. NTP  96
   NTP Overview  96
   Configuring NTP  97
   NTP Checklist  106

11. Logging  108
   Logging in General  108
   Router Logging  109
   ACL Violation Logging  116
   AAA Accounting  118
   Logging Checklist  121

A. Checklist Quick Reference  123
B. Physical Security  133
C. Incident Response  143
D. Configuration Examples  149
E. Resources  161

Index  165

Preface

Master one single topic, and everything becomes clearer.
The field of network security is a huge subject. To be a network security expert, you must be an expert on routers, switches, hubs, firewalls, intrusion detection systems (IDS), servers, desktops, email, HTTP, instant messages, sniffers, and a thousand other topics. There are many books on network security, and the good ones tend to be tomes of 1000+ pages that are intimidating even to their authors. This book takes the opposite approach. It takes a single, but vitally important, topic and expands on it. Routers are your first line of defense. If they are compromised, everything else is compromised. This book describes how to secure your routers. Once you learn how to secure them, routers can protect the rest of your network.

To reemphasize, this is not a book on network security; there are hundreds of those already in print. You will not find long discussions on firewalls, Virtual Private Networks (VPNs), network IDS systems, or even access lists (ACLs). This book is more fundamental than that. This book shows how to harden the foundation of your network—the router. Once you have mastered the information in this book, you will find that your ability to build firewalls and configure IDS systems will increase. You will be building on a secure foundation.

Organization

This book consists of 11 chapters and 5 appendixes. At the end of most chapters is a checklist summarizing the hardening techniques described in that chapter. Appendix A provides a complete hardening checklist made up of the chapter checklists. The book is designed to be read either straight through for those new to router security, or a chapter at a time for those interested in specific topics. I recommend, however, that before reading the book, you review the checklist provided in Appendix A. This checklist will give you a good feel for the information covered in each chapter and familiarize you with the scope of the book. Here is a brief description of what each chapter and appendix covers.

Chapter 1, Router Security, addresses the importance of router security and where routers fit into an overall information security plan. Additionally, this chapter discusses which routers are the most important to secure and how secure routers are necessary (and often overlooked) parts of both firewall design and the overall information security strategy of a company.

Chapter 2, IOS Version Security, discusses security issues involving the router IOS software. It outlines current IOS revisions, shows how to determine the current IOS version, and details the importance of running a current IOS.

Chapter 3, Basic Access Control, discusses the standard ways to access a Cisco router, the security implications of each of these methods, and how to secure basic Cisco router access. These methods include console, VTY, AUX, and HTTP access controls.

Chapter 4, Passwords and Privilege Levels, discusses the three ways that Cisco routers store passwords and the security implications of each method. This chapter goes on to discuss the router's default privilege levels and shows how to modify these levels to increase the security and accountability of your routers.

Chapter 5, AAA Access Control, discusses how to use the advanced AAA authentication and authorization configuration for Cisco routers. It also shows how to use a network access server running RADIUS or TACACS+ to control these services on the router.

Chapter 6, Warning Banners, discusses the importance of having warning banners on routers. This chapter not only talks about the need to have banners, but also presents legal dos and don'ts for security banners. Finally, the chapter provides an example recommended banner to use on Cisco routers.

Chapter 7, Unnecessary Protocols and Services, discusses the unnecessary services that are commonly run on Cisco routers. Many of these services are enabled by default, and this chapter explains why services such as HTTP, finger, CDP, echo, and chargen are dangerous and details how to turn them off.

Chapter 8, SNMP Security, demonstrates how to disable SNMP or configure it securely. It presents the differences between SNMP Versions 1, 2, and 3; talks about read-only versus read-write access; and shows how to use access lists to limit SNMP access to only a few specific machines.

Chapter 9, Secure Routing and Antispoofing, discusses routing protocol security. Specifically, it discusses how to add security to RIP, OSPF, EIGRP, and BGP. These routing protocols allow authentication to prevent fake routing updates. The chapter also presents the importance of antispoofing filters and how to perform ingress and egress filtering using ACLs on older routers and Cisco's RPF and CEF antispoofing mechanisms on newer ones.
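As an added illustration (not taken from the book) of the kind of change Chapters 7 and 8 describe, the IOS configuration fragment below disables the services named above: the small TCP/UDP servers (echo and chargen among them), finger, the HTTP server, CDP, IP source routing, proxy ARP, and SNMP. The interface name is an assumption; proxy ARP is a per-interface setting and must be disabled on each interface. Command syntax varies between IOS releases, so confirm each line against `show running-config` on the router after applying it.

```cisco
! Added example, not from the book: turn off services Chapter 7 and 8 discuss.
! Small TCP and UDP servers (echo, chargen, discard, daytime)
no service tcp-small-servers
no service udp-small-servers
! Finger
no ip finger
! HTTP management interface
no ip http server
! Cisco Discovery Protocol, disabled globally
no cdp run
! IP source routing
no ip source-route
! SNMP, disabled entirely where it is not needed (Chapter 8 covers securing it instead)
no snmp-server
! Proxy ARP is per interface; the interface name here is an assumption
interface FastEthernet0/0
 no ip proxy-arp
```

Disabling SNMP outright is appropriate only where nothing polls the router; if a management station depends on it, the Chapter 8 approach (read-only communities or SNMPv3 plus an access list) is the alternative.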