Table Of Content,TITLE.25382 Page i Friday, February 15, 2002 2:57 PM
Hardening Cisco Routers
Thomas Akin
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
Hardening Cisco Routers
by Thomas Akin
Copyright © 2002 O’Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly & Associates, Inc., 1005 Gravenstein Highway North,
Sebastopol, CA 95472.
O’Reilly & Associates books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor: Jim Sumser
Production Editor: Ann Schirmer
Cover Designer: Emma Colby
Interior Designer: Melanie Wang
Printing History:
February 2002: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly & Associates, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly & Associates, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. The association between the image of a North African wild ass and Cisco routers is a trademark of O’Reilly & Associates, Inc.

While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
ISBN: 0-596-00166-5
Table of Contents
Preface ix

1. Router Security 1
    Router Security? 1
    Routers: The Foundation of the Internet 2
    What Can Go Wrong 2
    What Routers Are at Risk? 4
    Moving Forward 5

2. IOS Version Security 6
    The Need for a Current IOS 6
    Determining the IOS Version 6
    IOS Versions and Vulnerabilities 7
    IOS Security Checklist 10

3. Basic Access Control 11
    Authentication Versus Authorization 11
    Points of Access 11
    Basic Access Control 13
    Remote Administration 19
    Protection with IPSec 28
    Basic Access Control Security Checklist 30

4. Passwords and Privilege Levels 32
    Password Encryption 32
    Clear-Text Passwords 33
    service password-encryption 33
    Enable Security 34
    Strong Passwords 35
    Keeping Configuration Files Secure 36
    Privilege Levels 38
    Password Checklist 41

5. AAA Access Control 43
    Enabling AAA 43
    Local Authentication 44
    TACACS+ Authentication 44
    RADIUS Authentication 47
    Kerberos Authentication 50
    Token-Based Access Control 51
    AAA Security Checklist 51

6. Warning Banners 52
    Legal Issues 52
    Example Banner 54
    Adding Login Banners 54
    Warning Banner Checklist 57

7. Unnecessary Protocols and Services 58
    ICMP 58
    Source Routing 63
    Small Services 64
    Finger 64
    HTTP 65
    CDP 65
    Proxy ARP 65
    Miscellaneous 66
    SNMP 67
    Unnecessary Protocols and Services Checklist 67

8. SNMP Security 68
    SNMP Versions 69
    Securing SNMP v1 and v2c 70
    Securing SNMP v3 76
    SNMP Management Servers 81
    SNMP Security Checklist 81
9. Secure Routing and Antispoofing 83
    Antispoofing 83
    Routing Protocol Security 88
    Routing Protocol and Antispoofing Checklist 94

10. NTP 96
    NTP Overview 96
    Configuring NTP 97
    NTP Checklist 106

11. Logging 108
    Logging in General 108
    Router Logging 109
    ACL Violation Logging 116
    AAA Accounting 118
    Logging Checklist 121

A. Checklist Quick Reference 123

B. Physical Security 133

C. Incident Response 143

D. Configuration Examples 149

E. Resources 161

Index 165
Preface
Master one single topic, and everything becomes clearer.
The field of network security is a huge subject. To be a network security expert, you must be an expert on routers, switches, hubs, firewalls, intrusion detection systems (IDS), servers, desktops, email, HTTP, instant messages, sniffers, and a thousand other topics. There are many books on network security, and the good ones tend to be tomes of 1000+ pages that are intimidating even to their authors. This book takes the opposite approach. It takes a single, but vitally important, topic and expands on it. Routers are your first line of defense. If they are compromised, everything else is compromised. This book describes how to secure your routers. Once you learn how to secure them, routers can protect the rest of your network.

To reemphasize, this is not a book on network security; there are hundreds of those already in print. You will not find long discussions on firewalls, Virtual Private Networks (VPNs), network IDS systems, or even access lists (ACLs). This book is more fundamental than that. This book shows how to harden the foundation of your network—the router. Once you have mastered the information in this book, you will find that your ability to build firewalls and configure IDS systems will increase. You will be building on a secure foundation.
Organization
This book consists of 11 chapters and 5 appendixes. At the end of most chapters is a checklist summarizing the hardening techniques described in that chapter. Appendix A provides a complete hardening checklist made up of the chapter checklists. The book is designed to be read either straight through for those new to router security, or a chapter at a time for those interested in specific topics. I recommend, however, that before reading the book, you review the checklist provided in Appendix A. This checklist will give you a good feel for the information covered in each chapter and familiarize you with the scope of the book. Here is a brief description of what each chapter and appendix covers.
Chapter 1, Router Security, addresses the importance of router security and where routers fit into an overall information security plan. Additionally, this chapter discusses which routers are the most important to secure and how secure routers are necessary (and often overlooked) parts of both firewall design and the overall information security strategy of a company.

Chapter 2, IOS Version Security, discusses security issues involving the router IOS software. It outlines current IOS revisions, shows how to determine current IOS versions, and details the importance of running a current IOS.

Chapter 3, Basic Access Control, discusses the standard ways to access a Cisco router, the security implications of each of these methods, and how to secure basic Cisco router access. These methods include console, VTY, AUX, and HTTP access controls.

Chapter 4, Passwords and Privilege Levels, discusses the three ways that Cisco routers store passwords and the security implications of each method. This chapter continues to discuss the router’s default security levels and shows how to modify these levels to increase the security and accountability on your routers.

Chapter 5, AAA Access Control, discusses how to use the advanced AAA authentication and authorization configuration for Cisco routers. It also shows how to use a network access server running RADIUS or TACACS+ to control these services on the router.

Chapter 6, Warning Banners, discusses the importance of having warning banners on routers. This chapter not only talks about the need to have banners, but also presents legal dos and don’ts for security banners. Finally, the chapter provides an example recommended banner to use on Cisco routers.

Chapter 7, Unnecessary Protocols and Services, discusses the unnecessary services that are commonly run on Cisco routers. Many of these services are enabled by default, and this chapter explains why services such as HTTP, finger, CDP, echo, and chargen are dangerous and details how to turn them off.

Chapter 8, SNMP Security, demonstrates how to disable SNMP or configure it securely. It presents the differences between SNMP Versions 1, 2, and 3; talks about read-only versus read-write access; and shows how to use access lists to limit SNMP access to only a few specific machines.
Chapter 9, Secure Routing and Antispoofing, discusses routing protocol security. Specifically, it discusses how to add security to RIP, OSPF, EIGRP, and BGP. These routing protocols allow authentication to prevent fake routing updates. The chapter also presents the importance of antispoofing filters and how to perform ingress and egress filtering using ACLs on older routers and Cisco’s RPF and CEF antispoofing mechanisms on newer ones.