Cisco Router Security
Long time since I posted anything here …. but it’s just been those times been busy as a bee. So securing Cisco routers is a big deal especially since the routers (especially the edge routers) can be critical to any organizations infrastructure. I am not a Cisco guru but am only a student. However, I thought I should create a list that could help me perform security reviews of routers.
Security of routers is important as attackers could add static routes, advertise bad BGP neighbours on edge routers, create inbound tunnel into the intranets and such. Therefore, it’s imperative that adequate efforts be put in to secure Cisco routers.
I thought I’ll put in my first attempt at creating a small checklist:
- Use SSH for non-console access (“line vty” command should not have telnet in it)
- Use class 5 passwords, do *not* use class 7 passwords as they’re easily reversed (“enable secret”) alongwith the use of strong passez
- Limit virtual terminal access by using an ACL
access-list 100 permit 10.10.10.10 log
access-list 100 permit 10.10.10.11 log
access-list deny any log
line vty 0 4
access-class 100 in - Disable Proxy ARP on each interface (“no ip proxy arp”)
- Disable CDP as it can be used for information disclosures (“no cdp run”)
- Use AAA (TACACS+ or RADIUS) (“aaa new-model”, “aaa authentication”, etc.)
- Use “access-list ACL_NAME deny ip any any log” at the end of each ACL
- Disable http server (“no ip http server”)
- Keep the IOS versions updated
- Set centralized logging using a syslog (“logging internal_ip_address”)
- Configure NTP to keep the time synchronization (“ntp server 129.6.15.28”)
- Disable TCP and UDP small services e.g., echo, chargen, discard, etc. (“no service tcp-small-servers” and “no service udp-small-servers”)
- Put RFC 1918 (ingress filtering) protections using ACLs
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
access-list 100 deny ip 172.16.0.0 0.15.255.255 any log - Put some more filtering for common IPs
access-list 100 deny ip 169.254.0.0 0.0.255.255 any log - Use SNMPv3 with ACLs if you must (“snmp-server v3 auth priv”)
- Use SSHv2 (“ip ssh version 2”)
- Try to use EIGRP instead of RIP/OSPF (“ip authentication mode eigrp N md5”)
- Use MD5 authentication for RIP/OSPF if you must use these protocols (RIPv2/OSPF)
(“ip rip authentication mode md5”) - For edge routers using BGP authentication (if possible)
router bgp 10
neighbor 10.10.10.10 password Cr4zY$%^ - Configure BGP route flap dampening that prevents BGP oscillations (“bgp dampening”)
- Use warning banners that could be used for legal purposes for prosecuting hackers
That was really a nice list.