Device hardening is one of the fundamental security measures that should be put into practice to protect a device from unauthorized users and activity. An intruder who gains unauthorized access to a device effectively gains access to the networks that device connects, and every other security measure taken becomes redundant.
This chapter describes several security features that are applicable in Cisco IOS Software. Some of these features may also be applicable to other Cisco platforms such as Firewall and IDS. The later section of this chapter describes specific features available on these non-IOS Cisco devices.
The facility (physical location) where devices are housed is in most cases the first and last barrier encountered by an intruder. Physical security prevents intruders from gaining hands-on access to the devices. It is more critical than network security but is often overlooked by network administrators. Despite all the higher-level safeguards, a compromise of physical access will almost always result in a complete compromise of the device; the password recovery procedure described later in this chapter is one reason why. Having a secured physical facility that is accessible only to authorized personnel is extremely important.
Identification is mainly based on a combination of the username and the password. A password is a protected string of characters that is used to authenticate a user. There are three types of password protection schemes in Cisco IOS.
Clear-text passwords: These are the most insecure because they have no encryption. Passwords are viewable in the device configuration in clear text.
Type 7 passwords: These use the Cisco proprietary encryption algorithm and are known to be weak. Several password utilities are available to decipher Type 7 encrypted passwords. Type 7 encryption is used by the enable password, username, and line password commands.
Type 5 passwords: These use MD5 hashing algorithm (one-way hash) and are therefore much stronger because they are considered irreversible. The only way to crack the Type 5 password is by using brute force or dictionary attacks. It is highly recommended that you use Type 5 encryption instead of Type 7 where possible. Type 5 encryption is used by the enable secret command to specify an additional layer of security over the enable password command. The enable secret command takes preference over the enable password command. The username secret command also uses Type 5 encryption.
Tip
The following URL is an index of password recovery procedures for most Cisco products:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml
Creating strong passwords is one of the most important issues in device security. Users at times create very simple passwords using their pet names, maiden name, birth dates, or other similar known terms. These passwords are easily crackable using dictionary or brute force attacks. An alternative would be to use a completely random combination of numbers and symbols, but that is not very practical and very difficult to remember. To help remember passwords, users write them down and keep them under their keyboard or save them in a text file on their computers. These practices are counter to good security practices.
A strong password is one that is at least eight to ten characters and includes a combination of letters (uppercase and lowercase combination), numbers, and special symbols (example: !@#$%^&,.*). Here again, combining characters and symbols can create a password that is difficult to remember. Therefore, security administrators often favor using pass phrases.
One of the common techniques used today to create strong passwords that are easy to remember is to use a pass phrase. A pass phrase is a sentence or a word that is easy to remember. A strong password can be derived by using the first letter of each word from the pass phrase. In addition, passwords can be made even stronger by using a combination of upper- and lowercase letters and numbers, and by using substitution techniques to replace a letter with a character that looks like it; for example, i=1, i=!, s=5, S=5, o=0. Another good technique is to replace any numbers with the uppercase of that number on the keyboard, for example, 1=!, 2=@, 3=#, and 4=$. Users can invent their own rules for turning a pass phrase into a password. Note that once a derivation rule or an example password is published, as the examples below are, it belongs in every cracker's dictionary, so use the technique, never the published examples. What follows are some examples of pass phrases:
I can never remember my password = !cNrmp
Quarter pounder with cheese = .25#erwchz
How many times do I need to change my password? = hmtd!n2cmp?
All people seem to need data processing = Ap$2Ndp!ng
Take a long walk off a short pier = taLw0a5P
Sticks and stones will break my bones! = S&5wBmB!
Skilift = Sk1l1ft or Sk!l!ft
Tip
In Cisco IOS Software Release 12.3(1) and later, the security passwords min-length command is available to set the minimum character length for all passwords. Rejecting short passwords removes the trivial ones that are prevalent on most networks, such as "admin" or "cisco." This command affects user passwords, enable passwords, enable secret, and line passwords. After this command is enabled, any new password shorter than the specified length is rejected, but existing shorter passwords continue to work until they are changed, so they must be audited separately.
In Cisco IOS Software Release 12.3(1) and later, the security authentication failure rate threshold-rate log command is available to configure the number of allowable unsuccessful login attempts. When the number of failed login attempts exceeds the configured threshold, the router generates a syslog message and imposes a 15-second delay before further attempts are accepted. This slows down a brute force attack against the login prompt and makes it visible in the logs, rather than allowing an unlimited stream of failures to go unnoticed.
The service password-encryption command in global configuration mode obfuscates the passwords stored in the configuration so that they are not displayed in clear text. Without it, anyone who watches a show running-config over a clear-text Telnet session with a protocol analyzer, or who reads a configuration backup, sees every line and username password exactly as typed; with it, the same passwords appear as Type 7 strings. Because Type 7 is reversible, this protects only against casual viewing of the configuration, not against an attacker who obtains a copy of it. Use enable secret and username secret wherever a one-way hash is supported.
Note
Passwords configured prior to configuring the service password-encryption command will not be encrypted. For the passwords to be encrypted, they must be reentered into the configuration after the service password-encryption command is issued. Verify with show running-config that every password line now appears as password 7 followed by the encoded string and that no clear-text password remains.
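As an added example that is not part of the original chapter, the following Python script makes the difference between the three schemes concrete: it decodes and re-encodes Type 7 strings with the published XOR key (the string 0822455D0A16 is the well-known Type 7 encoding of "cisco"), then audits a constructed configuration fragment for clear-text, Type 7 and Type 5 passwords and for the absence of service password-encryption. The configuration, usernames and hash value in it are invented for the example. Newer IOS releases also have password types that this chapter does not cover; the audit simply reports those as not assessed.

```python
"""Cisco IOS password check: added example, not code from the book.

type7_decode/type7_encode implement the Type 7 obfuscation so the weakness
described above can be seen directly; audit_passwords classifies every
password-bearing line of a configuration as clear text, Type 7 or Type 5.
The configuration at the bottom is constructed for this example."""
from __future__ import annotations

import re

# Fixed XOR key behind 'password 7' strings. It has been public for decades,
# which is why Type 7 offers no protection to anyone who can read the config.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Return the plaintext behind a Type 7 string.

    Layout: two decimal digits giving the starting offset into TYPE7_KEY,
    then one hex pair per plaintext byte, each XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("offset outside key")
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plain: str, offset: int = 8) -> str:
    """Produce a Type 7 string; only here to show the scheme is symmetric."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0-15")
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{offset:02d}{body.hex().upper()}"


# Matches 'enable password', 'enable secret', 'username X [privilege N] password|secret'
# and the line-mode 'password' command, each with an optional leading type digit.
PASSWORD_LINE = re.compile(
    r"^\s*(?P<cmd>enable (?:password|secret)"
    r"|username \S+(?: privilege \d+)? (?:password|secret)"
    r"|password)"
    r"(?: (?P<type>\d))? (?P<value>\S+)\s*$"
)


def audit_passwords(config: str) -> list[tuple[str, str, str]]:
    """Return (severity, config line, explanation) for each password finding."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "service password-encryption" not in lines:
        findings.append(("info", "service password-encryption",
                         "not set: clear-text passwords appear verbatim in show running-config"))
    has_enable_secret = any(ln.startswith("enable secret") for ln in lines)
    for line in lines:
        m = PASSWORD_LINE.match(line)
        if not m:
            continue
        kind, value = m.group("type") or "0", m.group("value")
        if kind == "5":
            findings.append(("ok", line, "Type 5: salted MD5 hash, not reversible"))
        elif kind == "7":
            findings.append(("high", line, f"Type 7 is reversible; decodes to {type7_decode(value)!r}"))
        elif kind == "0":
            findings.append(("high", line, "clear text"))
        else:
            findings.append(("info", line, f"Type {kind} is not one of the three schemes covered here"))
        if m.group("cmd") == "enable password" and not has_enable_secret:
            findings.append(("medium", line, "enable password with no enable secret; set enable secret instead"))
    return findings


# Constructed configuration fragment for this example (not from a real device;
# the Type 5 hash value is a placeholder, not a real digest).
SAMPLE_CONFIG = """\
hostname R1
enable password 7 0822455D0A16
username ops password 0 letmein
username admin secret 5 $1$salt$constructedPlaceholderHashXXXX
line vty 0 4
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for severity, line, why in audit_passwords(SAMPLE_CONFIG):
        print(f"[{severity:6}] {line:50} {why}")
```

Feed audit_passwords the output of show running-config from a device. Any "high" finding is a credential an attacker recovers from a configuration backup, a TFTP copy or a captured Telnet session without any brute force at all, which is the practical meaning of the Type 7 warning above.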
The device configuration can be bypassed, giving complete access to the device, by following a very simple and well-documented procedure. Physical or console access to the device is required so that it can be rebooted or power cycled. Cisco IOS software provides a password recovery procedure that relies on gaining access to ROMMON. To enter ROMMON, the break key sequence is sent from the console within 60 seconds of the reboot.
In ROMMON, the configuration register is changed (typically to 0x2142) so that the router ignores the startup configuration in NVRAM on the next boot. The router then comes up with no passwords at all; the saved configuration can be copied into the running configuration, new passwords set, the configuration register restored, and the configuration saved.
The password recovery procedure enables anyone with console access to gain access to the router and its network. The no service password-recovery command is a security enhancement feature that prevents the completion of the break key sequence and the entering of ROMMON mode. It prevents users with console access from accessing the router configuration and clearing the password. It also prevents changes to the configuration register values and access to nonvolatile RAM (NVRAM). Before enabling it, keep an offline copy of the configuration and the IOS image: once the command is in effect, the only way back into a router whose password is lost is to erase the configuration, as described later in this section.
The following message is seen during startup when the no service password-recovery command is configured:
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright 1998 by cisco Systems, Inc.
C3600 processor with 65536 Kbytes of main memory
Main memory is configured to 64 bit mode with parity enabled
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x10ce394
Self decompressing the image : ####################################
###################################################################
###################################################################
################################################# [OK]
Smart Init is disabled. IOMEM set to: 10
Using iomem percentage: 10
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
of the Commercial Computer Software—Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(3), RELEASE SOFTWARE (fc2)
Copyright 1986-2003 by Cisco Systems, Inc.
Compiled Mon 18-Aug-03 19:03 by dchih
Image text-base: 0x60008950, data-base: 0x61B3E000
The following list outlines a few methods for recovering from a lost password when the no service password-recovery command is configured. These methods involve destroying the startup configuration; hence all configurations will be lost.
Devices that have NVRAM chips can be removed and reseated. The NVRAM is implemented using battery-backed up static RAM (SRAM). Removing the SRAM erases the contents of NVRAM, which contain the no service password-recovery configuration.
Other devices use an electrically erasable programmable read-only memory (EEPROM) to hold the configuration. The EEPROM is not erased when removed and is reseated; hence, recovery is not possible. (Contact the Cisco TAC support center for further assistance.)
Another way to recover from a lost password when the no service password-recovery command is configured becomes possible during the rebooting process of the router. (You must have console access to perform this task.) During the reboot, send the break key sequence within five to ten seconds of the image decompressing (when you see the message Image text-base:.... on the console screen). At this point, the software prompts you to reset the router to the factory default configuration; answering y erases the configuration. See the sample output captured for this process that follows.
System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Copyright 1998 by Cisco Systems, Inc.
C3600 processor with 65536 Kbytes of main memory
Main memory is configured to 64 bit mode with parity enabled
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
program load complete, entry point: 0x80008000, size: 0x10ce394
Self decompressing the image : ####################################
###################################################################
###################################################################
################################################# [OK]
Smart Init is disabled. IOMEM set to: 10
Using iomem percentage: 10
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
of the Commercial Computer Software—Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco Internetwork Operating System Software
IOS (tm) 3600 Software (C3640-IS-M), Version 12.3(3), RELEASE SOFTWARE (fc2)
Copyright 1986-2003 by Cisco Systems, Inc.
Compiled Mon 18-Aug-03 19:03 by dchih
Image text-base: 0x60008950, data-base: 0x61B3E000
hit CTRL-BREAK sequence here
PASSWORD RECOVERY IS DISABLED
Do you want to reset the router to factory default configuration and proceed [y/n] ? y
Reset router configuration to factory default.
Cisco 3640 (R4700) processor (revision 0x00) with 59392K/6144K bytes of memory.
Processor board ID 09196037
R4700 CPU at 100Mhz, Implementation 33, Rev 1.0
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 Ethernet/IEEE 802.3 interface(s)
2 Voice FXO interface(s)
2 Voice FXS interface(s)
DRAM configuration is 64 bits wide with parity enabled.
125K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
8192K bytes of processor board PCMCIA Slot0 flash (Read/Write)
20480K bytes of processor board PCMCIA Slot1 flash (Read/Write)
[OK][OK]
SETUP: new interface Ethernet0/0 placed in "shutdown" state
SETUP: new interface Ethernet1/0 placed in "shutdown" state
Press RETURN to get started!
Router>
Note
Use the following link for standard break-key sequence combinations for most applications, operating systems, and platforms, and to get some tips on how to troubleshoot related problems: http://www.cisco.com/warp/public/701/61.html.
Tip
Use the following links to recover a device when the no service password-recovery feature has been enabled:
User identification can best be achieved with a combination of the username and password parameters. The previous section discussed how to create strong passwords that can be used to authenticate a user. This section elaborates on the combination of the two.
To establish a credential-based authentication system, you can create usernames on a device for all device operators. Usernames configured from global configuration mode are stored in device's local database. Give each operator a login username for the device. This allows you to track which user makes changes to the configuration and can be useful for billing and accounting purposes. The login accounts are created with the username command and can be assigned different privilege levels and passwords. (Privilege levels are discussed in more detail later in the chapter.) Also note that when using the username secret command, the password will be encrypted as an MD5 hash.
Router(config)# username {username} password {password}
Router(config)# username {username} secret {password}
Router(config)# username {username} privilege {priv_level}
User accounts can be used for several applications—for example, console or vty lines, VPN users, and remote dial-in users. Accounts that are no longer required should be removed from the configuration.
A more scalable and preferred approach is to use the authentication, authorization, and accounting (AAA) technology, which is discussed in detail in the second part of this book, "Identity Security and Access Management."
Cisco IOS provides 16 privilege levels ranging from 0 to 15. By default, there are three predefined user levels in IOS:
Privilege level 0 includes the disable, enable, exit, help, and logout commands.
Privilege level 1 is the User EXEC mode. This is the normal level on Telnet and includes all user-level commands at the Router> prompt.
Privilege level 15 is the Privileged EXEC mode (also known as enabled mode). It includes all enable-level commands at the Router# prompt.
All Cisco IOS commands are pre-assigned to levels 0, 1, or 15. Levels 2 through 14 are available as user-defined (customized) modes.
The global configuration command privilege {mode} level {level} {command} is available to change, move, or set the privilege level of a command to any of these levels. The {mode} is the command mode in which the command is normally entered, such as exec or configure, and {command} is the command (or command prefix) being reassigned.
The line configuration mode privilege level {level} command is used to change the default privilege level for a given line or a group of lines.
Example 3-1 shows a user account "yusuf" created with privilege level 5, and several IOS (privilege 15) commands are moved to level 5 to be available for this user.
Router(config)# username yusuf privilege 5 password cisco
Router(config)# privilege exec level 5 show run
Router(config)# privilege exec all level 5 clear
Router(config)# privilege exec level 5 write memory
Router(config)# privilege exec level 5 configure terminal
Router(config)# privilege configure level 5 interface
Although the previous example shows local authentication, more granularities in control of the device can be achieved with the implementation of TACACS+ Command authorization using the AAA paradigm (discussed in Part II of this book). RADIUS does not support Command authorization.
The command show privilege displays the current privilege level. The enable password level command can be used to set the password for a particular privilege level.
As discussed in Chapter 2, "Access Control," Infrastructure ACLs are applied to explicitly filter traffic destined to the device addresses. The ACL is applied inbound on all externally facing connections (such as peering connections and customer connections) to minimize the risk of direct infrastructure attack by explicitly permitting only authorized traffic to the infrastructure equipment.
Note
For more details and a configuration example of Infrastructure ACLs, refer to http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.
To gain access to a device for administrative purposes, you can use three basic methods: the console port, VTY ports, and the auxiliary port, each discussed in detail in the sections that follow.
The console port is the default access method for device management and configuration. This type of connection is made by physically connecting to the console port of a device, which is configured as line console 0. By default, the console port has no password configured. A console connection should not be left logged in. Therefore, it is recommended to configure the timeout for EXEC sessions on the console line, so that if a user forgets to log out or leaves the session idle for an extended period, the device logs the idle session out automatically. Example 3-2 shows how to set up the console line with a password and enforce automatic logout if the session is idle for more than ten minutes. The transport input none command prevents remote access to the line via reverse Telnet.
Router(config)# line console 0
Router(config-line)# exec-timeout 10 0
Router(config-line)# transport input none
Router(config-line)# password <password>
Router(config-line)# login
Router(config-line)# end
Router#
Cisco IOS supports multiple remote interactive access connections, each serviced by a logical vty line. Cisco IOS supports more than 100 vty lines (depending on the IOS version and feature set). By default, five vty lines (0 to 4) are available and are configured with the line vty 0 4 command. Similar to the console port, vty lines have no passwords preconfigured. It is imperative to secure these lines with strong passwords and an access-control mechanism. Note that the vty lines require a password by default (login is the default line setting) but have none set, so until a password is configured the router refuses remote connections with the message "Password required, but none set." Configuring no login on a line removes the password check entirely and must never be done on vty lines. An ACL can also be used optionally to further restrict access to authorized users, thereby allowing access only from a restricted set of IP addresses.
You can use two common methods to access the vty lines: the Telnet and SSH protocols.
Example 3-3 shows you three procedures. First, it shows you how to configure VTY lines for Telnet access with a password. Second, it shows you how to apply an access list explicitly listing the hosts or networks from which remote administration will be permitted. And third, it shows how to set an exec session timeout.
Router(config)# access-list 10 permit host 10.1.1.1
Router(config)# access-list 10 permit host 10.1.1.2
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any log
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in
Router(config-line)# exec-timeout 10 0
Router(config-line)# transport input telnet
Router(config-line)# password <password>
Router(config-line)# login
Router(config-line)# end
Router#
The IP access-list number 10 in Example 3-3 is used to identify the hosts that are allowed to connect to the device through the VTY ports. Good practice is to have these IP addresses on an internal or trusted network. Be careful, though, when allowing IP addresses from external networks via the Internet. For more details on access lists, see Chapter 2. The transport input telnet command restricts the management interface to Telnet protocol only. (Telnet protocol uses TCP port 23.) If required, configure transport input all or selective protocols, which will allow for all supported protocols (for example, X.3 PAD, Async over ISDN v120, DEC MOP, TCP/IP Telnet, UNIX rlogin, UDPTN async via UDP, and TCP/IP SSH protocol).
Telnet is the most popular protocol used to access a router for administrative purposes, yet it is important to understand that it is the most insecure. All communications in the Telnet session are in clear text, and there are many attacks known to capture the Telnet session and view and/or capture the session information. A more reliable and secure method for device administration is to use Secure Shell (SSH) protocol.
SSH provides strong authentication and encryption using strong cryptographic algorithms. SSH uses TCP port 22. Two versions of SSH are available: SSH protocol Version 1 and Version 2. SSH Version 1 is an improvement over clear-text Telnet, but fundamental flaws exist in the SSHv1 protocol. SSH Version 2 is a redesigned and stronger protocol. Where the release supports it, restrict the router to Version 2 with the ip ssh version 2 global configuration command so that SSHv1 clients are refused.
SSH coupled with the AAA authentication mechanism using TACACS+ or RADIUS provides the best solution for a secure, scalable access mechanism. Example 3-4 shows how to configure SSH for vty lines. (AAA configuration examples are available in Part II of this book.)
Router(config)# hostname R1
R1(config)# username cisco password cisco
R1(config)# ip domain-name syd.cisco.com
R1(config)# crypto key generate rsa
R1(config)# access-list 10 permit 10.1.1.1
R1(config)# access-list 10 permit 10.1.1.2
R1(config)# access-list 10 permit 192.168.1.1
R1(config)# access-list 10 deny any log
R1(config)# line vty 0 4
R1(config-line)# access-class 10 in
R1(config-line)# exec-timeout 10 0
R1(config-line)# transport input ssh
R1(config-line)# password <password>
R1(config-line)# login
R1(config-line)# end
R1#
The transport input ssh command stipulates that only the SSH protocol may be used for interactive logins to the router; any session using the Telnet protocol is refused. Two details of Example 3-4 matter in practice. First, the hostname and domain name must be set before crypto key generate rsa, which prompts for a modulus size; choose at least 2048 bits, because SSH is not enabled until the key pair exists. Second, the vty lines in the example still use login with a line password; to authenticate each operator against an individual account as recommended earlier, use login local (or an AAA login method) instead, and create the account with username secret rather than the clear-text username ... password shown, with a password far stronger than the placeholder used here.
Note
SSH requires an IOS image that includes the cryptographic feature set (a k8 or k9 image).
Some devices have an auxiliary (aux) port available for remote administration via a dialup modem connection. In most cases, the aux port should be disabled by using the no exec command under line aux 0.
A modem should be connected to the aux port only if it is absolutely necessary as a last-resort path for out-of-band or backup access to the device. Through a simple war-dialing technique, an intruder can find such a modem; hence it is necessary to apply authentication for access control to the aux port. As discussed earlier, all connections to the device (including the aux port) must require authentication (using individual user accounts) for access, either using local authentication or via AAA servers using TACACS+ or RADIUS.
For enhanced security, IOS callback features can be implemented. Refer to Cisco documentation for information about connecting modems on aux ports and configuring callback features.
Banners are informational messages that can be displayed to users who connect to the device. Banners are important messaging tools used to warn unauthorized users about their activity and, most importantly, to warn them that they are being monitored and logged. Banner messages are very useful for law enforcement. A banner shown before login should not welcome the user or disclose details about the device or its owner that help an intruder; the warning text should be reviewed by the organization's legal counsel.
There are five types of banner messages:
Message-of-the-day banner (MOTD): A message-of-the-day (MOTD) banner is displayed when a user connects to the router on all connected terminals. This banner is displayed at login and is useful for sending messages that affect all network users. The banner motd command in global configuration mode can be used to configure a MOTD banner message.
Login banner: A login banner is configured to be displayed on all connected terminals. This banner is displayed after the MOTD banner appears and before the login prompt. The banner login command in global configuration mode can be used to configure a login banner message.
EXEC banner: Depending on the type of the connection, an EXEC banner is displayed after the user successfully logs in to the router. An EXEC banner is configured to be displayed whenever an EXEC process is initiated. For example, this banner is displayed to users telneting to the system after entering their usernames and passwords, but before the user EXEC mode prompt is displayed. The banner exec command in global configuration mode can be used to configure an EXEC banner message.
Incoming banner: An incoming banner is displayed on terminals connected to reverse Telnet lines, usually initiated from the network side of the router. This banner is useful for providing instructions to users. The banner incoming command in global configuration mode can be used to configure an incoming banner message.
SLIP-PPP banner message: Default banner messages have been known to cause connectivity problems in some non-Cisco Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP) dialup software connections. The SLIP-PPP banner message can be customized to make Cisco SLIP and PPP compatible with non-Cisco dialup software. The banner slip-ppp command in global configuration mode can be used to configure a SLIP-PPP banner message.
An example of a login banner follows:
*****************************************************************
* WARNING: This is a controlled access system with login        *
* restricted to authorized personnel. Unauthorized access       *
* is a criminal offense under the Computer Misuse Act of 1990.  *
* Any unauthorized access attempt will be investigated and      *
* prosecuted to the full extent of the law.                     *
* --------------------------------------------------------      *
* YOUR LOGIN DETAILS HAVE BEEN CAPTURED AND LOGGED              *
* --------------------------------------------------------      *
* If you are not an authorized user, disconnect now.            *
*****************************************************************
Banners can be customized by using banner tokens. Tokens are keywords in the form $(token) that, when used in a banner message, display the currently configured value of the token argument (for example, the router hostname, domain name, or IP address). By using these tokens, you can allow customized banners to be designed that display current Cisco IOS configuration variables. Only Cisco IOS-supported tokens may be used. There is no facility to define user-defined tokens. Table 3-1 lists the tokens supported by the different banner commands.
Token | Description | motd banner | login banner | exec banner | incoming banner | slip-ppp banner |
---|---|---|---|---|---|---|
$(hostname) | Router hostname | Yes | Yes | Yes | Yes | Yes |
$(domain) | Router domain name | Yes | Yes | Yes | Yes | Yes |
$(peer-ip) | IP address of the peer machine | No | No | No | No | Yes |
$(gate-ip) | IP address of the gateway machine | No | No | No | No | Yes |
$(encap) | Encapsulation type (SLIP or PPP) | No | No | No | No | Yes |
$(encap-alt) | Encapsulation type displayed as SL/IP instead of SLIP | No | No | No | No | Yes |
$(mtu) | Maximum transmission unit (MTU) size | No | No | No | No | Yes |
$(line) | VTY or TTY line number | Yes | Yes | Yes | Yes | No |
$(line-desc) | User-specified description of the line | Yes | Yes | Yes | Yes | No |
Cisco IOS Software has a number of services and protocols available on a device. Many of them are unnecessary in normal operation and can be susceptible to information gathering or network attacks. It is important to identify all the services on each device and ensure that they are configured appropriately (with hardened security). Only required services should be enabled on devices, and unnecessary services and protocols should be disabled. Limiting these unnecessary and unwanted services and protocols running on the device greatly enhances the device security and prevents it from being exploited by the known and unknown vulnerabilities.
The sections that follow outline some of the common services and protocols available in IOS and other Cisco devices such as firewalls. Some of these services are used for management (for example, Cisco Discovery Protocol [CDP], Simple Network Management Protocol [SNMP], Network Time Protocol [NTP], Hypertext Transfer Protocol [HTTP]). These management services must be tightly configured to allow access to authorized users only. Careful consideration should be taken to activate these services and protocols with hardened configuration.
In Cisco IOS Release 12.3(8)T, a new feature was introduced to maintain at all times a secure working copy of the router IOS image and the startup configuration. In the event of network downtime due to a compromise or any other disaster, the last thing to worry about is finding a valid copy of the IOS image and the configuration file. Time spent on recovering from such a catastrophe is critical, and speedy recovery is of utmost priority. The Cisco IOS Resilient Configuration feature enables a router to secure a working copy of the running image and configuration so that those files can withstand malicious attempts to erase the contents of persistent storage (NVRAM and flash). These secure files are protected by the IFS (IOS File System) and cannot be removed by the user. This set of IOS image and router running configuration is referred to as the primary bootset. The feature is available only on platforms whose flash is a PCMCIA ATA disk, and it protects against erasure from the IOS command line, not against someone with physical access who removes the flash card.
To enable the IOS Resilient Configuration feature, use the secure boot-image command from the global configuration mode to enable IOS image resilience. Use the secure boot-config command to store a secure copy of the primary bootset in the persistent storage.
The dir command will not list these secured files, because the IFS shields the secured files from being listed in a directory output. There is no restriction in the ROM monitor (ROMMON) mode, and files can be listed and used to boot from the secured files. To display the IOS resilience configuration and the primary bootset filename, use the show secure bootset command to verify archive existence.
CDP is a Cisco proprietary protocol for device discovery (media and protocol independent) that runs over OSI Layer 2 (the data link layer) on most Cisco devices (routers, bridges, access and communication servers, and switches). CDP displays information about other directly connected Cisco devices. Network management applications and intruders can map the network and retrieve valuable information of neighboring Cisco devices leveraging CDP.
CDP is enabled by default at the global level and on each supported interface to send and receive CDP information. However, on some interfaces, CDP is disabled by default (for example, on async interfaces).
CDP can be disabled globally for the device or on selected interfaces. The no cdp run command from the global configuration mode can be used to disable CDP for the entire device, as shown in Example 3-5.
Router# configure terminal
Router(config)# no cdp run
Alternatively, CDP can be disabled on a particular interface. The no cdp enable command from the interface configuration mode can be used to disable CDP per interface, as shown in Example 3-6.
Router# configure terminal
Router(config)# interface <interface-id>
Router(config-if)# no cdp enable
The show cdp neighbors [detail] command can be used to display information about directly connected Cisco devices.
TCP and UDP small-servers can be used to access minor services from hosts on the network. TCP small-servers access the minor TCP services such as echo, chargen, discard, and daytime. UDP small-servers access minor UDP services such as echo, chargen, and discard.
TCP and UDP small-servers are enabled by default in Cisco IOS Software Version 11.2 and earlier and disabled by default in all later versions. If these services have been enabled, they can be disabled using the no service tcp-small-servers and no service udp-small-servers commands from the global configuration mode.
The Finger protocol enables network users to obtain a list of all users currently using a device. The Finger service allows remote users to view output equivalent to that of the show users [wide] command. The information displayed includes the processes running on the system, the line number, the connection name, the idle time, and the terminal location. The Finger protocol uses TCP port 79. This information can be very useful to an intruder in the reconnaissance phase, because examining such network services reveals information about remote hosts and networks. As with all other minor services, the Finger service should be disabled if it is not required in the network.
By default, Finger protocol is disabled on all IOS versions beginning with Cisco IOS Software Version 12.1(5) and 12.1(5)T and later. (Finger protocol was enabled by default in previous versions.) If this service has been enabled, it can be disabled using the no ip finger or the no service finger command from the global configuration mode.
Identification (auth) protocol (Identd) allows any host to ask the router to identify itself. Identd can be used as a reconnaissance tool.
By default, identification support is disabled on all IOS versions. If this service has been enabled, it can be disabled using the no ip identd command from the global configuration mode.
The Dynamic Host Configuration Protocol (DHCP) server and client are integrated in Cisco IOS. DHCP is based on BOOTP and shares the well-known UDP server port 67 (per RFC 951, RFC 1534, and RFC 2131). When the BOOTP server and DHCP servers are disabled, all incoming packets on UDP port 67 are discarded, and ICMP port-unreachable messages are sent out in response.
The no ip bootp server and no service dhcp commands can be used to disable BOOTP and DHCP, respectively, from the global configuration mode.
Cisco routers or the flash memory device on the router can act as a TFTP server. The system sends a copy of the system image contained in ROM or one of the system images contained in flash memory to any client that issues a TFTP Read Request with this filename. This service must be disabled to prevent unauthorized reading and writing from the router flash memory.
By default, TFTP support is disabled on all IOS versions. If this service has been enabled, it can be disabled using the no tftp-server flash:[filename] command from the global configuration mode.
Similarly, Cisco routers can act as FTP servers. FTP service is used to transfer files to and from the router. For example, system image files, backup configs, and syslog data can be transferred to or from the router. This service must be disabled to prevent unauthorized reading and writing from the router.
By default, FTP server service is disabled on all IOS versions. If this service has been enabled, it can be disabled using the no ftp-server enable command from the global configuration mode.
Cisco IOS offers the facility to autoload device configuration directly from a server on the network to the device. There are several methods to achieve this, but none of them are recommended, because the process of passing the configuration file down to the device is in clear text and subject to unauthorized viewing in transition. Example 3-7 shows how to disable autoloading of configuration files from a network server.
Router(config)# no service config
Router(config)# no boot network
PAD service is used to enable all packet assembler/disassembler (PAD) commands and connections between PAD devices and access servers. By default, all PAD commands and associated connections are enabled.
To disable PAD, use the no service pad command from the global configuration mode.
The Cisco IOS software examines IP header options on every packet and supports the IP header options, including Strict Source Route, Loose Source Route, Record Route, and Time Stamp, defined in RFC 791. The IOS takes respective action as per RFC standards when encountering a packet with one of these options enabled. When the IOS encounters a packet with an invalid option, it sends out an Internet Control Message Protocol (ICMP) Parameter Problem message to the source of the packet and discards the packet.
IP protocol allows the source IP host to specify a route through the IP network. This provision is known as source routing. Source routing is specified as an option in the IP header. Source routing allows (or requires) the source of a packet to supply information with the message that will influence the route of that message as it passes through the network. When source routing is specified, the IOS forwards the packet according to the specified source route found in the message. This feature is employed to force a packet to take a certain route through the network and not follow the route in the routing table.
IP source routing can be used by an intruder to gain unauthorized path access by rerouting packets originally destined to use other network paths to itself. To prevent this and other forms of spoofing attacks, all devices should have this feature turned off. Various types of spoofing attacks and mitigation techniques are covered in Chapter 7, "Attack Vectors and Mitigation Techniques."
IP source routing is enabled by default in all IOS versions, as per RFC 1812, "Requirements for IP Version 4 Routers," which specifies that a router must support the source route option in the IP header and forward the packets accordingly unless explicitly disabled. The no ip source-route command from the global configuration mode can be used to disable processing of the IP source-route header options.
Proxy ARP is the technique in which a device, usually a router, replies for incoming ARP requests intended for other hosts.
By "faking" its identity, the router accepts responsibility for routing these packets to the "real" destination. All interfaces on Cisco devices are enabled to accept and respond to proxy ARP requests.
Proxy ARP, which is defined in RFC 1027, is enabled by default on all interfaces.
The interface configuration mode command no ip proxy-arp can be used to disable Proxy ARP on a per-interface basis.
Although the intricacies, advantages, and disadvantages of using Proxy ARP are beyond the scope of this book, you should explore them on your own.
Note
For more details on Proxy ARP, visit http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml.
Gratuitous Address Resolution Protocol (gARP) is an unsolicited ARP broadcast containing the IP address of the client host and the router's MAC address. A Cisco router will send out a gARP message when a client connects and negotiates an address over a PPP connection. This transmission occurs even when the client receives the address from a local address pool.
Gratuitous ARP is enabled by default on all interfaces. To disable gARP, use the no ip gratuitous-arps command from the global configuration mode.
By default, IP directed broadcast is disabled under all the interfaces in all Cisco IOS Software Version 12.0 and later. In earlier IOS versions, the no ip directed-broadcast command was required to be applied on every interface known to forward broadcast packets. When an interface is configured with the no ip directed-broadcast command, all directed broadcast packets are dropped at the interface.
IP mask reply service is used to send an Internet Control Message Protocol (ICMP) mask reply message with subnet mask information for a particular network in response to the ICMP mask requests. An attacker can use this technique to aid in mapping a network.
By default, IP mask reply is disabled on all IOS versions. IP mask reply can be enabled on a per-interface basis using the ip mask-reply command under the interface configuration mode.
If this service has been enabled, the command no ip mask-reply under the interface configuration mode can be used to disable it.
When a packet received on an interface is required to exit out through the same interface on which it was received, an ICMP redirect message is sent to the host indicating the default gateway address to be used for subsequent forwarding. In earlier versions of IOS, if Hot Standby Router Protocol (HSRP) was configured on an interface, ICMP redirect messages were disabled by default for the interface. With Cisco IOS Release 12.1(3)T and later, ICMP redirect messages are enabled by default if HSRP is configured.
The no ip redirects command under the interface configuration mode can be used to disable IP redirect. This service should be disabled especially on untrusted network interfaces because it can be used to map the network.
When an IOS device receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source. In addition, an ICMP unreachable message is used to send a response to a host to inform it that the device cannot deliver the packet to the requested destination because it does not have a route to the destination address.
One of several common attacks an intruder can launch involves sending crafted packets to the device with spoofed random source IP addresses for which the device has no route. This results in the device replying with an ICMP unreachable packet to each of those spoofed hosts. In some cases, replying to a large number of these requests containing unknown or invalid IP addresses can degrade performance. To prevent such an occurrence and many other types of attacks, the ICMP unreachable message can be disabled under the interface configuration mode, as shown in Example 3-8.
Router(config)# interface <interface-id>
Router(config-if)# no ip unreachables
Caution
In some configurations, such as certain types of tunnel structures, the use of ip unreachables is required. If the device must use the ICMP Unreachable feature, an alternative that alleviates performance degradation is to rate limit the number of replies using the ip icmp rate-limit {milliseconds} command in global configuration mode. In Cisco IOS 12.0 and later, the default rate limit is set to two packets per second.
One of the features Cisco IOS offers to manage the device is the HTTP protocol. The integrated web server in Cisco IOS allows for basic management using the web browser. If HTTP is not required, it is highly recommended that you disable it.
HTTP server is enabled using the ip http server command from the global configuration mode. The secure HTTP (HTTPS) server feature was also added from IOS version 12.2(15)T and later. Secure HTTP (HTTPS) can be enabled using the ip http secure-server command from the global configuration mode. The standard HTTP server and the secure HTTP server can run concurrently on a device. For increased security, it is recommended that you use the Secure HTTP (HTTPS) server and disable the standard HTTP server using the no ip http server command. This will ensure that secure data cannot be accessed through the standard HTTP connection. The show ip http server command can be used for detailed status information about the HTTP server.
By default, the HTTP server uses the standard TCP port 80, and Secure HTTP (HTTPS) uses the standard TCP port 443. These ports can be changed to user-defined ports by using the ip http port {port} command and the ip http secure-port {port} command, respectively. Only values above 1024 are accepted.
For more granular security, an authentication mechanism can be used for login when a client connects to HTTP server, coupled with an access list to restrict the access of HTTP service to authorized users only. The ip http access-class {access-list-number} command can be used to define sets of IP addresses and networks that are permitted or denied access. The ip http authentication command can be used to enable authentication using the AAA, enable, local, and tacacs methods.
If HTTP and HTTPS services are not required, they can be disabled by using the no ip http server command and no ip http secure-server commands, respectively, from the global configuration mode.
The heart of the time service is the system clock. The system clock starts at every system startup and keeps track of the current date and time. Internally, the system clock keeps time based on UTC, also known as Greenwich Mean Time (GMT). The local time zone and daylight saving time must be configured to reflect the correct time relative to the local time zone.
Note
On the high-end routers such as the 7500 and 12000 Series, the system keeps time on an internal clock, thus time is not lost during a reboot.
NTP is designed to synchronize the time on the device clock. An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server.
NTP is essential for syslog messages, and for troubleshooting and correlation activities. NTP uses UDP port 123 as both the source and destination and can be secured using an authentication mechanism that uses the MD5 algorithm. The ntp command from the global configuration mode can be used for all NTP-related configurations in the Cisco IOS.
SNMP is a widely used management protocol, a set of standards defined by the Internet Engineering Task Force (IETF) for communicating with devices connected to a TCP/IP network. SNMP provides a means to monitor and control network devices and to manage configurations, statistics collection, and performance monitoring. SNMP is an application layer protocol that facilitates the exchange of management information between network devices. SNMP uses UDP ports 161 and 162.
Like other management protocols, SNMP is vulnerable to a variety of security threats. Numerous guidelines exist for configuring SNMP. If SNMP is not required in the network, it should be disabled on all devices.
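Across the services covered above (CDP through SNMP), the recurring pattern is that some services are on by default and need an explicit "no" form in the configuration, while others are off by default and are a problem only when they appear in it. The following Python audit is an added example, not Cisco's code: it applies that distinction to a constructed "show running-config" excerpt, taking the service names and default states from the text, checking the per-interface settings (proxy ARP, ICMP redirects and unreachables, CDP) on every interface, and assuming IOS 12.x-style configuration output.

```python
# Added example, not Cisco's code: audit an IOS running-config against the hardening above.
GLOBAL_ON = {  # ON by default: the explicit "no" form must be present
    "no cdp run": "CDP", "no ip source-route": "IP source routing",
    "no service pad": "PAD", "no ip gratuitous-arps": "gratuitous ARP"}
GLOBAL_OFF = {  # OFF by default: presence in the config is a finding
    "service tcp-small-servers": "TCP small servers", "ip finger": "Finger",
    "service udp-small-servers": "UDP small servers", "service finger": "Finger",
    "ip identd": "identd", "tftp-server ": "TFTP server", "ftp-server enable": "FTP server",
    "service config": "config autoload", "boot network": "config autoload",
    "ip http server": "plain HTTP server", "snmp-server community": "SNMP"}
IFACE_ON = {  # per interface, ON by default: disable on untrusted interfaces
    "no ip proxy-arp": "Proxy ARP", "no ip redirects": "ICMP redirects",
    "no ip unreachables": "ICMP unreachables", "no cdp enable": "CDP"}
IFACE_OFF = {"ip mask-reply": "ICMP mask reply",  # per interface, OFF by default
             "ip directed-broadcast": "directed broadcast"}
# Constructed "show running-config" excerpt (IOS 12.x style), not from a real device.
SAMPLE_CONFIG = """no ip source-route
service tcp-small-servers
ip http server
no cdp run
snmp-server community public RO
!
interface GigabitEthernet0/1
 no ip proxy-arp
 ip mask-reply
"""

def parse_config(text):
    """Split a running-config into top-level lines and {interface: [sub-commands]}."""
    top, ifaces, cur = [], {}, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if line.startswith(" "):            # indented: sub-command of the open block
            if cur is not None:
                ifaces[cur].append(line.strip())
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        else:                               # "!", blank, or another top-level command
            cur = None
            if line and line[0] != "!":
                top.append(line)
    return top, ifaces

def audit(text):
    """Return sorted findings; [] means every check passed."""
    top, ifaces = parse_config(text)
    out = [f"global: {n} enabled by default; add '{c}'" for c, n in GLOBAL_ON.items()
           if not any(t.startswith(c) for t in top)]
    out += [f"global: {n} explicitly enabled; remove '{c}'" for c, n in GLOBAL_OFF.items()
            if any(t.startswith(c) for t in top)]
    for name, sub in ifaces.items():    # global 'no cdp run' makes 'no cdp enable' moot
        out += [f"{name}: {n} enabled by default; add '{c}'" for c, n in IFACE_ON.items()
                if c not in sub and not (c == "no cdp enable" and "no cdp run" in top)]
        out += [f"{name}: {n} enabled; add 'no {c}'" for c, n in IFACE_OFF.items() if c in sub]
    return sorted(out)
```

Running audit(SAMPLE_CONFIG) reports the missing no service pad and no ip gratuitous-arps, the explicitly enabled small servers, HTTP server and SNMP community, and the interface that still has ICMP redirects, unreachables and mask reply active.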
There are a number of services available on Cisco devices, as discussed in earlier sections. It is a very difficult task to monitor and maintain the security level and to identify each service. To help with this task, Cisco IOS introduced a single CLI command, called Auto-Secure, which performs the following functions:
Disables common IP services that can be exploited for network attacks
Enables IP services and features that can aid in the defense of a network when under attack
In addition, this feature simplifies the security configuration of a router and hardens the router configuration. Auto-Secure is a valuable feature for people without special security operations applications, because it allows them to quickly secure their network without thorough knowledge of all the Cisco IOS security features.
The Auto-Secure feature is available in Cisco IOS Release 12.3(1) and later. The auto secure command in privileged EXEC mode can be used to secure the management and forwarding planes of the router. When executed, an interactive wizard prompts the user, unless the no-interact keyword is used, in which case the user is not prompted for interactive configurations.
The show auto secure config command can be used to display all configuration commands that have been added as part of the Auto-Secure process.
Note
For more information on the Auto-Secure feature, visit http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html.
Caution
Prior to Cisco IOS Release 12.3(8)T, rollback of the Auto-Secure configuration is not available. The rollback feature is available in IOS Release 12.3(8)T and later. Rollback enables a router to revert to its pre-Auto-Secure configuration state if the Auto-Secure configuration fails.