1. Disable unnecessary services – By default, Cisco routers run several optional services. These services can give attackers information about the router that they can use to their advantage. Disable the following services in global configuration mode:
- CDP (Cisco Discovery Protocol) – no cdp run
- Remote configuration – no service config
- Source Routing – no ip source-route
- Finger – no service finger
- Web Server – no ip http server
- SNMP – no snmp-server
- BOOTP – no ip bootp server
- TCP services – no service tcp-small-servers
- UDP services – no service udp-small-servers
If the router has an interface that is not in use, administratively shut it down with the shutdown command. For the interfaces that are in use, do the following in interface configuration mode:
- no ip directed-broadcast
- no ip mask-reply
- no ip proxy-arp
2. Filter traffic, log denials, and prevent spoofing – Basically, you want to block all traffic that is not needed. Figuring out which traffic is needed can often be difficult. To do this, think about your network: which networks will send traffic through this router? If this is an Internet-facing router, it should never receive traffic with a source address from the private address ranges (RFC1918), so you should implement the following access list:
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any [without this line, the implicit deny at the end of every access list blocks all inbound traffic]
interface s0/0
! WAN Internet interface
ip access-group 101 in
As you might guess, you can get much more complex with this access-list.
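To see why the closing permit matters and how the wildcard masks decide what is blocked, here is a small evaluator for extended access lists of the form used above. This is an added example, not part of the original article or any Cisco tool: it parses the list into entries, evaluates a source/destination pair against them in order (first match wins), and then applies the implicit deny that every IOS access list ends with. The list text and the addresses tested are constructed samples.

```python
import ipaddress

# Constructed sample: the RFC1918 anti-spoofing list from the text (with full
# wildcard masks) plus the explicit permit that the implicit deny requires.
ACL_WITH_PERMIT = """\
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 permit ip any any
"""
# The same three deny lines without a closing permit, to show the implicit deny.
ACL_DENY_ONLY = "\n".join(ACL_WITH_PERMIT.splitlines()[:3]) + "\n"


def _ip_int(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return ((addr, wildcard), next_i).

    'any' matches everything, 'host X' matches one address, and 'A.B.C.D W.W.W.W'
    uses an inverted (wildcard) mask: 0 bits must match, 1 bits are don't-care.
    """
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip_int(tokens[i + 1]), 0), i + 2
    return (_ip_int(tokens[i]), _ip_int(tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines into entries, in order."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        entries.append({"list": tok[1], "action": tok[2], "src": src, "dst": dst,
                        "log": "log" in tok[i:], "text": line})
    return entries


def _match(spec, value):
    addr, wildcard = spec
    return (value & ~wildcard & 0xFFFFFFFF) == (addr & ~wildcard & 0xFFFFFFFF)


def evaluate(entries, src_ip, dst_ip):
    """First-match evaluation, then the implicit deny every IOS access list ends with.

    Returns (action, matching entry) or ("deny", None) for the implicit deny.
    """
    s, d = _ip_int(src_ip), _ip_int(dst_ip)
    for entry in entries:
        if _match(entry["src"], s) and _match(entry["dst"], d):
            return entry["action"], entry
    return "deny", None


if __name__ == "__main__":
    acl = parse_acl(ACL_WITH_PERMIT)
    for src in ("10.1.2.3", "172.31.9.9", "192.168.200.7", "203.0.113.9"):
        action, entry = evaluate(acl, src, "198.51.100.1")
        print(f"{src:>15} -> {action} ({entry['text'] if entry else 'implicit deny'})")
    # With only the three deny lines, even a legitimate Internet source is dropped.
    print(evaluate(parse_acl(ACL_DENY_ONLY), "203.0.113.9", "198.51.100.1"))
```

Running it shows 192.168.200.7 being denied only because the third line uses the 0.0.255.255 wildcard covering all of 192.168.0.0/16, and shows 203.0.113.9 hitting the implicit deny when the list has no closing permit.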
3. Store router logs and use a reliable time source – All of the access-list denials logged above need to go to a log. That log will also record any configuration changes to the router and any errors. To keep the log on the router, do the following in global configuration mode:
logging on
logging buffered 16384 [gives the router a 16384-byte (16 KB) logging buffer]
However, a downside to holding this only on the router is that if the router reboots (or an attacker crashes it), all these logs will be lost. To send these logs to a syslog server, do the following:
logging 1.1.1.1 [IP address of the syslog server]
service timestamps log datetime localtime show-timezone msec [adds a timestamp, with time zone and milliseconds, to every log message]
To make sure that the time on those logs is always up to date, configure your router to use a reliable time source using Network Time Protocol (NTP):
ntp server pool.ntp.org [a sample Internet-based free NTP server pool; the router needs DNS to resolve the name]
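Once the denials and configuration changes are arriving at the syslog server, something has to read them. The following parser is an added example, not from the article or from Cisco: it recognises the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP messages that logged access-list denials produce and the %SYS-5-CONFIG_I message that records a configuration change, totals denied packets per source, lists sources inside the RFC1918 ranges seen on the outside (direct evidence of spoofing), and flags lines that arrived without a timestamp (a sign that service timestamps is not set). The log lines are constructed samples in the shape IOS uses; the exact field layout of real messages varies slightly between IOS releases, so treat the regular expressions as an assumption to adjust for your devices.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample syslog lines (not captured from a real device) in the shape
# IOS produces for logged ACL denials and for configuration changes.
SAMPLE_LOG = """\
Mar  1 10:15:02.114 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.4.4.4(51234) -> 203.0.113.10(22), 1 packet
Mar  1 10:15:07.301 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.4.4.4(51235) -> 203.0.113.10(23), 3 packets
Mar  1 10:16:40.009 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.168.77.1 -> 203.0.113.10 (8/0), 12 packets
Mar  1 10:17:11.500 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.50)
Mar  1 10:18:00.250 UTC: %SEC-6-IPACCESSLOGP: list 101 denied udp 172.20.1.9(53) -> 203.0.113.10(53), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40000) -> 203.0.113.10(22), 2 packets
"""

# Assumed message layout: "list <acl> denied <proto> SRC[(port)] -> DST[(port)] [(type/code)], N packet(s)"
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<how>.+)")
# "Mon DD HH:MM:SS" prefix that "service timestamps log datetime" produces.
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(address):
    """True when the address lies in one of the three private ranges from the access list."""
    return any(ipaddress.IPv4Address(address) in net for net in RFC1918)


def parse_events(text):
    """Return (denials, config_changes, untimestamped_lines) from raw syslog text."""
    denials, config_changes, untimestamped = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not TS_RE.match(line):
            untimestamped.append(line)       # service timestamps missing on the sender
        m = ACL_RE.search(line)
        if m and m.group("action") == "denied":
            denials.append({
                "acl": m.group("acl"), "proto": m.group("proto"),
                "src": m.group("src"), "dst": m.group("dst"), "dport": m.group("dport"),
                "count": int(m.group("count")), "private_src": is_rfc1918(m.group("src")),
            })
            continue
        c = CONFIG_RE.search(line)
        if c:
            config_changes.append(c.group("how"))
    return denials, config_changes, untimestamped


def packets_by_source(denials):
    """Total denied packets per source address, largest first."""
    totals = Counter()
    for d in denials:
        totals[d["src"]] += d["count"]
    return totals.most_common()


def private_sources(denials):
    """RFC1918 sources seen arriving on the Internet interface: spoofing evidence."""
    return sorted({d["src"] for d in denials if d["private_src"]})


if __name__ == "__main__":
    denials, changes, missing_ts = parse_events(SAMPLE_LOG)
    print("denied packets by source:", packets_by_source(denials))
    print("spoofed private sources:", private_sources(denials))
    print("config changes:", changes)
    print("lines without timestamp:", len(missing_ts))
```

The private-range test is done against the three RFC1918 networks explicitly rather than with Python's IPv4Address.is_private, because the latter also treats documentation ranges such as 198.51.100.0/24 as private and would misreport an ordinary Internet source.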
4. Apply passwords to lines and privileged mode – There are three basic ways to access a router: the console, the aux port, and the vty (virtual terminal) lines. Make sure that all three have passwords applied to them. Here is what to look for in your config file to double-check:
line con 0
login
password MyComplexPass
exec-timeout 0 0 [0 0 disables the idle timeout entirely; prefer a finite value on production devices]
line aux 0
login
password MyComplexPass
exec-timeout 0 0
line vty 0 4 [check whether your router has additional vty lines beyond 0 4, as some do, and apply the same settings to those too]
login
password MyComplexPass
To access the router’s privileged mode, you must configure an enable password. When doing this, always use enable secret, which stores an MD5 hash of the password, instead of enable password, which stores it in clear text (or in the reversible Type 7 form if service password-encryption is on). Here is an example:
enable secret MyComplexSecretPass
5. Use complex passwords, encrypt passwords, and prevent dictionary attacks – Use long passwords on your router, because length significantly reduces the chance of a password being guessed. To enforce a minimum length, use the command:
security passwords min-length 6 [this sets the minimum password length to 6 characters]
Always make sure that all router passwords are at least obfuscated in the configuration. To do this, use this command:
service password-encryption
Note that this applies Type 7 encoding, which is reversible: it keeps passwords from being read straight off a displayed or shared configuration, but it is no substitute for the hashed enable secret and username secret forms.
You can prevent dictionary attacks by telling the router to accept logins only every 1 second and to block all logins to the router for 120 seconds if there are five failed attempts within 60 seconds. Use this command to do it:
login block-for 120 attempts 5 within 60
For more information, see the article “Protect your router from a DoS dictionary attack.”
For any local user accounts you configure, use the newer command:
username NAME secret …
This stores an MD5 hash of that user’s password instead of a reversible form.
6. Control who can access the router – For remote access, restrict which users can manage the router by their source IP address and by the protocol they may use. To restrict management access by IP address, do the following:
access-list 1 permit 192.168.1.0 0.0.0.255 [this is just a local LAN; you could lock it down to a single management host]
line vty 0 4
access-class 1 in
7. Use SSH – Although many companies use Telnet or HTTP to manage their routers, that is not recommended. I would highly recommend changing to Secure Shell (SSH) for all remote router management, because SSH encrypts the session while Telnet and HTTP send credentials and commands in clear text. To allow only SSH, do:
hostname myrouter [a hostname is required before keys can be generated]
ip domain-name mydomain.com [a domain name is required for the same reason]
crypto key generate rsa [generates the RSA key pair that SSH uses]
ip ssh timeout 60
line vty 0 4
transport input ssh
8. Secure routing protocols and optional services – If you are using any routing protocol, an attacker who can inject or alter routing updates can use it to take down your network. I recommend using a routing protocol that supports authenticated route exchange, where each update carries a keyed MD5 hash and the password itself is never sent on the wire. For example, here is how to configure OSPF to use MD5 authentication:
ip ospf message-digest-key key# md5 My$OSPFpassword [on each OSPF interface; key# is the key ID and, together with the password, must match on every neighbor]
area X authentication message-digest [in OSPF router configuration mode, for each area]
If you must use optional services such as HTTP web-based management or SNMP, configure them in the most secure way available. For instance, if you are using HTTP web-based management, configure it to authenticate only against encrypted passwords. If you are using SNMP, use a complex password and SNMPv3, which can authenticate and encrypt its traffic.
9. Prevent DoS attacks – You want to stop others from shutting down your network links or shutting down your router entirely. One of the easiest commands that helps prevent DoS attacks is no ip directed-broadcast: IP directed broadcasts are rarely needed and are commonly abused to reflect DoS traffic. Another simple measure is to rate-limit ICMP packets. ICMP can be used to flood your network, causing a denial of service. To limit such a flood, apply the following commands on each Internet-facing interface. (Tweak the bandwidth allowed to suit the link you are connected to; in this example, ICMP echo and echo-reply traffic is limited to 20 Kbps.)
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any echo
interface Serial 0/0
rate-limit input access-group 100 20000 8000 8000 conform-action transmit exceed-action drop [20000 bps, with an 8000-byte normal burst and an 8000-byte extended burst]
Prevention of every possible DoS attack can get very complex.
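To make the three numbers in the rate-limit line concrete, here is a small token-bucket model of what the router does with them. This is an added example, not from the article or from Cisco: the bucket refills at 20000 bits per second (2500 bytes per second) up to the 8000-byte normal burst, each ICMP echo or echo-reply packet matching access-list 100 is transmitted only if the bucket holds at least its size, and everything else bypasses the limiter. Because the article sets the extended burst equal to the normal burst, there is no extended-burst borrowing and the deterministic model below is sufficient for that line; real CAR with a larger extended burst drops excess packets probabilistically, which this model does not reproduce. The packet trace is constructed.

```python
# Constructed packet trace: (time in seconds, protocol, ICMP type or None, size in bytes).
# Twelve 1000-byte ICMP echo requests arrive at t=0 alongside one TCP packet, then one
# echo request and one echo reply arrive a second later.
FLOOD = ([(0.0, "icmp", 8, 1000)] * 12
         + [(0.0, "tcp", None, 1500), (1.0, "icmp", 8, 1000), (1.0, "icmp", 0, 1000)])


def matches_acl_100(proto, icmp_type):
    """access-list 100 permits only ICMP echo (type 8) and echo-reply (type 0)."""
    return proto == "icmp" and icmp_type in (0, 8)


def simulate_car(packets, bps=20000, normal_burst=8000):
    """Token-bucket model of 'rate-limit input access-group 100 <bps> <normal> <extended>'
    for the case extended == normal (no extended burst).

    Tokens are bytes; they refill at bps/8 per second and are capped at normal_burst.
    A matching packet conforms (transmit) when the bucket holds at least its size and
    exceeds (drop) otherwise. Non-matching packets bypass the limiter untouched.
    Returns one of 'transmit', 'drop' or 'bypass' per packet, in order.
    """
    bytes_per_second = bps / 8.0
    tokens = float(normal_burst)
    last_time = packets[0][0] if packets else 0.0
    decisions = []
    for t, proto, icmp_type, size in packets:
        tokens = min(float(normal_burst), tokens + (t - last_time) * bytes_per_second)
        last_time = t
        if not matches_acl_100(proto, icmp_type):
            decisions.append("bypass")
        elif size <= tokens:
            tokens -= size
            decisions.append("transmit")
        else:
            decisions.append("drop")
    return decisions


def count_decisions(decisions):
    """Summarise a decision list as counts per outcome."""
    return {k: decisions.count(k) for k in ("transmit", "drop", "bypass")}


if __name__ == "__main__":
    result = simulate_car(FLOOD)
    for pkt, decision in zip(FLOOD, result):
        print(pkt, "->", decision)
    print(count_decisions(result))
```

With the article's parameters the first eight 1000-byte echo requests drain the 8000-byte bucket, the next four are dropped, the TCP packet is untouched, and after one second 2500 bytes of credit have returned, so both packets at t=1.0 go through. A steady stream of small pings (say 200 bytes every 0.1 s, i.e. 16 Kbps) never exceeds the rate and is never dropped.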
10. Keep the IOS patched – It’s not just Microsoft that comes out with frequent software patches; so does Cisco. You should keep up to date on the latest Cisco security advisories and patch your routers as regularly as possible. To view the latest Cisco patches for your Cisco device, go to the Cisco Security Advisories Web site. Another word of caution: Run the general deployment version of the Cisco IOS (the “GD” version). The GD version is considered to be the most stable version available. It should have the fewest bugs and security vulnerabilities.