Cisco Basic Security

(1) Cisco Router/Switch Hardening

Colorado Springs Cisco Users Group
April 8, 2003

William H. Gilmore | Scott R. Hogg
International Network Services
(3) Agenda

- Introductions
- First half
  - What and why
  - Methodology
  - Booting & banners
  - Keeping time and logging
  - Services needed & not needed
  - Interface hardening
  - ACLs-o-plenty
- Break
- Second half
  - Cisco IOS Firewall
  - SNMP vulnerabilities
  - AAA
  - Securing routers/switches

(4) Router/Switch Hardening

What is hardening?
- Controlling access
- Eliminating undesired traffic
- Minimizing susceptibility to attacks

Why do I need it?
- Control who can access what, when
- Optimize device reliability and efficiency
- Eliminate the possibility of many well-known attacks on improperly configured devices

(5) Methodology

- Provide password protection
- Configure privilege levels
- Limit remote access
- Limit local access
- Display login banner
- Configure SNMP
- Configure logging and NTP
- Provide other protection mechanisms
- Provide anti-spoofing
- Mitigate Denial of Service attacks

(6) Methodology (cont.)

Additionally, one should include the following in their methodology:
- Remove all services not needed
- Enable strong passwords on all interfaces
- Limit management capabilities
- Don't take anything for granted

(7) Boot?

Let's start at the beginning.

Default behavior:
  boot flash
  boot rom

Explicitly define which software image is to be run:
  boot system flash c3640-js-mz.122-10a.bin
  boot system rom

(8) A Little Legalese, Please!

- Your router is public domain unless you post "No Trespassing" signs
- If you cannot identify:
  - What occurred
  - Where
  - When

(9) Banners

  banner login
  banner motd ^C
  *************************************************************
  !! ONLY AUTHORIZED USERS ARE ALLOWED TO LOGON UNDER PENALTY OF LAW !!
  This is a private computer network and may be used only by direct permission of its owner(s). The owner(s) reserves the right to monitor use of this network to ensure network security and to respond to specific allegations of misuse. Use of this network shall constitute consent to monitoring for these and any other purposes. In addition, the owner(s) reserves the right to consent to a valid law enforcement request to search the network for evidence of a crime stored within this network.
  *************************************************************
  ^C

(10) Time Synchronization

Do you know what time it is?

Use NTP to synchronize the router's clock to a high-level NTP server:
- Stratum 1 GPS radio
- Stratum 1 or 2 clock from ISP or NIST
- Review http://www.ntp.org for NTP info

Use NTP authentication:
  clock timezone MST -7
  ntp authentication-key 1 md5 <SECRETKEY>
  ntp authenticate
  ntp update-calendar

(11) Logging - Who's the Hall Monitor?

Use service timestamps:
  service timestamps debug datetime
  service timestamps log datetime msec localtime

Configure syslog server(s):
  logging 10.2.3.4
  logging facility local7

Decide what to log:
  logging trap informational
  logging console warnings

Decide where to log from:
  logging source-interface loopback0

Buffer those messages:
  logging buffered 4096
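Added example (not part of the original slides): a Python parser for IOS syslog lines in the shape that "service timestamps log datetime msec" produces, applying the same severity cut-off that "logging trap informational" applies before a message is forwarded, and summarizing the ACL "log" hits that appear later in the deck. The sample lines are constructed for the demo, not captured from a router; they follow the %FACILITY-SEVERITY-MNEMONIC layout of IOS messages.

```python
"""Parse Cisco IOS syslog lines (format produced by 'service timestamps log
datetime msec') and apply the 'logging trap <level>' severity cut-off."""
import re
from collections import Counter

# IOS logging levels: lower number = more severe; names as used by 'logging trap'.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample lines (not captured from a real router). The
# IPACCESSLOGP lines are the shape produced by the 'log' keyword on an ACL entry.
LOG_LINES = """\
Apr  8 09:15:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.2)
Apr  8 09:15:40.511: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(3344) -> 192.0.2.10(23), 1 packet
Apr  8 09:16:01.002: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(3345) -> 192.0.2.10(23), 1 packet
Apr  8 09:16:05.900: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0, changed state to down
Apr  8 09:17:12.000: %SYS-7-USERLOG_DEBUG: debugging output from a test session
"""

LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
DENY_RE = re.compile(r"list (?P<acl>\S+) denied \S+ (?P<src>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Split one IOS log line into its fields; None if it is not IOS-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def forwarded(records, trap_level):
    """What a syslog server receives under 'logging trap <trap_level>':
    every message at that severity or more severe (numerically <=)."""
    cutoff = SEVERITY[trap_level]
    return [r for r in records if r["severity"] <= cutoff]


def acl_denies(records):
    """Count ACL 'log' hits per (ACL number, source address)."""
    hits = Counter()
    for r in records:
        if r["mnemonic"] == "IPACCESSLOGP":
            m = DENY_RE.search(r["text"])
            if m:
                hits[(m["acl"], m["src"])] += 1
    return hits


def config_changes(records):
    """Messages showing that someone entered configuration mode."""
    return [r["text"] for r in records if r["mnemonic"] == "CONFIG_I"]


if __name__ == "__main__":
    recs = [parse_line(line) for line in LOG_LINES.splitlines()]
    print(len(forwarded(recs, "informational")), "of", len(recs), "lines forwarded at 'informational'")
    print(dict(acl_denies(recs)))
    print(config_changes(recs))
```

The point of the severity table: "logging trap informational" forwards levels 0 through 6, so the level-7 debug line never reaches the collector, while "logging console warnings" keeps the console down to levels 0 through 4.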

(12) Tuning the IP Stack

Nagle congestion control algorithm:
  service nagle  (see RFC 896)

Limit embryonic TCP connections:
  ip tcp synwait-time 10  (30 seconds default)

Other special cases

(13) Tuning the CPU

- Guarantee CPU time for vital processes:
  scheduler-interval 500  (500 milliseconds)
- More granular on Cisco 7200 & 7500 platforms:
  scheduler allocate 500 100  (500 microseconds per clock cycle for fast-packet switching, 100 microseconds per clock cycle for process switching)

(14) Services - Needed

  service password-encryption
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime

(15) Services - Not Needed

  no cdp run  (be careful)
  no boot network  (older command)
  no service config
  no ip source-route
  no service finger  (older command)
  no ip finger
  no ip identd
  no service pad
  no service tcp-small-servers
  no service udp-small-servers
  no ip bootp server
  no snmp-server  (more on this later)
  no tftp-server

(16) Interface Hardening

  no cdp enable
  ip accounting access-violation
  no ip directed-broadcast
  no ip redirects
  no ip unreachables
  no ip mask-reply
  no ip proxy-arp
  no mop enabled
  shutdown

(17) ACL - General

Basic:
  access-list 1 permit 1.1.2.0 0.0.1.255

Extended with remark:
  access-list 100 remark telnet access list
  access-list 100 permit tcp host 1.1.1.1 2.2.2.0 0.0.0.255 eq telnet

Type-code:
  access-list 200 permit 0x0000 0x0d0d

Named:
  ip access-list standard allow-telnet
   remark machine from which telnet is accepted
   permit 1.1.1.1
   permit 2.2.2.2

(18) ACL - Time Based

  access-list 100 remark Only allow IP traffic during open hours
  access-list 100 permit ip any any time-range only-during-open-hours
  !
  time-range only-during-open-hours
   absolute start 00:00 01 January 2002
   periodic weekdays 7:30 to 18:30
   periodic Saturday 8:30 to 13:30
   periodic Sunday 8:30 to 18:30
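Added example (not from the original slides): a Python evaluator for the "time-range" above, showing when the ACL entry that references it is in effect. It parses the "absolute" and "periodic" lines as written on the slide; the day keywords and the rule that an entry bound to an inactive time-range is skipped are IOS behaviour, the ISO-timestamp interface is this example's own.

```python
"""Evaluate an IOS 'time-range' as used by a time-based ACL entry: an
optional absolute window plus periodic windows keyed by day of week."""
from datetime import datetime, time

# IOS 'periodic' day keywords mapped to Python weekday() values (Monday=0).
DAY_SETS = {
    "weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7)),
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

# The slide's time-range body (the lines entered under 'time-range only-during-open-hours').
TIME_RANGE = [
    "absolute start 00:00 01 January 2002",
    "periodic weekdays 7:30 to 18:30",
    "periodic Saturday 8:30 to 13:30",
    "periodic Sunday 8:30 to 18:30",
]


def parse_time_range(lines):
    """Return (absolute_start, absolute_end, periodic) where each periodic
    item is (set of weekdays, start time, end time)."""
    abs_start = abs_end = None
    periodic = []
    for raw in lines:
        tok = raw.split()
        if tok[0] == "absolute":
            # absolute [start hh:mm dd month yyyy] [end hh:mm dd month yyyy]
            i = 1
            while i < len(tok):
                stamp = datetime.strptime(" ".join(tok[i + 1:i + 5]), "%H:%M %d %B %Y")
                if tok[i] == "start":
                    abs_start = stamp
                else:
                    abs_end = stamp
                i += 5
        elif tok[0] == "periodic":
            # periodic <days> hh:mm to hh:mm  (IOS accepts '7:30'; pad to '07:30')
            days = DAY_SETS[tok[1].lower()]
            start = time.fromisoformat(tok[2].zfill(5))
            end = time.fromisoformat(tok[4].zfill(5))
            periodic.append((days, start, end))
    return abs_start, abs_end, periodic


def is_active(lines, when_iso):
    """True if the time-range is active at the ISO timestamp given, i.e. the
    ACL entry referencing it is in effect; inactive entries are skipped."""
    when = datetime.fromisoformat(when_iso)
    abs_start, abs_end, periodic = parse_time_range(lines)
    if abs_start and when < abs_start:
        return False
    if abs_end and when > abs_end:
        return False
    if not periodic:
        return True   # an absolute-only range is active for its whole window
    now = when.time()
    return any(when.weekday() in days and start <= now <= end
               for days, start, end in periodic)
```

One caveat this makes visible: the only entry in access-list 100 is the time-bound permit, so outside open hours the list is empty apart from the implicit deny and all IP traffic is dropped, which is the intent of the slide but is easy to forget when the range is edited later.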

(19) ACL - Lock & Key

  interface ethernet0
   ip address 172.18.23.9 255.255.255.0
   ip access-group 101 in
  !
  access-list 101 permit tcp any host 172.18.21.2 eq telnet
  access-list 101 dynamic mytestlist timeout 120 permit ip any any
  !
  line vty 0
   login local

(20) ACL - TCP Intercept

SYN flood protection for servers. Two modes:
- Watch - watches and terminates incomplete connections.
- Intercept - attempts to complete the connection with the client on behalf of the server. If successful, creates a connection to the server. If unsuccessful, closes the connection to the client.

  access-list 120 remark Web Servers
  access-list 120 permit tcp any 1.1.1.0 0.0.0.255
  ip tcp intercept list 120
  ip tcp intercept mode watch
  ip tcp intercept connection-timeout 60
  ip tcp intercept watch-timeout 10

(21) ACL - Reflexive

  interface Serial 1
   description Access to the Internet via this interface
   ip access-group inboundfilters in
   ip access-group outboundfilters out
  !
  ip reflexive-list timeout 120
  !
  ip access-list extended outboundfilters
   permit tcp any any reflect tcptraffic
  !
  ip access-list extended inboundfilters
   permit bgp any any
   permit eigrp any any
   deny icmp any any
   evaluate tcptraffic
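Added example (not from the original slides): a Python simulation of the reflexive ACL above. An outbound TCP flow matching the "reflect" entry creates a mirror entry; the "evaluate" line on the inbound list admits only the matching reply traffic; entries age out after the 120-second idle timeout. Protocol matching is simplified to the keyword written in each ACL line, and all packets and timings are constructed for the demo.

```python
"""Simulate a reflexive ACL: an outbound TCP flow that matches a 'reflect'
entry creates a temporary mirror entry; 'evaluate' on the inbound list lets
only that reply traffic in, and the entry expires after the idle timeout."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # protocol keyword as written in the slide's ACL entries
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveList:
    """The temporary entries created by 'permit tcp any any reflect tcptraffic',
    aged by 'ip reflexive-list timeout <seconds>' (an inactivity timer)."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}   # mirror 5-tuple -> expiry time (seconds)

    def reflect(self, pkt, now):
        # The mirror entry matches the reply: addresses and ports swapped.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.entries[key]                  # aged out, no longer matches
            return False
        self.entries[key] = now + self.timeout    # activity refreshes the timer
        return True


def outbound(pkt, rlist, now):
    """'ip access-list extended outboundfilters': permit tcp any any reflect tcptraffic."""
    if pkt.proto == "tcp":
        rlist.reflect(pkt, now)
        return True
    return False                                   # implicit deny


def inbound(pkt, rlist, now):
    """'ip access-list extended inboundfilters', top down, first match wins."""
    if pkt.proto in ("bgp", "eigrp"):              # permit bgp any any / permit eigrp any any
        return True
    if pkt.proto == "icmp":                        # deny icmp any any
        return False
    if rlist.evaluate(pkt, now):                   # evaluate tcptraffic
        return True
    return False                                   # implicit deny
```

What the simulation shows: an unsolicited inbound SYN to the same host and port is dropped because no mirror entry exists for it, and a reply that arrives after the idle timeout is dropped too, so long-lived idle sessions need a timeout sized for them.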

(22) ACL - Reverse Path Forwarding

  ip cef distributed
  !
  int eth0/1/1
   ip address 192.168.200.1 255.255.255.0
   ip verify unicast reverse-path 197
  !
  int eth0/1/2
   ip address 192.168.201.1 255.255.255.0
  !
  access-list 197 deny ip 192.168.201.0 0.0.0.63 any log-input
  access-list 197 permit ip 192.168.201.64 0.0.0.63 any log-input
  access-list 197 deny ip 192.168.201.128 0.0.0.63 any log-input
  access-list 197 permit ip 192.168.201.192 0.0.0.63 any log-input
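Added example (not from the original slides): a Python model of the strict unicast RPF check configured above. The forwarding table is constructed to match the slide's addressing; access-list 197 is taken from the slide. A packet passes if the best route back to its source leaves through the arrival interface; when that fails, the ACL decides whether the packet is forwarded anyway (permit) or dropped (deny). The "allow_default" switch models the later IOS "allow-default" keyword: without it a default route does not satisfy the check.

```python
"""Strict unicast RPF as configured by 'ip verify unicast reverse-path <acl>':
a packet is forwarded only if the best route back to its source points out
the interface it arrived on; when the check fails, the optional ACL gets the
final say (permit = forward anyway, deny = drop)."""
import ipaddress

# Constructed forwarding table mirroring the slide's addressing (not from a real router).
FIB = {
    "192.168.200.0/24": "eth0/1/1",
    "192.168.201.0/24": "eth0/1/2",
    "0.0.0.0/0": "eth0/1/1",          # default route out the first interface
}

# access-list 197 from the slide: (action, network, wildcard mask).
ACL_197 = [
    ("deny",   "192.168.201.0",   "0.0.0.63"),
    ("permit", "192.168.201.64",  "0.0.0.63"),
    ("deny",   "192.168.201.128", "0.0.0.63"),
    ("permit", "192.168.201.192", "0.0.0.63"),
]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def acl_action(acl, src):
    """First matching entry wins; no match means the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"


def best_route(fib, src, allow_default=False):
    """Longest-prefix match; the default route only counts if allow_default
    is set (the 'allow-default' keyword in later IOS syntax)."""
    ip = ipaddress.IPv4Address(src)
    matches = []
    for prefix, iface in fib.items():
        net =ipaddress.IPv4Network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net:
            matches.append((net.prefixlen, iface))
    return max(matches)[1] if matches else None


def urpf_verdict(fib, src, ingress, acl=None, allow_default=False):
    """Returns (verdict, reason) for a packet from 'src' arriving on 'ingress'."""
    rpf_if = best_route(fib, src, allow_default)
    if rpf_if == ingress:
        return "forward", "rpf-pass"
    if acl is None:
        return "drop", "rpf-fail"
    if acl_action(acl, src) == "permit":
        return "forward", "rpf-fail-acl-permit"
    return "drop", "rpf-fail-acl-deny"
```

The ACL is only consulted for packets that have already failed the RPF check, which is why the slide attaches "log-input" to every entry: each hit is a spoofed or mis-routed source worth recording, whether the exception forwards it or not.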

(23) ACL - Where ICMP is Needed

ICMP is used to determine the MTU for a TCP connection:
  access-list 110 permit icmp any any packet-too-big

To allow outbound ICMP, use:
  access-list 102 permit icmp any any echo
  access-list 102 permit icmp any any parameter-problem
  access-list 102 permit icmp any any source-quench
  access-list 102 deny icmp any any log

To allow outbound UNIX/Cisco traceroute:

(24) ACL - Turbo

Turbo ACLs were introduced in 12.1.5T for high-end Cisco routers:
- Time taken to match the packet is fixed
- Latency of the packets is smaller and, more importantly, consistent
- Allows better network stability and more accurate transit times
- Processes ACLs more efficiently

  access-list compiled

(25) Limit Traffic To the Router

- Limit traffic that can terminate at the router
  - NTP
  - Telnet
  - SNMP
  - HTTP
  - TFTP
- Only allow traffic to the router that should terminate on the router
- Only allow traffic through the router that is sourced from or destined to known networks

(26) Limit Traffic Through the Router - AKA Anti-Spoofing Rules

Anti-spoofing is used to prevent your router from transmitting data for address patterns that don't make sense!
- Inbound to addresses not within your network
- Inbound from addresses that should be within your network
- Inbound from non-assigned addresses (bogons)
- Outbound from RFC 1918 private addresses
- Outbound from addresses not within your

(27) Anti-spoofing ACL

  ! RFC 1918 private networks
  access-list 100 deny ip 10.0.0.0 0.255.255.255 any
  access-list 100 deny ip 172.16.0.0 0.15.255.255 any
  access-list 100 deny ip 192.168.0.0 0.0.255.255 any
  ! Historical broadcast
  access-list 100 deny ip host 0.0.0.0 any
  ! Loopback (IANA)
  access-list 100 deny ip 127.0.0.0 0.255.255.255 any
  ! Unassigned address space
  access-list 100 deny ip 128.0.0.0 0.255.255.255 any
  ! Link-local (IANA)
  access-list 100 deny ip 169.254.0.0 0.0.255.255 any
  ! (191/8 emergency, yet used)
  access-list 100 deny ip 191.255.0.0 0.0.255.255 any
  ! Net root LV lab (IANA)
  access-list 100 deny ip 192.0.0.0 0.0.0.255 any
  ! Example network (IANA)
  access-list 100 deny ip 192.0.2.0 0.0.0.255 any
  ! ????
  access-list 100 deny ip 223.255.255.0 0.0.0.255 any
  ! Multicast addresses
  access-list 100 deny ip 224.0.0.0 15.255.255.255 any
  ! Reserved Class E
  access-list 100 deny ip 240.0.0.0 15.255.255.255 any
  ! Explicit deny
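Added example (not from the original slides): a Python parser for the extended access-list syntax used above, run over the slide's deny entries with IOS evaluation order (top down, first match wins, implicit deny at the end). The trailing "permit ip any any" is constructed for the demo so that non-bogon sources fall through; a production list would end instead with the explicit deny the slide announces, after permits for the organization's own networks. The wildcard-mask matching is the same bit test a router applies.

```python
"""Parse the slide's anti-spoofing ACL and run source addresses through it
with IOS semantics: top-down, first match wins, implicit deny at the end."""
import ipaddress

# The slide's deny entries (comments dropped). The final permit is constructed
# for this demo so non-bogon sources fall through; a production list would end
# with the explicit deny the slide calls for, after permitting your own networks.
ACL_TEXT = """\
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 128.0.0.0 0.255.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 191.255.0.0 0.0.255.255 any
access-list 100 deny ip 192.0.0.0 0.0.0.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 223.255.255.0 0.0.0.255 any
access-list 100 deny ip 224.0.0.0 15.255.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
"""


def _parse_spec(tok, i):
    """One address spec starting at tok[i]: 'any', 'host A', or 'A wildcard'.
    Returns ((network, wildcard), next index)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acl(text):
    """Extended 'access-list N permit|deny ip SRC DST [log|log-input]' entries."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError("unsupported entry: " + line)
        src, i = _parse_spec(tok, 4)
        dst, i = _parse_spec(tok, i)
        log = i < len(tok) and tok[i] in ("log", "log-input")
        entries.append({"acl": tok[1], "action": tok[2], "src": src, "dst": dst, "log": log})
    return entries


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


def evaluate(entries, src, dst):
    """Return (action, matching entry); (deny, None) is the implicit deny."""
    for e in entries:
        if wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"]):
            return e["action"], e
    return "deny", None


def spoofed(entries, sources, dst="198.51.100.1"):
    """Sources the ACL would drop, in input order."""
    return [s for s in sources if evaluate(entries, s, dst)[0] == "deny"]
```

Running the list without its final permit shows the implicit deny in action: a perfectly ordinary source is dropped with no matching entry, which is what happens to all legitimate traffic if the bogon denies are applied inbound without permits after them.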

(29) Cisco IOS Firewall

- Part of the Cisco Secure product family
- Security-specific option for Cisco IOS software
- Integrates robust firewall functionality and intrusion detection for every network perimeter
- Enriches existing Cisco IOS security capabilities
- Adds greater depth and flexibility to existing Cisco IOS security solutions

(30) Cisco IOS Firewall - Info

Supported hardware: Cisco 1700, 2600, 3600, 7100, 7200, 7500, and RSM

Supported functionality:
- Context-Based Access Control (CBAC)
- Java blocking
- Denial-of-service (DoS) detection and prevention
- Real-time alerts
- Audit trail
- Authentication proxy
- Intrusion detection
- Dynamic port mapping
- Simple Mail Transfer Protocol (SMTP) attack detection and prevention
- Configurable alerts and audit trail
- IP fragmentation attack

(31) Context-Based Access Control

[Figure: LAN on the Ethernet (inside) interface, router running CBAC, serial (outside) interface toward the ISP]

Outside interface: access-list blocking all inbound traffic, to be inspected by CBAC.
Inside interface: access-list allowing all acceptable traffic outbound, including traffic to be inspected.

(32) IOS Firewall Example

  interface Serial0/0
   ip access-group 116 in
   ip inspect myfw in
   ip auth-proxy mywebproxy
  ...
  access-list 116 permit tcp any any eq www
  access-list 116 permit tcp any any eq smtp
  access-list 116 deny ip any any
  ...
  ip inspect name myfw http timeout 3600
  ip inspect name myfw smtp timeout 3600
  ...

(33) Simple Network Management Protocol

SNMPv1
- Ubiquitous support
- Clear-text community strings

SNMPv2c
- Security the same as SNMPv1 - just a feature upgrade
- Hierarchical network management
- Get-bulk and Inform operators added
- New PDU format for traps introduced
- 64-bit counters (32-bit used for SNMPv1)

SNMPv3
- Encrypted user-based authentication and data
- View-Based Access Control Model (VACM)

(34) SNMP Vulnerabilities

CERT/CC SNMP Advisory
- Issued Feb 12th, 2002 (CA-2002-03)
- SNMP implementations lack boundary checking and error handling, which leads to buffer overflows
- Bounce attacks
- Known exploits exist and are publicized
- DoS attacks for routers, wireless APs, Windows, and printers
- Apply vendor patches promptly after testing

(35) Securing SNMP

Set up an SNMP community with an access-list:
  no snmp-server community public
  no snmp-server community private
  access-list 1 permit 1.1.1.1
  snmp-server community hard2guess ro 1
  snmp-server enable traps snmp authentication

Set up SNMP informs:
  snmp-server enable traps
  snmp-server host 1.1.1.1 informs version 2c public

Set up an SNMP view:
- The snmp-server view command can restrict a user to limited Management Information Base (MIB) information.
  snmp-server view MyView ifEntry.*.1 included

(36) Securing SNMP (cont.)

Set up SNMP version 3. Example:
  snmp-server user user1 grp1 v3
  snmp-server user user2 grp2 v3
  snmp-server user user3 grp3 v3 auth md5 pass3
  snmp-server user user4 grp4 v3 auth md5 pass4 priv des56 user4priv
  snmp-server group grp1 v3 noauth
  snmp-server group grp2 v3 noauth read myview
  snmp-server group grp3 v3 auth
  snmp-server group grp4 v3 priv
  snmp-server view myview mib-2 included
  snmp-server view myview cisco excluded

(37) Access

Before deciding how to control router access, ask these questions:
- Who needs access?
- When do they need access?
- From where do they need access?
- During what time schedule do they need access?

(38) Basic Authentication

Basic authentication stores passwords as clear text. Use:
  service password-encryption
- Encrypts passwords using a Vigenère cipher
- Can be cracked relatively easily
- Does not encrypt SNMP community strings

  no enable password

Use:
  enable secret <password>

(39) Line Authentication (VTY, CON, AUX)

- Use an access list to control VTY access:
  access-list 1 permit host 10.1.1.2
  line vty 0 4
   password 7 12552D23830F94
   exec-timeout 5 0
   access-class 1 in
   login
   transport input telnet ssh
- Control CON access:
  line con 0
   password 7 12552D23830F94
   exec-timeout 5 0
   login
- Control AUX access:
  line aux 0
   no exec
   exec-timeout 0 0
   no login
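Added example (not from the original slides): a Python audit of a running-config against the hardening items from the "Services", "Interface Hardening", "Basic Authentication" and line-access slides. It flags missing "no ..." services, interfaces without the per-interface protections, reversible type 0/7 passwords (the Vigenère-based "service password-encryption" form) where a type 5 "enable secret" should be used, default SNMP communities, and VTY lines without an access-class, with no exec-timeout or with telnet enabled. The sample config is constructed for the demo and deliberately contains those weaknesses; the hash after "enable secret 5" is a placeholder.

```python
"""Audit an IOS running-config against the hardening items on these slides:
global services, per-interface settings, password storage and line access."""
import re

# Constructed sample config (not from any real device), left with several of
# the weaknesses the slides warn about. The enable secret hash is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 <hash-placeholder>
enable password cisco
username joe password 7 28538539654412
no ip source-route
ip http server
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
!
snmp-server community public RO
snmp-server community hard2guess RO 1
!
line aux 0
 no exec
 exec-timeout 0 0
 no login
line vty 0 4
 password 7 12552D23830F94
 exec-timeout 0 0
 login
 transport input telnet
"""

GLOBAL_REQUIRED = ["service password-encryption", "no ip source-route", "no cdp run"]
GLOBAL_FORBIDDEN = ["ip http server", "service tcp-small-servers", "service udp-small-servers",
                    "ip finger", "service finger", "ip bootp server", "enable password"]
INTERFACE_REQUIRED = ["no ip redirects", "no ip unreachables", "no ip directed-broadcast", "no ip proxy-arp"]
REVERSIBLE_PW = re.compile(r"\bpassword (0|7) ")   # type 0 = clear, type 7 = reversible


def split_blocks(config):
    """Separate top-level lines from 'interface'/'line' blocks (indented lines)."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    globals_, blocks = split_blocks(config)
    for req in GLOBAL_REQUIRED:
        if req not in globals_:
            findings.append(f"global: missing '{req}'")
    if not any(l.startswith("enable secret") for l in globals_):
        findings.append("global: no 'enable secret' configured")
    for line in globals_:
        if any(line == f or line.startswith(f + " ") for f in GLOBAL_FORBIDDEN):
            findings.append(f"global: remove '{line}'")
        if REVERSIBLE_PW.search(line):
            findings.append(f"password: reversible type 0/7 in '{line}'")
        if line.startswith("snmp-server community "):
            tok = line.split()
            if tok[2] in ("public", "private"):
                findings.append(f"snmp: default community '{tok[2]}'")
            elif len(tok) < 5:
                findings.append(f"snmp: community '{tok[2]}' not restricted by an ACL")
    for name, body in blocks.items():
        if name.startswith("interface") and any(l.startswith("ip address") for l in body):
            missing = [r for r in INTERFACE_REQUIRED if r not in body]
            if missing:
                findings.append(f"{name}: missing {', '.join(missing)}")
        if name.startswith("line"):
            if any(REVERSIBLE_PW.search(l) for l in body):
                findings.append(f"{name}: reversible type 0/7 password")
            if "exec-timeout 0 0" in body and "no exec" not in body:
                findings.append(f"{name}: exec-timeout disabled")
        if name.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"{name}: no access-class restricting sources")
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                findings.append(f"{name}: telnet permitted, prefer ssh")
        if name.startswith("line aux") and "no exec" not in body:
            findings.append(f"{name}: aux port still has exec enabled")
    return findings
```

Call audit() on the text of "show running-config"; the checks are string matches on the lines IOS emits, so a service that is off by default and therefore absent from the output (small-servers on 12.x, for instance) is reported only when it has been turned on.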

(40) Secure Shell (SSH)

- SSH is recommended over Telnet
  crypto key generate rsa
  . . . [2048] . . .
  ip ssh time-out 300
  ip ssh authentication-retries 2
  aaa new-model
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  username joe password 7 28538539654412
  line vty 0 4
   transport input none
   transport input ssh

(41) AAA

Secure user logins with AAA on all ports, virtual and physical:
- Local AAA (username)
- RADIUS (Steel Belted Radius)
- TACACS+ (Cisco Secure ACS)

Use privilege levels to control granular access to

(42) AAA Example for TACACS/RADIUS

- Secure user logins with AAA on all ports, virtual and physical
  aaa new-model
  aaa authentication login default group tacacs+|radius local
  aaa authorization exec default group tacacs+|radius local
  username backup privilege 7 password 0 backup
  tacacs-server host 171.68.118.101
  tacacs-server key cisco
  radius-server host 171.68.118.101
  radius-server key cisco
  privilege configure level 7 snmp-server host
  privilege configure level 7 snmp-server enable
  privilege configure level 7 snmp-server
  privilege exec level 7 ping

(43) HTTP Service

- There have been known vulnerabilities (buffer overflows) in the HTTP service
- Don't turn HTTP services on unless absolutely needed
- Maybe desirable for some new switch hardware
- If used, secure the access with an ACL
  no ip http server
  ip http access-class ACL#
  ip http authentication {aaa|enable|local|tacacs}
  ip http port Number

(44) Routing Protocol Vulnerabilities

- Routing protocols deal with re-routing around physical failures and are not robust enough to protect against attackers
- Intended for friendly environments
- Routers advertise themselves by chatting on the network
- Routers show themselves: updates, CDP, HSRP, VRRP
- Types of attacks:
  - Routing disruption attacks
    - Dynamic routing protocols can be exploited
    - Traffic could then be re-routed (transitive community modification)
    - Routing loop, black-hole, gray-hole, detour, asymmetry, partition
  - Resource consumption/saturation attacks

(45) BGP-4 Vulnerabilities

- BGP-4 peers share updates between them
  - Assumption is made that the peer has authority to send the update and has a correct AS-path
  - Possible to advertise prefix/AS/path maliciously
- BGP-4 peers must be explicitly configured
  - This limits the threat of a rogue router
  - Masquerading can still be possible
- Private peering policies are secret
- No authorization for advertisements
- BGP intruders
  - Subverted BGP speakers, unauthorized BGP speakers, masquerading BGP speakers, subverted links
  - Re-direct traffic for man-in-the-middle attacks or impersonation
- One must rely on the filters and routing policy to check what a peer is sending

(46) Routing Protocol Security

- Use distribute-lists to control routing updates
- Use static routes when security is important and connectivity is needed
  - Internet
  - Business partners
- Consider placing interfaces in passive mode
  passive-interface FastEthernet0/0

(47) Authentication for Dynamic Routing Protocol Updates

- Don't just route by rumor!
- Make sure you know with whom you are exchanging routes!
- Use authentication mechanisms for RIPv2, OSPF, EIGRP and BGP
- Pre-shared-secret keys still have issues
  - Plain-text keys can still be sniffed
  - Use service password-encryption
  - Departed employees
- Use encrypted (MD5) passwords whenever possible
- Don't hold your breath for PKI/digital certificates

(48) MD5 for RIPv2

Configuration example:
  key chain rabbitsfoot
   key 1
    key-string RIPpasswd
  interface Loopback0
   ip address 70.70.70.70 255.255.255.255
  interface Serial0
   ip address 142.106.0.10 255.255.255.252
   ip rip authentication mode md5
   ip rip authentication key-chain rabbitsfoot

(49) MD5 for OSPF

The following are the commands used for message digest authentication:
  ip ospf message-digest-key keyid md5 key
  area area-id authentication message-digest

Configuration example:
  interface Ethernet0
   ip address 10.10.10.10 255.255.255.0
   ip ospf message-digest-key 1 md5 5 mypassword
  router ospf 10
   network 10.10.0.0 0.0.255.255 area 0
   area 0 authentication message-digest
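Added example (not from the original slides): a Python model of what "message-digest" authentication actually does on the wire for OSPF (RFC 2328, Appendix D), which also serves as the illustration for the RIPv2 and EIGRP MD5 slides since they use the same keyed-digest idea. The shared key never travels in the packet; the sender appends MD5(packet || key) and the receiver recomputes it with the key selected by key ID, and a cryptographic sequence number rejects replayed packets. The packet layout is simplified (key ID, digest length, sequence number, body) and the values are constructed; only the authentication mechanics are as the RFC describes.

```python
"""Simplified model of OSPF cryptographic authentication (RFC 2328, App. D):
keyed MD5 over the packet plus the zero-padded shared key, with a
cryptographic sequence number to reject replays. Packet layout simplified."""
import hashlib
import hmac
import struct

KEY_LEN = 16   # OSPF MD5 keys are 16 octets; shorter configured keys are zero-padded


def pad_key(key):
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def build_packet(key_id, seq, body):
    """Authentication header (key id, digest length, sequence number) + body.
    The secret itself is never placed in the packet."""
    return struct.pack("!BBI", key_id, KEY_LEN, seq) + body


def sign(packet, key):
    """Sender side: digest = MD5(packet || padded key), appended to the packet."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(signed, keys, last_seq, neighbor):
    """Receiver side. keys maps key id -> secret; last_seq records the newest
    sequence number accepted per neighbor. Returns (ok, reason)."""
    if len(signed) < 6 + KEY_LEN:
        return False, "too short"
    packet, digest = signed[:-KEY_LEN], signed[-KEY_LEN:]
    key_id, auth_len, seq = struct.unpack("!BBI", packet[:6])
    key = keys.get(key_id)
    if key is None or auth_len != KEY_LEN:
        return False, "unknown key id"
    expected = hashlib.md5(packet + pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "bad digest"          # wrong key or modified packet
    # RFC 2328 accepts a sequence number >= the last one seen, so a packet
    # replayed within the same sequence value still passes; older ones do not.
    if seq < last_seq.get(neighbor, 0):
        return False, "replay"
    last_seq[neighbor] = seq
    return True, "ok"


if __name__ == "__main__":
    keys = {1: b"mypassword"}           # key id 1 as on the slide; key constructed
    seen = {}
    hello = sign(build_packet(1, 100, b"HELLO from 10.10.10.11"), b"mypassword")
    print(verify(hello, keys, seen, "10.10.10.11"))
    print(verify(hello[:-1] + b"\x00", keys, seen, "10.10.10.11"))
```

Two things the model makes concrete for the "pre-shared keys still have issues" point: anyone who learns the key can produce valid digests (so the key must be rotated when staff leave, and "service password-encryption" only obscures it in the config), and MD5 here is a keyed digest, not encryption, so the routing update itself is still readable on the wire.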

(50) MD5 for EIGRP

Configuration example:
  interface FastEthernet0/0
   ip address 10.1.1.1 255.255.255.0
   ip authentication mode eigrp 1 md5
   ip authentication key-chain eigrp 1 holly
  key chain holly
   key 1
    key-string 123456
    accept-lifetime infinite
  router eigrp 1

(51) MD5 for BGP

Configuration example. The following example specifies that the router and its BGP peer at 145.2.2.2 invoke MD5 authentication on the TCP connection between them:
  router bgp 109
   neighbor 145.2.2.2 password mypasswd

- Enable route dampening to minimize instability due to route flapping (RFC 2439):
  router bgp 109
   bgp dampening
  show ip bgp flap-statistics

- BGP filtering
  - Filter for bogons
  - Use communities

(52) HSRP Vulnerabilities

- HSRP vulnerabilities are publicized
- Authentication string is in clear text
- Code has been written to spoof HSRP packets
- Attacker sends "coup" and pre-empts other HSRP routers to assume the "active" role
- Used for DoS or man-in-the-middle attack
- Mitigation through configuration and use of IPSec
  - Set the standby priority to 255 on your routers
  - Use IP addresses X.X.X.254, .253 for the legitimate router

(53) Layer 2 - Start Things Out Right

- Plan with security in mind
- Good designs simplify security
  - KIS principle - Keep It Simple
- Isolate default VLANs from trunks
  - VLAN1 - the dead VLAN

(54) Layer 2 - Vulnerabilities?

VLAN hopping
- Modify tags on a trunked port

How to make a switch act like a hub
- Flood a switch with random MAC addresses
- Forces the switch to flood all packets to all ports

Network sniffing with a switch port
- Requires an ARP spoofing tool with bridging software
- Send continuous ARP replies to the client on the part of the server, convincing the client that the interceptor is the server
- Bridges traffic between client and server to ensure

(55) Layer 2 - Basic Prevention

- Management VLAN
  - Change the default to a randomly selected VLAN that is the same across all switches
  - Do not place users on the management VLAN
- Explicitly configure ports
  set port host <mod/port>
  - Turn trunking off / turn portfast on
- Enable port-level security
- Disable unused ports
  set port disable <mod/port>
- Turn on BPDU Guard

(56) Layer 2 - More Advanced Prevention

VTP - VLAN Trunking Protocol
- AKA the Cisco Layer 2 hacker's favorite DoS tool!
- Intended to maintain VLAN consistency
- Risky to use under normal conditions
- Set all switches to VTP transparent mode

DTP - Dynamic Trunking Protocol
- The question: to trunk or not to trunk
- Can be manipulated to access all VLANs without the

(57) Non-Cisco Security Tools

- Nmap - port scanning & fingerprinting
- Ndiff - compares nmap output for diffs
- Netcat - opening sockets & port scanning
- Nessus - vulnerability scanner
- Ncat - evaluates configs against the

(58) References

- Secure IOS Template, Rob Thomas: http://www.cymru.com/Documents/secure-ios-template.html
- Router Security Configuration Guide, NSA: http://svcaacs.conxion.com/cisco/
- Increasing Security on IP Networks, Cisco: http://www.cisco.com/univercd/cc/td/doc/cisintwk/idg4/nd2016.pdf
- Improving Security on Cisco Routers