8 steps to protect your Cisco router



Similar documents
- Basic Router Security -

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

Security Audit CHAPTER21. Perform Security Audit

How To Secure Network Threads, Network Security, And The Universal Security Model

Network Security Knowledge is Everything! Network Operations

Center for Internet Security Gold Standard Benchmark for Cisco IOS

Internet Infrastructure Security Technology Details. Merike Kaeo

Cisco IOS Switch Security Configuration Guide

Linux Network Security

Hardening Network Devices. PacNOG15 Network Security Workshop

Configuring the MNLB Forwarding Agent

This chapter will focus on using routers and switches to increase the security of

Virtual Fragmentation Reassembly

Securing Cisco Network Devices (SND)

ICND IOS CLI Study Guide (CCENT)

Security and Access Control Lists (ACLs)

Firewall Authentication Proxy for FTP and Telnet Sessions

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

General Network Security

Leased Line PPP Connections Between IOS and HP Routers

Cisco Secure PIX Firewall with Two Routers Configuration Example

Output Interpreter. SHOW RUNNING-CONFIG SECURITY Analysis SHOW RUNNING-CONFIG - FW Analysis. Back to top

Introduction to Cisco router configuration

Implementing Secure Converged Wide Area Networks (ISCW)

CSCE 465 Computer & Network Security

co Characterizing and Tracing Packet Floods Using Cisco R

Lab Configure Basic AP Security through IOS CLI

CCNA Security. Chapter Two Securing Network Devices Cisco Learning Institute.

Terminal Server Configuration and Reference Errata

LAB II: Securing The Data Path and Routing Infrastructure

Firewall Firewall August, 2003

Network Security -- Defense Against the DoS/DDoS Attacks on Cisco Routers

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Adding an Extended Access List

Looking for Trouble: ICMP and IP Statistics to Watch

Configuring WCCP v2 with Websense Content Gateway the Web proxy for Web Security Gateway

FIREWALLS & CBAC. philip.heimer@hh.se

Securing Networks with PIX and ASA

Cisco IOS Firewall. Executive Summary

Lab Configure IOS Firewall IDS

Configuring the Cisco Secure PIX Firewall with a Single Intern

Cisco Configuring Commonly Used IP ACLs

Cisco ASA Configuration Guidance

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

CCNA Access List Sim

Introduction of Intrusion Detection Systems

Enabling Remote Access to the ACE

Apple Airport Extreme Base Station V4.0.8 Firmware: Version 5.4

Client Server Registration Protocol

Chapter 4: Lab A: Configuring CBAC and Zone-Based Firewalls

Lab Developing ACLs to Implement Firewall Rule Sets

School of Information Technology and Engineering (SITE) CEG 4395: Computer Network Management. Lab 4: Remote Monitoring (RMON) Operations

Troubleshooting IP Access Lists

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Firewalls, Tunnels, and Network Intrusion Detection

Basics of Internet Security

Task 20.1: Configure ASBR1 Serial 0/2 to prevent DoS attacks to ASBR1 from SP1.

Table of Contents. Configuring IP Access Lists

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewall Stateful Inspection of ICMP

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Secure Software Programming and Vulnerability Analysis

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Remote Access VPN Business Scenarios

Basics of Computer Networks Security

Tim Bovles WILEY. Wiley Publishing, Inc.

Controlling Access to a Virtual Terminal Line

Intrusion Detection Systems (IDS)

This Lecture. The Internet and Sockets. The Start If everyone just sends a small packet of data, they can all use the line at the same.

WiNG 5.X How To. Policy Based Routing Cache Redirection. Part No. TME Rev. A

Cisco Configuring Secure Shell (SSH) on Cisco IOS Router

DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE

BROCADE IRONSHIELD BEST PRACTICES: HARDENING Brocade ROUTERS & SWITCHES

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

One-Step Lockdown with Cisco SDM

PIX/ASA 7.x with Syslog Configuration Example

Troubleshooting the Firewall Services Module

CTS2134 Introduction to Networking. Module Network Security

Lab Configure Intrusion Prevention on the PIX Security Appliance

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Topics in Network Security

Security forefront network management implementation security challenge balance need to open networks need to protect informati informati n

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Strategies to Protect Against Distributed Denial of Service (DD

The 60 Minute Network Security Guide (First Steps Towards a Secure Network Environment)

A Model Design of Network Security for Private and Public Data Transmission

Network Security Administrator

Implementing Cisco IOS Network Security

C H A P T E R Management Cisco SAFE Reference Guide OL

Lab Configure Cisco IOS Firewall CBAC on a Cisco Router

Increasing Security on IP Networks

OLD DOMINION UNIVERSITY Firewall Best Practices (last updated: )

CISCO IOS NETWORK SECURITY (IINS)

Lab Configure Cisco IOS Firewall CBAC

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

Chapter 11 Cloud Application Development

Configuring a Backup Path Test Using Network Monitoring

Transcription:

8 steps to protect your Cisco router Daniel B. Cid daniel@underlinux.com.br Network security is a completely changing area; new devices like IDS (Intrusion Detection systems), IPS (Intrusion Prevention systems), and Honeypots are modifying the way people think about security. Companies are spending thousand of dollars on new security devices, but forgetting the basic, the first line of defense: the border router. Although a lot of people may think that routers don t need to be protect, they are completely wrong. A lot of secure problems appear all time against this kind of device and most of them are vulnerable. Some information about some common security problems found on Cisco Routers, can be read on the text Exploiting Cisco Routers, available at: http://www.securityfocus.com/infocus/1734 In this article I will give you 8 steps, easy to follow, to minimize your Cisco router exposure by turning off some unused services, applying some access control and applying some security options available on that. 1- Control Access to your router; 2- Restrict telnet access to it; 3- Block Spoof/Malicious packets; 4- Restrict SNMP; 5- Encrypt all passwords; 6- Disable all unused services; 7- Add some security options; 8- Log everything; 1- Control Access to your router The first thing to do is apply some rules to restrict all external access to some ports of the router. You can block all ports, but it is not always necessary. These commands bellow will protect your router against some reconnaissance attacks and, obviously, will restrict access to these ports: access-list 110 deny tcp any host $yourrouterip eq 7 access-list 110 deny tcp any host $yourrouterip eq 9 access-list 110 deny tcp any host $yourrouterip eq 13

access-list 110 deny tcp any host $yourrouterip eq 19 access-list 110 deny tcp any host $yourrouterip eq 23 access-list 110 deny tcp any host $yourrouterip eq 79 int x0/0 access-group in 110 Where $yourrouterip is your router IP and x0/0 is your external interface. We Will always use this convention in this article. 2- Restrict telnet access to it Telnet is not a very safe protocol to use, but if you really need to use it (you should always use ssh) you might want to restrict all access to it (remember that all your traffic will be unencrypted). The best way to accomplish that is using a standard access-list and the access-class command. access-list 50 permit 192.168.1.1 access-list 50 deny any log line vty 0 4 access-class 50 in exec-timeout 5 0 Where 192.168.1.1 is the IP address allowed to telnet the router 3- Block Spoof/Malicious packets You must never allow loopback/reserved IP address from the Internet reach your external interface and you can reject broadcast and multicast addresses too. access-list 111 deny ip 127.0.0.0 0.255.255.255 any access-list 111 deny ip 192.168.0.0 0.0.0.255 any access-list 111 deny ip 172.16.0.0 0.0.255.255 any access-list 111 deny ip 10.0.0.0 0.255.255.255 any access-list 111 deny ip host 0.0.0.0 any access-list 111 deny ip 224.0.0.0 31.255.255.255 any access-list 111 deny icmp any any redirect int x0/0 access-group in 111 4- Restrict SNMP

SNMP must always be restrict, unless you want some malicious person getting a lot of information from your network access-list 112 deny udp any any eq snmp access-list 112 permit ip any any interface x0/0 access-group 112 in And if you are not going to use SNMP at all, disable it: no snmp-server 5- Encrypt all passwords A very important thing to do is protect all your passwords using the powerful algorithm as possible. The password from exec mode, that grants privileged access to the IOS system, Can be set using a MD5 hash, which is the strongest option available on the Cisco IOS. enable secret $yourpassword All other passwords, you can encrypt using the Vigenere cipher that is not Very strong, but can help. To do that, you can use the service password-encryption Command that encrypts all passwords present in you system. service password-encryption 6- Disable all unused services 6.1 - Disable Echo, Chargen and discard no service tcp-small-servers no service udp-small-servers 6.2 - Disable finger no service finger 6.3 - Disable the httpd interface

no ip http server 6.4 - Disable ntp (if you are not using it) ntp disable 7- Add some security options 7.1 - Disable source routing no ip source-route 7.2 - Disable Proxy Arp no ip proxy-arp 7.3 - Disable ICMP redirects interface s0/0 (your external interface) no ip redirects 7.4 - Disable Multicast route Caching interface s0/0 (your external interface) no ip mroute-cache 6.5 - Disable CDP no cdp run 6.6 - Disable direct broadcast (protect against Smurf attacks) no ip directed-broadcast 8- Log everything To finish, you must log everything on an outside Log Server. You must everything from all your systems and always analyze the logs. logging trap debugging logging 192.168.1.10

where 192.168.1.10 is the ip of your log server (configured as a Syslog server) Conclusion With these simple steps you can add a lot of security to your router, protecting it against a lot of possible attacks, increasing your network security. Only as an example, you can see the nmap result before and after applying these options: Before: bash-2.05b# nmap -O 192.168.1.1 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Interesting ports on (192.168.1.1): Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 23/tcp open telnet 79/tcp open finger 80/tcp open http Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3-12.0(11) After: bash-2.05b# nmap -P0 -O 192.168.1.1 Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1601 scanned ports on (192.168.1.1) are: filtered Too many fingerprints match this host for me to give an accurate OS guess Nmap run completed -- 1 IP address (1 host up) scanned in 403 seconds

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information