NSA Cisco Router Security Configuration Guide
2014-02-05
  
NSA/SNAC Router Security Configuration Guide Executive Summary Card

Executive Summary

This card is a supplement to the NSA/SNAC Router Security Configuration Guide version 1.0j. It describes quick but effective ways to tighten the security of a Cisco router, along with some important general principles for maintaining good router security. For more information, consult the sections of the main guide listed with each recommendation.

General Recommendations

1. Create and maintain a router security policy. The policy should identify who is allowed to log in to the router and who is allowed to configure and update it, and should outline the logging and management practices for it. [Section 3.4]

2. Comment and organize the offline edition of the router configuration file! This sounds fluffy, but it is a big security win. Also, keep the offline copy of all router configurations in sync with the actual configuration running on the routers. This is invaluable for diagnosing suspected attacks and recovering from them. [Section 4.1]

3. Implement access list filters by permitting only those protocols and services that the network users really need, and denying everything else. [Sections 3.2, 4.3]

4. Run the latest available General Deployment (GD) IOS version. [Sections 4.5.5, 8.3]

5. Test the security of your routers regularly, especially after any major configuration changes. [Section 6]

Specific Recommendations: Router Access

1. Shut down unneeded servers on the router. Servers that are not running cannot break. Also, more memory and processor slots are available. Start by running the show proc command on the router, then turn off clearly unneeded facilities and services. Some servers that should almost always be turned off, and the corresponding commands to disable them, are listed below. [Sections 4.2, 4.5.3]

    ! Small services (echo, discard, chargen, etc.)
    no service tcp-small-servers
    no service udp-small-servers
    ! BOOTP
    no ip bootp server
    ! Finger
    no service finger
    ! HTTP
    no ip http server
    ! SNMP
    no snmp-server

2. Shut down unneeded services on the routers. These services allow certain packets to pass through the router, or send special packets, or are used for remote router configuration. Some services that should almost always be turned off, and the corresponding commands to disable them, are listed below. [Sections 4.1, 4.2]

    ! CDP
    no cdp run
    ! Remote config.
    no service config
    ! Source routing
    no ip source-route
    ! Classless routing
    no ip classless

3. The interfaces on the router can be made more secure by using certain commands in the Configure Interface mode. These commands should be applied to every interface. [Sections 4.1, 4.2]

    ! Unused interfaces
    shutdown
    ! No Smurf attacks
    no ip directed-broadcast
    ! Ad-hoc routing
    no ip proxy-arp

4. The console line, the auxiliary line and the virtual terminal lines on the router can be made more secure in the Configure Line mode. The console line and the virtual terminal lines should be secured as shown below. The Aux line should be disabled, as shown below, if it is not being used. [Section 4.1]

    ! Console line
    line con 0
     exec-timeout 5 0
     login
     transport input telnet
    ! Auxiliary line
    line aux 0
     no exec
     exec-timeout 0 10
     transport input none
    ! VTY lines
    line vty 0 4
     exec-timeout 5 0
     login
     transport input telnet

5. Passwords can be configured more securely as well. Configure the Enable Secret password, which is protected with an MD5-based algorithm. Also, configure passwords for the console line, the auxiliary line and the virtual terminal lines. Provide basic protection for the passwords on these lines by using the service password-encryption command. See the examples below. [Section 4.1]

    ! Enable secret
    enable secret 0 2manyRt3s
    ! Console line
    line con 0
     password Soda-4-jimmY
    ! Auxiliary line
    line aux 0
     password Popcorn-4-sara
    ! VTY lines
    line vty 0 4
     password Dots-4-georg3
    ! Basic protection
    service password-encryption

6. Do not disclose the contents of your router configuration file to unauthorized individuals.

Specific Recommendations: Access Lists

1. Always start an access-list definition with the privileged command no access-list nnn to clear out any previous versions of access list nnn. [Section 4.3]

    East(config)# no access-list 51
    East(config)# access-list 51 permit host 14.2.9.6
    East(config)# access-list 51 deny any log

2. Log access list port messages properly. For reasons of efficiency, Cisco IOS doesn't look at an entire packet header unless it has to. To ensure that logs contain correct port number information, use the special port range arguments shown below.

    no access-list 106
    access-list 106 deny udp any range 1 65535 any range 1 65535 log
    access-list 106 deny tcp any range 1 65535 any range 1 65535 log
    access-list 106 deny ip any any log

   The last line is necessary to ensure that rejected packets of protocols other than TCP and UDP are properly logged. [Section 4.3]

3. Allow only internal addresses to enter the router from the internal interfaces; enforce this using access lists. Block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router to attack other sites, this helps identify poorly configured internal hosts and networks. This approach may not be feasible for very complicated networks. [Section 4.3]

    East(config)# no access-list 101
    East(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 any
    East(config)# access-list 101 deny udp any range 1 65535 any log
    East(config)# access-list 101 deny tcp any range 1 65535 any log
    East(config)# access-list 101 deny ip any any log
    East(config)# interface eth1
    East(config-if)# ip access-group 101 in
    East(config-if)# exit
    East(config)# interface eth0
    East(config-if)# ip access-group 101 out

Version 1.0c UNCLASSIFIED i



4. Block packets coming from the outside (untrusted network) that are obviously fake or are commonly used for attacks. This protection should be part of the overall design for traffic filtering at the router interface attached to the external, untrusted network. [Section 4.3; see also RFC 1918]

5. Block packets that claim to have a source address of any internal (trusted) networks. This impedes some TCP sequence number guessing attacks and related attacks. Incorporate this protection into the access lists applied to interfaces connected to any untrusted networks. [Section 4.3]

6. Block incoming loopback packets (network 127.0.0.0). These packets cannot be real. Block reserved IP addresses (network 10.0.0.0, 172.16.0.0 - 172.31.0.0, 192.168.0.0). [Section 4.3 and RFC 1918]

7. If the network does not need IP multicast, then block multicast packets.

8. Block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services should not be used on external interfaces.)

9. A number of remote attacks use ICMP redirects; block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.)

The example below shows one way to implement these recommendations.

    North(config)# no access-list 107
    North(config)# ! block internal addresses
    North(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any log
    North(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any log
    North(config)# ! block loopback/reserved addresses
    North(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
    North(config)# access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
    North(config)# access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
    North(config)# access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
    North(config)# ! block multicast (if not used)
    North(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any
    North(config)# ! block broadcast
    North(config)# access-list 107 deny ip host 0.0.0.0 any log
    North(config)# ! block ICMP redirects
    North(config)# access-list 107 deny icmp any any redirect log
    North(config)# interface eth0/0
    North(config-if)# ip access-group 107 in
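To make the wildcard arithmetic behind access-list 107 concrete, here is an added Python model (not part of the card) that evaluates a source address against the list's entries the way IOS does, first match wins, falling through to the implicit deny. It also converts each contiguous wildcard to CIDR, which shows that 0.15.255.255 on 172.16.0.0 covers exactly 172.16.0.0 through 172.31.255.255. The address 198.51.100.7 is a constructed external source.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed model of the card's ACL 107 (source-address entries only; the
# ICMP redirect entry keys on a message type and is left out of this model).
ACL_107 = [
    ("deny", "14.2.0.0", "0.0.255.255"),      # internal addresses
    ("deny", "14.1.0.0", "0.0.255.255"),
    ("deny", "127.0.0.0", "0.255.255.255"),   # loopback
    ("deny", "10.0.0.0", "0.255.255.255"),    # RFC 1918
    ("deny", "172.16.0.0", "0.15.255.255"),
    ("deny", "192.168.0.0", "0.0.255.255"),
    ("deny", "224.0.0.0", "15.255.255.255"),  # multicast
    ("deny", "0.0.0.0", "0.0.0.0"),           # 'host 0.0.0.0' == wildcard 0.0.0.0
]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def wildcard_to_cidr(base: str, wildcard: str) -> Optional[str]:
    """Translate a wildcard to CIDR when its 1 bits form one contiguous low-order
    run; IOS also accepts discontiguous wildcards, for which None is returned."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # w + 1 is a power of two only for a contiguous run of 1s
        return None
    prefixlen = 32 - w.bit_length()
    return str(ipaddress.IPv4Network((base, prefixlen), strict=False))


def acl_action(rules, src: str) -> Tuple[str, Optional[int]]:
    """First matching entry wins. No match falls through to the implicit
    'deny any' that IOS appends to every ACL, reported here with index None."""
    for index, (action, base, wildcard) in enumerate(rules):
        if wildcard_match(src, base, wildcard):
            return action, index
    return "deny", None


if __name__ == "__main__":
    for src in ("172.20.1.1", "172.32.0.1", "239.255.255.250", "198.51.100.7"):
        print(src, acl_action(ACL_107, src), wildcard_to_cidr(src, "0.0.0.0"))
```

Because the fragment above contains only deny entries, a source that matches none of them (such as 198.51.100.7) is still dropped by the implicit deny, so the permits for wanted inbound traffic have to be appended before the list is applied to eth0/0.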

10. Block incoming packets that claim to have the same destination and source address (i.e. a 'Land' attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below. [Section 4.3]

    no access-list 102
    access-list 102 deny ip host 10.2.6.250 host 10.2.6.250 log
    access-list 102 permit ip any any
    interface Eth0/0
     ip address 10.2.6.250 255.255.255.0
     ip access-group 102 in

11. Configure an access list for the virtual terminal lines to control telnet access. See the example commands below. [Sections 4.1, 4.6]

    South(config)# line vty 0 4
    South(config-line)# access-class 92 in
    South(config-line)# exit
    South(config)# no access-list 92
    South(config)# access-list 92 permit 10.1.1.1
    South(config)# access-list 92 permit 10.1.1.2

Specific Recommendations: Logging & Debugging

1. Turn on the router's logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks. See the example commands below. [Section 4.5]

    Central(config)# logging on
    Central(config)# logging 14.2.9.1
    Central(config)# logging buffered
    Central(config)# logging console critical
    Central(config)# logging trap debugging
    Central(config)# logging facility local1

2. Configure the router to include time information in the logging. Point to two different NTP servers to ensure availability of good time information. This will allow an administrator to trace network attacks more accurately. See the example commands below. [Sections 4.2, 4.5]

    service timestamps log datetime localtime show-timezone
    clock timezone EST -5
    clock summer-time EDT recurring
    ntp source Ethernet0/1
    ntp server 192.5.41.40
    ntp server 192.5.41.41

3. If you are using SNMP, then select and configure hard-to-guess SNMP community strings. The example commands below show how to remove the default community strings and set a better read-only community string. [Section 4.5]

    East(config)# no snmp-server community public
    East(config)# no snmp-server community private
    East(config)# snmp-server community BTR-l8+never

Security Checklist

This security checklist is designed to help you review your router security configuration, and to remind you of any security area you might have missed.

  [ ] Router security policy written, approved, distributed.
  [ ] Router IOS version checked and up to date.
  [ ] Router configuration kept off-line, backed up, access to it limited.
  [ ] Router configuration is well-documented, commented.
  [ ] Router users and passwords configured and maintained.
  [ ] Enable password difficult to guess, knowledge of it strictly limited. (If not, change the password immediately.)
  [ ] Access restrictions imposed on Console, Aux, VTYs.
  [ ] Unneeded network services disabled.
  [ ] Necessary network services configured correctly (e.g. DNS).
  [ ] Unused interfaces and VTYs shut down or disabled.
  [ ] Risky interface services disabled.
  [ ] Port and protocol needs of the network identified and checked.
  [ ] Access lists limit traffic to identified ports and protocols.
  [ ] Access lists block reserved and inappropriate addresses.
  [ ] Static routes configured where necessary.
  [ ] Routing protocols configured to use integrity mechanisms.
  [ ] Logging enabled and log recipient hosts identified and configured.
  [ ] Router's time of day set accurately, maintained with NTP.
  [ ] Logging set to include time information.
  [ ] Logs checked, reviewed, archived in accordance with local policy.
  [ ] SNMP disabled or enabled with hard-to-guess community strings.
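As an added example that is not part of the card, the following Python script checks an offline copy of a router configuration (General Recommendation 2) against several of the Router Access and Logging recommendations and checklist items above. The configuration text is constructed for the example and the enable secret value is a placeholder, not a real hash.

```python
import re

# Constructed offline running-config excerpt, not from the card; the enable
# secret value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 PLACEHOLDER-NOT-A-REAL-HASH
no ip http server
no cdp run
snmp-server community public RO
logging 14.2.9.1
ntp server 192.5.41.40
line vty 0 4
 transport input telnet
"""

# Lines the card asks for. IOS omits default settings from the saved config, so
# a missing 'no ...' line is flagged even where the default already disables it.
CHECKS = [  # (finding label, regex matched against one config line, must exist?)
    ("service password-encryption", r"^service password-encryption$", True),
    ("enable secret", r"^enable secret ", True),
    ("no ip http server", r"^no ip http server$", True),
    ("no cdp run", r"^no cdp run$", True),
    ("no ip source-route", r"^no ip source-route$", True),
    ("syslog host", r"^logging \d+\.\d+\.\d+\.\d+$", True),
    ("service timestamps log datetime", r"^service timestamps log datetime", True),
    ("default community 'public'", r"^snmp-server community public\b", False),
    ("default community 'private'", r"^snmp-server community private\b", False),
]


def vty_has_access_class(lines):
    """True if an 'access-class ... in' entry sits inside a 'line vty' stanza."""
    in_vty = False
    for line in lines:
        if not line.startswith(" "):  # a new top-level stanza starts here
            in_vty = line.startswith("line vty")
        elif in_vty and line.strip().startswith("access-class "):
            return True
    return False


def audit(config):
    """Return the card's checks that the configuration fails, in CHECKS order."""
    lines = [line.rstrip() for line in config.splitlines()]
    findings = []
    for label, pattern, must_exist in CHECKS:
        found = any(re.match(pattern, line) for line in lines)
        if found != must_exist:
            findings.append(("missing: " if must_exist else "present: ") + label)
    if sum(line.startswith("ntp server ") for line in lines) < 2:
        findings.append("fewer than two NTP servers")
    if not vty_has_access_class(lines):
        findings.append("no access-class on VTY lines")
    return findings
```

Run against a configuration pulled with show running-config, the list of findings is what a reviewer would take back to the router; confirm each one on the device, since a default that IOS does not print is not the same as a setting that has been verified.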
