Network security is a completely changing area; new devices like IDS (Intrusion
\nDetection systems), IPS (Intrusion Prevention systems), and Honeypots are modifying the
\nway people think about security. Companies are spending thousand of dollars on new
\nsecurity devices, but forgetting the basic, the first line of defense: the border router.<\/p>\n
Although a lot of people may think that routers don\u2019t need to be protect, they are
\ncompletely wrong. A lot of secure problems appear all time against this kind of device
\nand most of them are vulnerable.<\/p>\n
In this article I will give you 8 steps, easy to follow, to minimize your Cisco router
\nexposure by turning off some unused services, applying some access control and
\napplying some security options available on that.<\/p>\n
1- Control Access to your router; 1- Control Access to your router<\/strong><\/p>\n The first thing to do is apply some rules to restrict all external access to some ports of the access-list 110 deny tcp any host $yourRouterIP eq 7 Where $yourRouterIP is your router IP and x0\/0 is your external interface. We 2- Restrict telnet access to it<\/strong><\/p>\n Telnet is not a very safe protocol to use, but if you really need to use it (you should access-list 50 permit 192.168.1.1 Where 192.168.1.1 is the IP address allowed to telnet the router<\/p>\n 3- Block Spoof\/Malicious packets<\/strong><\/p>\n You must never allow loopback\/reserved IP address from the Internet reach your external access-list 111 deny ip 127.0.0.0 0.255.255.255 any 4- Restrict SNMP<\/strong> access-list 112 deny udp any any eq snmp And if you are not going to use SNMP at all, disable it:<\/p>\n no snmp-server<\/p>\n 5- Encrypt all passwords<\/strong><\/p>\n A very important thing to do is protect all your passwords using the powerful algorithm enable secret $yourpassword<\/p>\n All other passwords, you can encrypt using the Vigenere cipher that is not service password-encryption<\/p>\n 6- Disable all unused services<\/strong><\/p>\n 6.1 – Disable Echo, Chargen and discard<\/strong><\/p>\n no service tcp-small-servers 6.2 – Disable finger<\/strong><\/p>\n no service finger<\/p>\n 6.3 – Disable the httpd interface<\/strong> 6.4 – Disable ntp (if you are not using it)<\/strong><\/p>\n ntp disable<\/p>\n 7- Add some security options<\/strong><\/p>\n 7.1 – Disable source routing<\/strong><\/p>\n no ip source-route<\/p>\n 7.2 – Disable Proxy Arp<\/strong><\/p>\n no ip proxy-arp<\/p>\n 7.3 – Disable ICMP redirects<\/strong><\/p>\n interface s0\/0 (your external interface) 7.4 – Disable Multicast route Caching<\/strong><\/p>\n interface s0\/0 (your external interface) 6.5 – Disable CDP<\/strong><\/p>\n no cdp run<\/p>\n 6.6 – Disable direct broadcast (protect against Smurf attacks)<\/strong><\/p>\n no ip directed-broadcast<\/p>\n 8- Log everything<\/strong><\/p>\n To finish, you must log everything on an outside Log Server. You must everything from logging trap debugging Conclusion<\/strong><\/p>\n With these simple steps you can add a lot of security to your router, protecting it against a Only as an example, you can see the nmap result before and after applying these options:<\/p>\n Before:<\/p>\n bash-2.05b# nmap -O 192.168.1.1<\/p>\n
\n2- Restrict telnet access to it;
\n3- Block Spoof\/Malicious packets;
\n4- Restrict SNMP;
\n5- Encrypt all passwords;
\n6- Disable all unused services;
\n7- Add some security options;
\n8- Log everything;<\/strong><\/p>\n
\nrouter. You can block all ports, but it is not always necessary. These commands bellow
\nwill protect your router against some reconnaissance attacks and, obviously, will restrict
\naccess to these ports:<\/p>\n
\naccess-list 110 deny tcp any host $yourRouterIP eq 9
\naccess-list 110 deny tcp any host $yourRouterIP eq 13 access-list 110 deny tcp any host $yourRouterIP eq 19
\naccess-list 110 deny tcp any host $yourRouterIP eq 23
\naccess-list 110 deny tcp any host $yourRouterIP eq 79
\nint x0\/0
\naccess-group in 110<\/p>\n
\nWill always use this convention in this article.<\/p>\n
\nalways use ssh) you might want to restrict all access to it (remember that all your traffic
\nwill be unencrypted). The best way to accomplish that is using a standard access-list and
\nthe access-class command.<\/p>\n
\naccess-list 50 deny any log
\nline vty 0 4
\naccess-class 50 in
\nexec-timeout 5 0<\/p>\n
\ninterface and you can reject broadcast and multicast addresses too.<\/p>\n
\naccess-list 111 deny ip 192.168.0.0 0.0.0.255 any
\naccess-list 111 deny ip 172.16.0.0 0.0.255.255 any
\naccess-list 111 deny ip 10.0.0.0 0.255.255.255 any
\naccess-list 111 deny ip host 0.0.0.0 any
\naccess-list 111 deny ip 224.0.0.0 31.255.255.255 any
\naccess-list 111 deny icmp any any redirect
\nint x0\/0
\naccess-group in 111<\/p>\n
\nSNMP must always be restrict, unless you want some malicious person getting a lot of
\ninformation from your network ?<\/p>\n
\naccess-list 112 permit ip any any
\ninterface x0\/0
\naccess-group 112 in<\/p>\n
\nas possible.
\nThe password from exec mode, that grants privileged access to the IOS system,
\nCan be set using a MD5 hash, which is the strongest option available on the
\nCisco IOS.<\/p>\n
\nVery strong, but can help. To do that, you can use the service password-encryption
\nCommand that encrypts all passwords present in you system.<\/p>\n
\nno service udp-small-servers<\/p>\n
\nno ip http server<\/p>\n
\nno ip redirects<\/p>\n
\nno ip mroute-cache<\/p>\n
\nall your systems and always analyze the logs.<\/p>\n
\nlogging 192.168.1.10
\nwhere 192.168.1.10 is the ip of your log server (configured as a Syslog server)<\/p>\n
\nlot of possible attacks, increasing your network security.<\/p>\n