17 Tips to Hardening Cisco Router

0

Network administrator or a network engineer, when installing a new Cisco router in a data center and connect it to a network infrastructure for an enterprise organization, it is importance to secure this network device. If a router is compromised to hackers, the whole security of the network infrastructure can be terrible in consequent.

Scenario Setup
The following picture show you how we are going to do in this tutorial. There is computer connected to Cisco router console port with console cable. The Cisco router in Data Center is connected to the network infrastructure via Ethernet connections. Two dedicated servers for Tacacs+ service for AAA protocol and Network Monitoring System using SNMP protocol are already installed and configured in place. The network administrator or a network engineer is doing the security hardening on Cisco router via console interface now and his/her computer also connected to the network infrastructure.

1. Configure Host Name
In an enterprise Data Center, there are many network devices such as switches, routers, and firewalls which configured for an network infrastructure to function. Setting up host name for those network devices is really important for a manageable network infrastructure because we can easily identify the device’s location and its purpose/function/service with their host name.
# hostname DCRT-BDR01

2. Create Local User Admin Account
A local user admin account must be created. So, whenever we access to the Cisco router whether via SSH remote management or via console interface, we need to enter a correct username and password first for we gain access to the router. It is also used when Tacacs+ server is not reachable from Cisco router.
# username netadmin privilege 15 secret 1111
# enable secret 2222
# service password-encryption
# aaa new-model
# aaa authentication login default local-case
# aaa local authentication attempts max-fail 10

3. Configure Management IP
Since the loopback interfaces are always up, it is recommended to use loop-back interfaces for SSH remote management access to the Cisco router. The physical interfaces can change state up/down and potentially not accessible.
# int lo0
ip add 20.20.20.1 255.255.255.255

4. Configure SSH Options
SSH is a remote management protocol that the network administrator or a network engineer used to again control access on Cisco router because it provides an encrypted and secure remote access management connection. Never use Telnet to gain access to any network devices because telnet connection is in plain-text and your password can be captured easily. The following are some recommend SSH options to be configured.

# ip domain-name cybernationalsecurity.com
# crypto key generate rsa modulus 2048
# ip ssh version 2
# ip ssh time-out 30
# ip ssh logging events
# ip ssh maxstartups 10
# ip ssh authentication-retries 5

5. Enable Secure Login Checking
Sometime a malicious user may want to try performing a dictionary attack on our password. It is best to enforce a temporary block login request to our Cisco router after so many failed attempts occur within a specific time frame from a specific IP address.

# login block-for 300 attempts 5 within 120
# login delay 2
# login on-failure log
# login on-success log

6. Restrict and Secure Remote Management Access
It is very important security configurations to prevent unauthorized SSH remote access management to Cisco router, access control lists, ACL, must be configured to restrict what IP addresses can remote SSH access to Cisco router. Only the IP addresses of network administrator or a network engineer team is allowed.

# ip access-list standard ACL-SSH
permit 10.10.20.0 0.0.0.255 log
deny any log
# line vty 04
transport input ssh
access-class ACL-SSH in
exec-timeout 15

7. Restrict Console Access
It is best to set the console sessions idle timeout, so the console interface will be disconnected after a specific time of inactivity.

# line con 0
exec-timeout 15
no privilege level 15

8. Enable Logging
Logging is also important for security hardening configurations on Cisco router. To correlate and audit security events Cisco router more effectively, It is recommended to send logging information to a remote syslog server.

# logging buffered 16000 informational
# logging 10.10.10.5
# logging source-interface Loopback 0
# service timestamps debug datetime msec localtime show-timezone
# service timestamps log datetime msec localtime show-timezone

9. Enable Configuration Change Notification and Logging
It is advised to enable Configuration Change Notification and Logging feature to log the configuration changes made to a Cisco router device. After the Configuration Change Notification and Logging feature has been enabled, we can use command show archive log config all to view the configuration log.

# archive
log config
logging enable
logging size 200
hidekeys
notify syslog
# sh archive log config all
idx sess user@line Logged command
1 1 console@console |access-list 199 permit icmp host 10.10.10.10 host 20.20.20.20
2 1 console@console |crypto map NiStTeSt1 10 ipsec-manual
3 1 console@console |match address 199
4 1 console@console |set peer 20.20.20.20
5 1 console@console |exit
6 1 console@console |no access-list 199
7 1 console@console |no crypto map NiStTeSt1
8 2 netadmin@console |crypto key generate rsa modulus *****
9 0 netadmin@vty0 |!exec: enable

10. Disable Log to Console or Monitor Sessions
It is always advised to send logging information to the local log buffer, which can be viewed with the show logging command rather then to send log messages to monitor and console sessions. The monitor and console sessions are interactive management sessions and it can elevate the CPU load of Cisco router.

# no logging console
# no logging monitor

11. Enable NTP Server
NTP is very important to have an accurate and uniform clock settings on Cisco router for log data to be listed with the correct time and timezone. It helps tremendously in incident handling and proper log monitoring and correlation.

# clock timezone PHN 7
# ntp server 192.168.0.18

12. Restrict and Secure SNMP Access
It is recommend to use a standard SNMP community strings on every network device with a combination of uppercase characters, lowercase characters, numbers, and special characters. Default strings, such as public or private must be removed. SNMP must be configured with access rights RO (read only) and applicable ACL. Only SNMP version 2.0 and 3 is allowed.

The following is the SNMP version 2 configuration.

# ip access-list standard ACL-SNMP
permit 10.10.10.6
deny any log
# snmp-server community T@s9aMon RO ACL-SNMP
# snmp-server location DC
# snmp-server contact netadmin@techspacekh.com

The following is the SNMP version 3 configuration.

# ip access-list standard ACL-SNMP
permit 10.10.10.6
deny any log
# snmp-server group SYSMON v3 priv access ACL-SNMP
# snmp-server user nms-v3 SYSMON v3 auth md5 33331111 priv 3des 44442222
# snmp-server location DC
# snmp-server contact netadmin@techspacekh.co

To verify, we can use the following snmpwalk command from network monitoring server.
# snmpwalk -v2c -c A@B9aMon 10.10.10.1
# snmpwalk -v3 -u nms-v3 -A 33331111 -l auth -a MD5 -x DES -X 44442222 10.100.1.36

13. Disable Unused Services
For security hardening best practice, it is recommended to disabled any unnecessary service because they are frequently used for legitimate purposes but can be used in order to launch DoS and other attacks that are otherwise prevented by packet filtering.

# no ip http server
# no ip http secure-server
# no service dhcp
# no cpd run
# no lldp run global
# no ip bootp server
# no ip domain-lookup
# no ip source-route

14. Enable Login Banner
Following the publication of the “Computer Misuse Act 1990“, it is strongly recommended that computers should display a banner message before allowing users to log in. The Act stipulates that an offense of unauthorized access can only be committed if the offender knew at the time that the access he intended to obtain was unauthorized. Base on the “Regulation of Investigatory Powers Act 2000” also requires information to be given to users who access the computer. Login banners are the best way to achieve this.
# banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED! You must have explicit permission to access or configure this system.
All activities performed on this system may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement.
Use of this system shall constitute consent to monitoring.
#
# banner motd #
AUTHORIZED ACCESS ONLY! If you are not an authorized user, disconnect IMMEDIATELY! All connections are monitored and recorded.
#

15. Enable Keepalives TCP Sessions
Keepalives for TCP Sessions configuration must be enabled for TCP keepalives on inbound connections to the device and outbound connections from the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco router device.

# service tcp-keepalives-in
# service tcp-keepalives-out

16. Enable Memory and CPU Threshold Notifications
It is advised to enable Memory and CPU Threshold Notification to generates a log message in order to indicate that free memory on a device has fallen lower than the configured threshold.

# memory free low-watermark processor 204800
# memory free low-watermark io 204800
# memory reserve critical 20480
# process cpu threshold type total rising 80 interval 60 falling 70 interval 60
# process cpu statistics limit entry-percentage 80 size 60
# memory reserve console 4096
# exception memory ignore overflow io
# exception memory ignore overflow processor
# exception crashinfo maximum files 32

17. Enable Secure Copy and IOS Software Resilient
Cisco router also relies on SSH to supports the Secure Copy Protocol (SCP), which allows an encrypted and secure connection in order to copy device configurations or software images.
It is a security best practice to securely store a copy of the Cisco router software image and device configuration that is currently used by a Cisco router device.

# ip scp server enable
# copy scp://usernam@10.10.10.20/home/cybernationalsecurity/file.txt flash:
# configuration mode exclusive auto
# secure boot-image
# secure boot-config

Don’t forget to share this article!

 

LEAVE A REPLY

Please enter your comment!
Please enter your name here