Slide 1: Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L4

Slide 2: Lesson 4 – Module 5 – ‘Cisco Device Hardening’: Disabling Unused Cisco Router Network Services and Interfaces

Slide 3: Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Slide 4: Vulnerable Router Services and Interfaces
- Medium-size and large networks typically use a firewall appliance behind the perimeter router, which adds security features and performs user authentication and more advanced packet filtering.
- Firewall installations also facilitate the creation of Demilitarized Zones (DMZs), where the firewall ‘places’ hosts that are commonly accessed from the Internet.
- Cisco IOS software offers an alternative to a firewall appliance by incorporating many firewall features in the perimeter router. Although this option does not provide the same performance and security features that a Cisco PIX Security Appliance offers, a router with an integrated firewall feature set can solve most small-to-medium business perimeter security requirements.
- Cisco IOS routers run many services that create potential vulnerabilities. To secure an enterprise network, all unneeded router services and interfaces must be disabled.

Slide 5: Vulnerable Router Services and Interfaces
- Cisco IOS routers can be used as:
  - Edge devices
  - Firewalls
  - Internal routers
- Routers have default services that create potential vulnerabilities (for example, BOOTP, CDP, FTP, TFTP, NTP, Finger, SNMP, TCP/UDP minor services, IP source routing, and proxy ARP).
- Vulnerabilities can be exploited regardless of where the routers are placed.

Slide 6: Vulnerable Router Services
- Disable unnecessary services and interfaces (BOOTP, CDP, FTP, TFTP, NTP, PAD, and TCP/UDP minor services)
- Disable commonly configured management services (SNMP, HTTP, and DNS)
- Ensure path integrity (ICMP redirects and IP source routing)
- Disable probes and scans (finger, ICMP unreachables, and ICMP mask replies)
- Ensure terminal access security (ident and TCP keepalives)
- Disable gratuitous and proxy ARP
- Disable IP directed broadcast

Slide 7: Unnecessary Services and Interfaces

Router Service                                   Default                                Best Practice
BOOTP server                                     Enabled                                Disable
Cisco Discovery Protocol (CDP)                   Enabled                                Disable if not required
Configuration auto-loading                       Disabled                               Disable if not required
FTP server                                       Disabled                               Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
TFTP server                                      Disabled                               Disable if not required. Otherwise encrypt traffic within an IPsec tunnel.
Network Time Protocol (NTP) service              Disabled                               Disable if not required. Otherwise configure NTPv3 and control access between permitted devices using ACLs.
Packet assembler and disassembler (PAD) service  Enabled                                Disable if not required
TCP and UDP minor services                       Enabled (pre 11.3); Disabled (11.3+)   Disable if not required
Maintenance Operation Protocol (MOP) service     Enabled                                Disable explicitly if not required

Slide 8: Commonly Configured Management Services

Management Service                          Enabled by Default   Best Practice
Simple Network Management Protocol (SNMP)   Enabled              Disable the service. Otherwise configure SNMPv3.
HTTP configuration and monitoring           Device dependent     Disable if not required. Otherwise restrict access using ACLs.
Domain Name System (DNS) client service     Enabled              Disable if not required. Otherwise explicitly configure the DNS server address.

Slide 9: Path Integrity Mechanisms

Path Integrity Mechanism   Enabled by Default   Best Practice
ICMP redirects             Enabled              Disable the service
IP source routing          Enabled              Disable if not required.

Slide 10: Probe and Scan Features

Probe and Scan Feature           Enabled by Default   Best Practice
Finger service                   Enabled              Disable if not required.
ICMP unreachable notifications   Enabled              Disable explicitly on untrusted interfaces.
ICMP mask reply                  Disabled             Disable explicitly on untrusted interfaces.

Slide 11: Terminal Access Security

Terminal Access Security    Enabled by Default   Best Practice
IP identification service   Enabled              Disable
TCP keepalives              Disabled             Enable

Slide 12: ARP Service

ARP Service      Enabled by Default   Best Practice
Gratuitous ARP   Enabled              Disable if not required.
Proxy ARP        Enabled              Disable if not required.
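
The tables on slides 7 to 12 give, for each global service, its IOS default and the state an administrator should bring it to. The following Python script is an added example (not part of the Cisco lesson or Cisco's code): it reads a running-config as text, works out the effective state of each global service from the table defaults plus any explicit enable/disable line, and reports the services that still differ from best practice together with the command that fixes them. The defaults follow the lesson tables (SNMP is taken as enabled by default and HTTP as device dependent, as the tables state), the IOS command names are the standard global-config keywords, and the sample running-config is constructed for the example.

```python
"""Audit a Cisco IOS running-config for the global services covered in the
lesson tables and report any that differ from the best-practice state.

Added example; the sample config below is constructed, not a real device's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ServiceCheck:
    name: str
    enable_cmd: str                    # global command that turns the service on
    default_enabled: Optional[bool]    # IOS default per the lesson; None = device dependent
    want_enabled: bool                 # best-practice state from the tables
    disable_cmd: Optional[str] = None  # explicit off command when it is not "no <enable_cmd>"

    @property
    def off_cmd(self) -> str:
        return self.disable_cmd or "no " + self.enable_cmd


# Defaults and targets follow the lesson tables.
CHECKS: List[ServiceCheck] = [
    ServiceCheck("BOOTP server", "ip bootp server", True, False),
    ServiceCheck("CDP", "cdp run", True, False),
    ServiceCheck("PAD service", "service pad", True, False),
    ServiceCheck("TCP small servers", "service tcp-small-servers", False, False),
    ServiceCheck("UDP small servers", "service udp-small-servers", False, False),
    ServiceCheck("Finger", "ip finger", True, False),
    ServiceCheck("IP source routing", "ip source-route", True, False),
    ServiceCheck("Gratuitous ARP", "ip gratuitous-arps", True, False),
    ServiceCheck("IP identification (identd)", "ip identd", True, False),
    ServiceCheck("SNMP agent", "snmp-server community", True, False, "no snmp-server"),
    ServiceCheck("HTTP server", "ip http server", None, False),
    ServiceCheck("TCP keepalives in", "service tcp-keepalives-in", False, True),
    ServiceCheck("TCP keepalives out", "service tcp-keepalives-out", False, True),
    ServiceCheck("Password encryption", "service password-encryption", False, True),
]


@dataclass(frozen=True)
class Finding:
    service: str
    state: Optional[bool]   # effective state found (None = device dependent, not set explicitly)
    fix: str                # command that brings the service to the best-practice state


def config_lines(config_text: str) -> List[str]:
    """Strip whitespace and drop blank lines and IOS '!' comment lines."""
    lines = (ln.strip() for ln in config_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("!")]


def effective_state(lines: List[str], check: ServiceCheck) -> Optional[bool]:
    """Start from the table default and let the last matching config line win."""
    enable_re = re.compile(r"^" + re.escape(check.enable_cmd) + r"(\s|$)")
    state = check.default_enabled
    for line in lines:
        if line == check.off_cmd:        # exact match: "no snmp-server community x" is not a disable
            state = False
        elif enable_re.match(line):
            state = True
    return state


def audit(config_text: str, checks: List[ServiceCheck] = CHECKS) -> List[Finding]:
    """Return one Finding per service whose effective state is not the wanted one."""
    lines = config_lines(config_text)
    findings = []
    for check in checks:
        state = effective_state(lines, check)
        if state == check.want_enabled:  # None never equals a bool, so unknowns are reported
            continue
        fix = check.enable_cmd if check.want_enabled else check.off_cmd
        findings.append(Finding(check.name, state, fix))
    return findings


def harden(config_text: str, checks: List[ServiceCheck] = CHECKS) -> str:
    """Append the fix command for every finding and return the new config text."""
    fixes = [f.fix for f in audit(config_text, checks)]
    return config_text.rstrip("\n") + "\n" + "\n".join(fixes) + "\n"


# Constructed sample: a router on which only a few defaults have been touched.
SAMPLE_CONFIG = """
!
hostname R2
service tcp-small-servers
service password-encryption
no ip bootp server
no cdp run
ip http server
!
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.service:28} state={str(f.state):5} fix: {f.fix}")
```

Because the lesson defaults are built in, a service with no line at all in the config (PAD, finger, identd, source routing) is still reported, which is the case a grep for "no ..." lines misses. Running `audit()` on the output of `harden()` returns no findings.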

Slide 13: Router Hardening Considerations
- Attackers can exploit unused router services and interfaces.
- Administrators do not need to know how to exploit the services, but they should know how to disable them.
- It is tedious to disable the services individually. An automated method is needed to speed up the hardening process.

Slide 14: Locking Down Routers with AutoSecure
- The AutoSecure feature was introduced in Cisco IOS Release 12.3 and is available in later releases.
- AutoSecure is a single privileged EXEC program that allows elimination of many potential security threats quickly and easily.
- AutoSecure helps to make you more efficient at securing Cisco routers.
- AutoSecure allows two modes of operation:
  1. Interactive mode: prompts you to choose the way you want to configure router services and other security-related features.
  2. Noninteractive mode: configures security-related features on your router based on a set of Cisco defaults.

Slide 15: AutoSecure Functions
AutoSecure can selectively lock down:
- Management plane services and functions: Finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, banner
  - Also provides password security and SSH access
- Forwarding plane services and functions: CEF, traffic filtering with ACLs
- Firewall services and functions: Cisco IOS Firewall inspection for common protocols
- Login functions: password security
- NTP protocol
- SSH access
- TCP Intercept services

Slide 16: AutoSecure Failure Rollback Feature
- If AutoSecure fails to complete its operation, the running configuration may be corrupt.
- In Cisco IOS Release 12.3(8)T and later releases:
  - A pre-AutoSecure configuration snapshot is stored in flash under the filename pre_autosec.cfg.
  - Rollback reverts the router to its pre-AutoSecure configuration.
  - Command: configure replace flash:pre_autosec.cfg
- If the router is using software prior to Cisco IOS Release 12.3(8)T, the running configuration should be saved before running AutoSecure.

Slide 17: AutoSecure Process Overview

router# auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Cisco AutoSecure interactive steps:
Step 1 — Identify outside interfaces.
Step 2 — Secure the management plane.
Step 3 — Create security banner.
Step 4 — Configure passwords, AAA, and SSH.
Step 5 — Secure the interface settings.
Step 6 — Secure the forwarding plane.

Slide 18: Auto Secure Parameters

Parameter       Description
management      (Optional) Only the management plane will be secured.
forwarding      (Optional) Only the forwarding plane will be secured.
no-interact     (Optional) The user will not be prompted for any interactive configurations. No interactive dialogue parameters will be configured, including usernames or passwords.
full            (Optional) The user will be prompted for all interactive questions. This is the default setting.
ntp             (Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command-line interface (CLI).
login           (Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.
ssh             (Optional) Specifies the configuration of the SSH feature in the AutoSecure CLI.
firewall        (Optional) Specifies the configuration of the Firewall feature in the AutoSecure CLI.
tcp-intercept   (Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.

Slide 19: Step 1: Identify Outside Interfaces

Router#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: y
Enter the number of interfaces facing internet [1]: 1
Interface     IP-Address   OK? Method Status Protocol
Ethernet0/0   10.0.2.2     YES NVRAM  up     up
Ethernet0/1   172.30.2.2   YES NVRAM  up     up
Enter the interface name that is facing internet: Ethernet0/1

Slide 20: Step 2: Secure Management Plane Services

Securing Management plane services..
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Slide 21: Step 3: Create Security Banner

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.

Authorised Access only
This system is the property of Woolloomooloo Pty Ltd.
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device are logged and violations of this policy result in disciplinary action.

Enter the security banner {Put the banner between k and k, where k is any character}:
%This system is the property of Cisco Systems, Inc. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.%

Slide 22: Step 4: Passwords and AAA

Enable secret is either not configured or is same as enable password
Enter the new enable secret: Curium96
Configuration of local user database
Enter the username: student1
Enter the password: student1
Configuring aaa local authentication
Configuring console, Aux and vty lines for local authentication, exec-timeout, transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 300
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 60

Slide 23: Step 5: SSH and Interface-Specific Services

Configure SSH server? [yes]: y
Enter the hostname: R2
Enter the domain-name: cisco.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Slide 24: Step 6: Forwarding Plane Verification and Deployment

Securing Forwarding plane services..
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
...
Apply this configuration to running-config? [yes]: y

Slide 25: Auto Secure Configuration Example (1 of 6)

! Disable global services.
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
! Create banner.
banner #This system is the property of Cisco Systems, Inc. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.#
! Set minimum password length.
security passwords min-length 6
! Set the login failure rate.
security authentication failure rate 10 log

Slide 26: Auto Secure Configuration Example (2 of 6)

! Enable secret password.
enable secret 5 $1$6NpI$ClSvtL5Zs63fPpsQT5Dyq/
enable password 7 09674F04100916
! Enable local AAA.
aaa new-model
aaa authentication login local_auth local
! Configure local authentication on console, auxiliary and VTY lines for telnet.
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
! Block too many login attempts.
login block-for 5 attempts 3 within 4
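
The last line of the configuration above, `login block-for 5 attempts 3 within 4`, and the three values prompted for in Step 4 (blocking period 300, maximum failures 3, time period 60) are the same feature with different parameters. The following Python model is an added example (not Cisco's code and not a reimplementation of IOS): failed logins are counted in a sliding window of `within` seconds, and when `attempts` failures fall inside that window the device enters quiet mode for `block_for` seconds, refusing every login. The event streams it runs are constructed for the example.

```python
"""Simplified model of IOS login-attack protection:
'login block-for <seconds> attempts <n> within <seconds>'.

Added example, not Cisco's code.  It models the three parameters only; real
IOS has more detail (for example an ACL that exempts management hosts from
quiet mode), so use it to reason about the thresholds, not as a reference.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class LoginBlock:
    block_for: int    # quiet-mode duration in seconds once triggered
    attempts: int     # failures that trigger quiet mode
    within: int       # window in seconds in which those failures must occur
    failures: Deque[float] = field(default_factory=deque)
    quiet_until: float = 0.0

    def in_quiet_mode(self, now: float) -> bool:
        return now < self.quiet_until

    def attempt(self, now: float, success: bool) -> str:
        """Process a login at time `now`; returns 'blocked', 'ok' or 'failed'."""
        if self.in_quiet_mode(now):
            return "blocked"            # quiet mode: the connection is refused outright
        if success:
            self.failures.clear()       # a good login resets the failure count
            return "ok"
        self.failures.append(now)
        # Drop failures that have aged out of the 'within' window.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "failed"


def simulate(block: LoginBlock, events: List[Tuple[float, bool]]) -> List[str]:
    """Run (time, success) events through the model and return each outcome."""
    return [block.attempt(t, ok) for t, ok in events]


if __name__ == "__main__":
    # Values from the configuration above: block for 5 s after 3 failures within 4 s.
    # Constructed event stream: three quick failures, a try during quiet mode,
    # then a successful login after the quiet period has expired.
    events = [(0, False), (1, False), (2, False), (3, True), (7, True)]
    for (t, _), outcome in zip(events, simulate(LoginBlock(5, 3, 4), events)):
        print(f"t={t}s: {outcome}")
```

The second scenario in the test uses the Step 4 values (300, 3, 60): three failures spread over 70 seconds never have three inside one 60-second window, so no quiet period starts. That is the trade-off the `within` value sets between catching slow guessing and avoiding lockouts from ordinary typing errors.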

Slide 27: Auto Secure Configuration Example (3 of 6)

! Configure hostname and domain name.
hostname LosAngeles
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
! Configure logging parameters.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered

Slide 28: Auto Secure Configuration Example (4 of 6)

! Disable FE interface 0/0 services.
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
! Disable serial port services.
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
! Disable FE interface 0/1 services.
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
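
The interface stanzas above are the output of Step 5: five `no ip ...` commands on every interface, plus `no mop enabled` on the Ethernet interfaces only. The following Python script is an added example (not Cisco's code): it parses the interface stanzas out of a running-config and lists, per interface, which of those lockdown commands are still missing, emitting them in paste-ready form. It assumes the stanza layout IOS prints (an unindented `interface <name>` line followed by sub-commands indented by one space), and the sample running-config is constructed for the example.

```python
"""Verify that the interface-level AutoSecure lockdown lines are present on
every interface of a Cisco IOS running-config.

Added example, not Cisco's code.  The required commands are the ones the
lesson lists for Step 5; the sample configuration is constructed.
"""
import re
from typing import Dict, List

# Commands AutoSecure applies to every interface.
PER_INTERFACE = [
    "no ip redirects",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip mask-reply",
]
# MOP is disabled on Ethernet interfaces only (the serial stanza above has no such line).
ETHERNET_ONLY = ["no mop enabled"]
ETHERNET_RE = re.compile(r"^(Fast|Gigabit|TenGigabit)?Ethernet", re.IGNORECASE)


def parse_interfaces(config_text: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} from a running-config.

    A stanza starts at an unindented 'interface <name>' line; its sub-commands
    are indented by one space; a '!' line or any other unindented line ends it.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def required_for(name: str) -> List[str]:
    """Lockdown commands expected on an interface, by interface type."""
    cmds = list(PER_INTERFACE)
    if ETHERNET_RE.match(name):
        cmds += ETHERNET_ONLY
    return cmds


def missing_lockdown(config_text: str) -> Dict[str, List[str]]:
    """Map every interface to the lockdown commands it still lacks ([] = compliant)."""
    gaps: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config_text).items():
        present = set(lines)
        gaps[name] = [c for c in required_for(name) if c not in present]
    return gaps


def fix_commands(gaps: Dict[str, List[str]]) -> List[str]:
    """Render the missing commands as lines ready to paste into config mode."""
    out: List[str] = []
    for name, missing in gaps.items():
        if missing:
            out.append(f"interface {name}")
            out.extend(f" {c}" for c in missing)
    return out


# Constructed sample: two compliant interfaces and one that was only partly hardened.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/0
 ip address 10.0.2.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface Serial0/0
 ip address 172.30.2.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
!
"""

if __name__ == "__main__":
    print("\n".join(fix_commands(missing_lockdown(SAMPLE_CONFIG))))
```

Checking per stanza rather than grepping the whole file matters because a command present on one interface says nothing about the others; an interface added after AutoSecure ran gets none of these lines.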

Slide 29: Auto Secure Configuration Example (5 of 6)

! Enable CEF.
ip cef
! Apply ACL to inside interface.
interface Serial0/0
 ip access-group autosec_complete_bogon in
 exit
access-list 100 permit udp any any eq bootpc
interface Serial0/0
 ip verify unicast source reachable-via rx allow-default 100
! Turn on the CBAC firewall with common settings.
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
end

Slide 30: Auto Secure Configuration Example (6 of 6)

ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Serial0/0
 ! Apply CBAC inspect list to outside interface.
 ip inspect autosec_inspect out
 ! Apply ACL to outside interface.
 ip access-group autosec_firewall_acl in

Slide 31: Locking Down Routers with Cisco SDM
- SDM simplifies router and security configuration through smart wizards that help to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI.
- SDM simplifies firewall and IOS software configuration without requiring expertise about security or IOS software.
- SDM contains a Security Audit wizard that performs a comprehensive router security audit.
- SDM uses security configurations recommended by Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings.
- The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance to best-practice security policies.
- SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature.

Slide 32: Security Device Manager (SDM)
SDM automated hardening features:
- Security Audit
- One-Step Lockdown

Slide 33: SDM Security Audit Overview
- Security Audit compares router configuration against recommended settings.
- Examples of the audit include:
  - Shut down unneeded servers
  - Disable unneeded services
  - Apply the firewall to the outside interfaces
  - Disable or harden SNMP
  - Shut down unused interfaces
  - Check password strength
  - Enforce the use of ACLs

Slide 34: SDM Security Audit: Main Window

Slide 35: SDM Security Audit Wizard

Slide 36: SDM Security Audit Interface Configuration

Slide 37: SDM Security Audit

Slide 38: SDM Security Audit: Fix the Security Problems

Slide 39: SDM Security Audit: Summary

Slide 40: SDM One-Step Lockdown: Main Window

Slide 41: SDM One-Step Lockdown Wizard