router hardening l.
Skip this Video
Download Presentation
Router Hardening

Loading in 2 Seconds...

play fullscreen
1 / 52

Router Hardening - PowerPoint PPT Presentation

  • Uploaded on

Router Hardening. Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004. Introduction. Types of Routers Unnecessary Services Password Management Interactive Access IP Routing. Introduction. Warning Banners SNMP Security Logging Requirements General Requirements

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Router Hardening' - london

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
router hardening

Router Hardening

Nancy Grover, CISSP

ISC2/ISSA Security Conference

November 2004

  • Types of Routers
  • Unnecessary Services
  • Password Management
  • Interactive Access
  • IP Routing
  • Warning Banners
  • SNMP Security
  • Logging Requirements
  • General Requirements
  • Router Threat Management
types of routers
Types of Routers
  • Boundary or edge routers
  • Interior routers
  • Backbone routers
  • Aggregate routers or hub routers
types of routers5
Types of Routers
  • Interior routers provide connectivity within a routing domain.
types of routers6
Types of Routers
  • Backbone routers provide connectivity between routing domains.
types of routers7
Types of Routers
  • Aggregate routers and hub routers are used to combine a large number of connections into a fewer number of high bandwidth connections.
types of routers8
Types of Routers
  • A boundary or edge router refers to a router that sits between one or more networks that are of different security domains.
  • These routers require a higher level of security.
unnecessary services
Unnecessary Services
  • TCP & UDP Small Servers need to be disabled on the router.
unnecessary services10
Unnecessary Services
  • These services can be disabled with the commands:

no service tcp-small-servers

no service udp-small-servers

  • Note: Small services are disabled by default in Cisco IOS 12.0 and later software.
unnecessary services11
Unnecessary Services
  • Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled.
unnecessary services12
Unnecessary Services
  • The CDP protocol can be disabled with the global configuration command:

no cdp running

  • CDP can be disabled on a particular interface with:

no cdp enable

unnecessary services13
Unnecessary Services
  • HTTP access should disabled on the router, especially on a boundary/edge router.
unnecessary services14
Unnecessary Services
  • Finger should be disabled on the router.
  • The finger service can be disabled with the command:

no service finger

unnecessary services15
Unnecessary Services
  • The RSH and RCP services must be restricted by IP address.
  • If the services are not needed, they must be disabled.
unnecessary services16
Unnecessary Services
  • These services can be disabled with thecommands:

no ip rcmd rcp-enable

no ip rcmd rsh-enable

  • Note: These commands are disabled by default in Cisco IOS 12.0 and later.
password management
Password Management
  • The service password encryption command should be enabled to provide minimum protection for configured passwords.
password management18
Password Management
  • As a global default, use the command:

service password encryption

  • Note: Thiscommand directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file.
password management19
Password Management
  • The enable secret command is used to set the password granting privileged administrative access to the IOS system.
password management20
Password Management
  • All system installation, maintenance, and default passwords supplied by vendors must be changed.
  • Passwords should follow the password complexity guidelines outlined in your company’s security policies.
interactive access
Interactive Access
  • tty console and auxiliary access should be controlled with both a user ID and password stored in a local file on the router.
  • Note: All tty access should use either TACACS+ or a RADIUS server for authentication.
interactive access22
Interactive Access
  • Reverse telnet sessions to console and auxiliary tty lines should be disabled.
  • Disable reverse telnet sessions on tty lines by using the command:

transport input none

interactive access23
Interactive Access
  • vty access to the router should be controlled by both a user ID and password when logging into the router.
  • Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.
interactive access24
Interactive Access
  • vty lines should be configured to accept connections only from those protocols actually needed.
interactive access25
Interactive Access
  • Usethe transport input command to restrict the protocols accepted by the vty lines.
interactive access26
Interactive Access
  • Access to at least one vty line should be restricted to an IP or IP range to protect against Denial of Service Attacks.
  • The ip access-class command can be used to restrict the IP addresses.
interactive access27
Interactive Access
  • Timeouts should be configured on all vty lines, based on your company’s timeout policy.
  • Use the exec-timeout command to configure timeouts on vty lines.
ip routing
IP Routing
  • Routers should have IP source routing disabled.
  • Disable IP source routing as a global default with the no ip source-routecommand.
ip routing29
IP Routing
  • All directed broadcasts should be disabled on all router interfaces.
ip routing30
IP Routing
  • Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts.
  • Note: directed broadcasts are disabled by default in Cisco IOS 12.0 and later.
ip routing31
IP Routing
  • Boundary/edge routers, in particular, should filter ICMP redirects.
  • Use access lists to block ICMP redirects.
  • Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.
ip routing32
IP Routing
  • If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.
ip routing33
IP Routing
  • Note: Anti-spoofing access lists should block:
    • Publicly owned internal address space
    • All RFC1918 private addresses
    • IP addresses with a source address of a router interface
    • (loopback)
warning banner
Warning Banner
  • Is the company’s warning banner displayed to anyone logging into the router?
  • Note: Use the banner login command to configure the warning banner.
snmp security
SNMP Security
  • SNMP community strings should adhere to your company’s password complexity guidelines.
snmp security36
SNMP Security
  • The read only community string should be different than the read/write community string.
  • Note: If possible, periodic polling should be done on the read only community string.
snmp security37
SNMP Security
  • The read/write community string should be reserved for write operations ONLY, while the read only community strings should be reserved for read access.
snmp security38
SNMP Security
  • Access lists should be employed to restrict SNMP to the IP addresses of management stations only.
logging requirements
Logging Requirements
  • System logging should be enabled and the information saved to both a local buffer and a syslog server.
logging requirements40
Logging Requirements
  • If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ Server.
logging requirements41
Logging Requirements
  • If router is using a real-time clock or is running NTP, all log entries should be time-stamped.
logging requirements42
Logging Requirements
  • To show time-stamps, use the command:

service timestamps log datetime localtime show-timezone

logging requirements43
Logging Requirements
  • All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.
logging requirements44
Logging Requirements
  • System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.
general requirements
General Requirements
  • Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.
general requirements46
General Requirements
  • Physical access to the router and its components must be strictly controlled.
general requirements47
General Requirements
  • Back-up and contingency processes for each router need to be documented and in place.
general requirements48
General Requirements
  • There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company
router threat management
Router Threat Management
  • Threat Warning – Inform technology SME’s of a newly identified threat.
  • Threat Plan – Provide specific remediation information to SMEs.
  • Alert – Send urgent threat information and remediation plans to all System Administrators.
router threat management50
Router Threat Management
  • Critical T-0: Immediate risk. Patching must begin immediately.
  • Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days.
  • Important T-30: Patches expected to be tested and installed within 30 days.
  • Informational: General awareness threat issue.
router threat management51
Router Threat Management
  • Other methods to protect routers from outside attacks.
the end
The End