Securing Perimeter Router

scolombo
Cisco Employee

I'm looking for info , tips, configuration examples, docs on how to securely configure a cisco IOS perimeter router with and/or without firewall feature set.

Any help is greatly appreciated.

5 Replies

tmordijck
Level 1

The best free document I know is written by the NSA.

Look in: http://nsa1.www.conxion.com/ for router guides (and others). For a specific view on disabling unneeded features and services look in:

http://www.sans.org/infosecFAQ/netdevices/disabling.htm

I would like to bring part of my conclusions in this document to the attention of the router developers:

I am, however, aware that some errors may also be present in my list of configuration commands to consider. The way Cisco reveals a router configuration to its administrators is just too unclear, and I do not have, like most other people, the time and the resources to learn everything about it. The only people who probably have enough knowledge to guarantee the correctness of such a list are the IOS developers at Cisco.

My second suggestion is to Cisco to drastically re-engineer IOS in such a way that a configuration file gives a clear view on the detailed behaviour that can be expected from the router.

Probably, it will take several more IOS releases, to reach such a situation. My suggestion on the short term to the Cisco IOS developers is to publish a list of default active services and features and the correct configuration command to disable (and re-enable) them. Ideally this list should be available for all IOS releases (and sub-releases if relevant) but starting with the most recent releases is probably best. These lists should be published at the Cisco web site. Every author, every course leader and every consultant will still have his/her own vision on the best way to secure Cisco routers but at least they will be able to share the real facts on how a Cisco router works.

Toon Mordijck

toon.mordijck@pwc.be

patrick.hurley
Level 3

1) Add an access-class list to line vty 0 4 to ONLY allow for internal users to telnet to the router.

2) add command "no ip source-route" in global

3) add "no ip finger"

4) add the following to Internet interface:

ip verify unicast reverse-path

no ip redirects

no ip directed-broadcast

no ip proxy-arp

no cdp enable

twiggles
Level 1

!!!Cisco Box hardening script
!!!We used this file to harden our boxes. Just copy the entire
!!!thing into Hyperterminal/Minicom etc. and the commands should
!!!execute themselves, exit out, and save the thing to the running
!!!config. You will need to edit it, however, since adding passwords
!!!and acls is not only bad security policy but reduces the portability.
!!!Special note: this is for routers only, Catalysts are a different beast.
!!!IOS only treats "!" as a comment at the start of a line, so every
!!!comment below sits on its own line; a trailing "!comment" after a
!!!command is rejected as invalid input and the command is not applied.
conf t
!
hostname RouterX
!!!"p" is a placeholder; replace it with a real secret before pasting.
enable secret p
!!!obvious ones first. Some are off by default on newer IOSs, but
!!!we like to turn them off manually in case.
no ip bootp server
no ip source-route
no cdp run
no ip http server
no service dhcp
no service pad
no service finger
!!!ICMP redirects are disabled per interface with "no ip redirects"
!!!(see the interface commands at the end). The global "ip icmp redirect"
!!!command only selects host or subnet redirects; it does not turn them off.
!
!!!Lower the time the router waits to complete a TCP connection it
!!!originates itself (default is 30 seconds).
!!!IMPORTANT-this does not protect hosts behind (or in front of) the router.
ip tcp synwait-time 15
!
!!!Stamps all log messages with the router clock to the millisecond;
!!!sync the clock with NTP for the stamps to mean anything.
service timestamps log datetime msec
!
!!!The following two commands are necessary on some older IOSs for normal functionality.
!!!They are on by default in 12.x, but if they are off for some reason, troubleshooting
!!!why your infrastructure doesn't work can be a nightmare.
ip subnet-zero
ip classless
!
!!!The following link explains the next two commands. Only one will apply
!!!to any given router, which one depends on our IOS. Inserting both should
!!!cause a harmless error message on one, but will otherwise work fine.
!!!http://www.cisco.com/warp/public/707/21.html#sched
scheduler interval 500
scheduler allocate 30000 2000
!
!!!The following global command only allows one icmp unreachable message to be
!!!sent from the router every 100 milliseconds. We can't inadvertently DOS anyone.
ip icmp rate-limit unreachable 100
!
!!!The following hyperlink explains what the next two commands shut down. Mostly
!!!legacy stuff.
!!!http://www.cisco.com/warp/public/66/23.html
no service tcp-small-servers
no service udp-small-servers
!
!!!Logging to remote station. Edit the IP addresses. Ciscos can log to multiple stations
logging 1.1.1.1
logging 2.2.2.2
!!!uses weak cisco-proprietary algorithm to encrypt all passwds on system so a "show run"
!!!doesn't display them in clear-text. This is trivial to crack but better than nothing.
service password-encryption
!
!!!only necessary when config is gigantic, not for security so I commented it out for now
!service compress
!
!!!These next two commands show the banner immediately upon connection to
!!!the defined vty ports. So telnetting shows you the banner before the login prompt.
line vty 0 4
motd-banner
exit
!!!The next two commands do the same as the previous, but for the auxiliary port.
line aux 0
motd-banner
exit
!!!sets console password. by default ciscos don't have one.
!!!Also changes default timeout of console port's privileged executive (root)
!!!session. Default is 10 minutes of inactivity.
line con 0
login
password p
!!!exec-timeout takes minutes [seconds]
exec-timeout 5 0
exit
!
!!!"Transport" lines disallow any remote admin protocol besides telnet:
!!!"transport input none" clears the list and the next line re-adds telnet only.
!!!Sets escape-character to [control+w] when connected via vty ports.
!!!This is not for security; it allows one to cancel a traceroute
!!!or other function that would otherwise not die for a long time.
!!!Default escape-character is [control+shift+6, x], but when telnetting
!!!in that merely boots you out and the traceroute continues. Pretty annoying.
!!!Also lowers the executive timeout for the vty port from 10
!!!minutes of inactivity to 5. Finally applies inbound acl 23 to
!!!vty ports 0 through 4. Acl 23 is defined as normal in global config.
line vty 0 4
login
password p
transport input none
transport input telnet
!!![control+w] instead of [control+shift+6, x]
escape-character 23
!!!in minutes
exec-timeout 5 0
!!!restrict telnet access via source IP
access-class 23 in
exit
!
!!!0x2102 is the normal register: boot the IOS image from flash and load the
!!!startup config from NVRAM (0x2142, used for password recovery, ignores NVRAM).
config-register 0x2102
!
!!!This is the banner I took from X, so I'm assuming it's the preferred/standard one.
!!!If we have to take legal action against an attacker, we must prove that he absolutely
!!!could not have gotten into any box without seeing this.
!!!This command puts it on the console
banner motd X
This system is restricted solely to authorized users for legitimate
purposes only. yaddayaddayadda
X
!
exit
write mem
!!!The following adds SNMP read-only ability (community "look") to everyone matching
!!!standard acl 61. I don't support writing from SNMP; you shouldn't even define a write
!!!string. In fact, your network IDS (you have a NIDS right?)
!!!should send alerts when someone tries that.
!snmp-server community look ro 61
!snmp-server enable traps
!!!example IP address
!snmp-server host 192.168.1.10 traps look
!!!Interface commands are a little trickier to script since Cisco boxes come
!!!in different chassis with different syntaxes. I'll work on an Expect script for the
!!!future. For now I'll just list interface commands that have to be applied. Sorry.
!no ip directed-broadcast
!no ip unreachables
!no ip redirects
!!!Other thingies yet to be added
!privilege levels
!!!You can play with TCP intercept, but that assumes symmetrical routing.
!!!I think it's feasible from the DMZ boxes (they're the ones getting creamed anyhoo)
!AAA features like Radius
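The replies above hand you a list of commands (patrick.hurley's interface and vty items, twiggles' global script) but no way to check that a router actually has them, and Toon Mordijck's point stands: a service that is off by default leaves no `no ...` line in `show running-config`, so reading a config tells you only what was set explicitly. The following audit script is an added example, not code from this thread or from Cisco. It parses a constructed sample running-config (embedded inline, not taken from any real router), reports the items from both replies that are not explicitly present, and cross-checks two things the lists imply but do not state: that the vty `access-class` points at an ACL that exists, and that `ip verify unicast reverse-path` has `ip cef` behind it. The `outside` parameter, the `GLOBAL_REQUIRED` table and the cleartext-telnet finding are this example's own additions.

```python
import re

# Constructed sample running-config (not from the thread). It deliberately
# omits several of the hardening items so that the checks below fire.
SAMPLE_CONFIG = """\
!
enable secret 5 $1$xxxx$placeholderhash
service password-encryption
service timestamps log datetime msec
no service pad
no ip bootp server
no ip source-route
no ip http server
ip cef
!
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
access-list 23 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 23 in
 login
 transport input telnet
!
"""

# Global commands from the replies; each entry lists acceptable spellings.
GLOBAL_REQUIRED = (
    ("no ip source-route",), ("no ip finger", "no service finger"),
    ("no ip bootp server",), ("no ip http server",), ("no cdp run",),
    ("no service pad",), ("no service tcp-small-servers",),
    ("no service udp-small-servers",), ("service password-encryption",),
    ("service timestamps log datetime msec",),
)
# Checked on every interface; checked only on the interfaces named as outside.
INTERFACE_REQUIRED_ALL = ("no ip directed-broadcast",)
INTERFACE_REQUIRED_OUTSIDE = ("ip verify unicast reverse-path",
                              "no ip redirects", "no ip proxy-arp", "no cdp enable")


def parse_config(text):
    """Split an IOS config into global lines and sub-mode sections keyed by
    header ('interface FastEthernet0/0', 'line vty 0 4', ...)."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separators close the open block
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
            global_lines.append(line)
    return global_lines, sections


def audit(text, outside=()):
    """Return sorted findings for a config; [] means every check passed.
    Only explicit presence is tested: 'missing' means 'not explicitly
    disabled', not 'enabled', because defaults are absent from show run."""
    global_lines, sections = parse_config(text)
    findings = []
    for alternatives in GLOBAL_REQUIRED:
        if not any(a in global_lines for a in alternatives):
            findings.append(f"global: missing '{alternatives[0]}'")
    if not any(l.startswith("enable secret ") for l in global_lines):
        findings.append("global: no hashed 'enable secret' configured")
    # ACL identifiers, numbered and named, so a vty access-class can be cross-checked.
    acls = {m.group(1) for l in global_lines if (m := re.match(r"access-list (\S+) ", l))}
    acls |= {h.split()[-1] for h in sections if h.startswith("ip access-list ")}
    for header, body in sections.items():
        if header.startswith("interface "):
            required = INTERFACE_REQUIRED_ALL
            if header.split(None, 1)[1] in outside:
                required += INTERFACE_REQUIRED_OUTSIDE
            findings += [f"{header}: missing '{c}'" for c in required if c not in body]
            if "ip verify unicast reverse-path" in body and "ip cef" not in global_lines:
                findings.append(f"{header}: uRPF needs 'ip cef', which is not configured")
        elif header.startswith("line vty"):
            ac = next((l for l in body if l.startswith("access-class ")), None)
            if ac is None:
                findings.append(f"{header}: no inbound access-class; any source may connect")
            elif ac.split()[1] not in acls:
                findings.append(f"{header}: access-class {ac.split()[1]} references an undefined ACL")
            if any(l.startswith("transport input") and "telnet" in l for l in body):
                findings.append(f"{header}: telnet permitted; logins cross the network in cleartext")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, outside=("FastEthernet0/0",)):
        print(finding)
```

Run against the sample with `FastEthernet0/0` named as the outside interface it reports seven findings: four global services never explicitly disabled, uRPF and directed-broadcast missing on the outside interface, and telnet on the vty lines. Because the checker can only see what is in the text, feed it the output of `show running-config all` on releases that support it, which prints default settings too; on older releases the absence of a `no ...` line has to be confirmed by hand.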