09-26-2001 02:39 AM - edited 03-08-2019 08:46 PM
I'm looking for info, tips, configuration examples and docs on how to securely configure a Cisco IOS perimeter router, with and/or without the firewall feature set.
Any help is greatly appreciated.
10-01-2001 02:45 PM
Here are a few URLs to try: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/
http://www.cisco.com/warp/public/793/ios_fw/cbac2.html
and search Cisco.com using cbac configuration for more.
10-17-2001 06:06 PM
11-09-2001 06:53 AM
The best free document I know is written by the NSA.
Look in: http://nsa1.www.conxion.com/ for router guides (and others). For a specific view on disabling unneeded features and services look in:
http://www.sans.org/infosecFAQ/netdevices/disabling.htm
I would like to bring part of my conclusions in this document to the attention of the router developers:
I am, however, aware that some errors may also be present in my list of configuration commands to consider. The way Cisco reveals a router configuration to its administrators is just too unclear, and, like most other people, I do not have the time and the resources to learn everything about it. Probably the only people who have enough knowledge to guarantee the correctness of such a list are the IOS developers at Cisco.
My second suggestion to Cisco is to drastically re-engineer IOS in such a way that a configuration file gives a clear view of the detailed behaviour that can be expected from the router.
Probably it will take several more IOS releases to reach such a situation. My suggestion in the short term to the Cisco IOS developers is to publish a list of default active services and features and the correct configuration commands to disable (and re-enable) them. Ideally this list should be available for all IOS releases (and sub-releases if relevant), but starting with the most recent releases is probably best. These lists should be published on the Cisco web site. Every author, every course leader and every consultant will still have his/her own vision of the best way to secure Cisco routers, but at least they will be able to share the real facts on how a Cisco router works.
Toon Mordijck
11-18-2001 08:10 PM
1) Add an access-class list to line vty 0 4 to ONLY allow internal users to telnet to the router.
2) Add the command "no ip source-route" in global configuration.
3) Add "no ip finger".
4) Add the following to the Internet interface:
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
12-06-2001 12:49 PM
!!!Cisco Box hardening script
!!!We used this file to harden our boxes. Just copy the entire
!!!thing into Hyperterminal/Minicom etc. and the commands should
!!!execute themselves, exit out, and save the thing to the running
!!!config. You will need to edit it, however, since adding passwords
!!!and acls is not only bad security policy but reduces the portability.
!!!Special note: this is for routers only, Catalysts are a different beast.
conf t
!
hostname RouterX
enable secret p
!!!obvious ones first. Some are off by default on newer IOSs, but
!!!we like to turn them off manually just in case.
no ip bootp server
no ip source-route
!!!ICMP redirects are turned off per interface with "no ip redirects" (see the
!!!interface commands at the end). The global "no ip icmp redirect" only resets the
!!!redirect type (host/subnet) and does not stop the router from sending them.
no cdp run
no ip http server
no service dhcp
no service pad
no service finger
!
!!!Lower the TCP timeout for sessions destined for the router itself; default is 30 seconds.
!!!IMPORTANT: this does not protect hosts behind (or in front of) the router.
ip tcp synwait-time 15
!
!
!!!Stamps NTP time on all logs to the millisecond
service timestamps log datetime msec
!
!!!The following two commands are necessary on some older IOSs for normal functionality.
!!!They are on by default in 12.x, but if they are off for some reason, troubleshooting
!!!why your infrastructure doesn't work can be a nightmare.
ip subnet-zero
ip classless
!
!!!The following link explains the next two commands. Only one will apply
!!!to any given router, which one depends on our IOS. Inserting both should
!!!cause a harmless error message on one, but will otherwise work fine.
!!!http://www.cisco.com/warp/public/707/21.html#sched
scheduler interval 500
scheduler allocate 30000 2000
!
!!!The following global command only allows one ICMP unreachable message to be
!!!sent from the router every 100 milliseconds, so we can't inadvertently DoS anyone.
ip icmp rate-limit unreachable 100
!
!!!The following hyperlink explains what the next two commands shut down. Mostly
!!!legacy stuff.
!!!http://www.cisco.com/warp/public/66/23.html
no service tcp-small-servers
no service udp-small-servers
!
!!!Logging to remote station. Edit the IP addresses. Ciscos can log to multiple stations
logging 1.1.1.1
logging 2.2.2.2
!!!Uses a weak Cisco-proprietary algorithm to encrypt all passwords on the system so a "show run"
!!!doesn't display them in clear text. This is trivial to crack but better than nothing.
service password-encryption
!
!!!only necessary when config is gigantic, not for security so I commented it out for now
!service compress
!
!
!!!These next two commands show the banner immediately upon connection to
!!!the defined vty ports, so telnetting in shows you the banner before the login prompt.
line vty 0 4
motd-banner
exit
!!!The next two commands do the same as the previous, but for the auxiliary port.
line aux 0
motd-banner
exit
!!!Sets the console password. By default Ciscos don't have one.
!!!Also changes the default timeout of the console port's privileged executive (root)
!!!session. Default is 10 minutes of inactivity.
line con 0
login
password p
!exec-timeout is in minutes
exec-timeout 5
exit
!
!!!"Transport" lines disallow any remote admin protocol besides telnet.
!!!Sets escape-character to [control+w] when connected via vty ports.
!!!This is not for security; it allows one to cancel a traceroute
!!!or other function that would otherwise not die for a long time.
!!!Default escape-character is [control+shift+6, x], but when telnetting
!!!in that merely boots you out and the traceroute continues. Pretty annoying.
!!!Also lowers the executive timeout for the vty port from 10
!!!minutes of inactivity to 5. Finally applies inbound acl 23 to
!!!vty ports 0 through 4. Acl 23 is defined as normal in global config.
!!!Comments sit on their own "!" lines: IOS only treats "!" as a comment at
!!!the start of a line and rejects it as invalid input after a command.
line vty 0 4
login
password p
transport input none
transport input telnet
!escape-character 23 is [control+w] instead of [control+shift+6, x]
escape-character 23
!exec-timeout is in minutes
exec-timeout 5
!restrict telnet access by source IP
access-class 23 in
exit
!
!!!This setting makes sure the configuration file boots with the flash
config-register 0x2102
!
!!!This is the banner I took from X, so I'm assuming it's the preferred/standard one.
!!!If we have to take legal action against an attacker, we must prove that he absolutely
!!!could not have gotten into any box without seeing this.
!!!This command puts it on the console
banner motd X
This system is restricted solely to authorized users for legitimate
purposes only. yaddayaddayadda
X
!
!
!
exit
write mem
!!!The following adds SNMP read-only ability (community "look") to everyone matching
!!!standard acl 61. I don't support writing from SNMP; you shouldn't even define a write
!!!string. In fact, your network IDS (you have a NIDS, right?)
!!!should send alerts when someone tries that.
!snmp-server community look ro 61
!snmp-server enable traps
!snmp-server host 192.168.1.10 traps look
!!!192.168.1.10 is an example IP address
!!!Interface commands are a little trickier to script since Cisco boxes come
!!!in different chassis with different syntaxes. I'll work on an Expect script for the
!!!future. For now I'll just list interface commands that have to be applied. Sorry.
!no ip directed-broadcast
!no ip unreachables
!no ip redirects
!!!Other thingies yet to be added
!privilege levels
!!!You can play with TCP intercept, but that assumes symmetrical routing.
!!!I think it's feasible from the DMZ boxes (they're the ones getting creamed anyhoo)
!AAA features like RADIUS
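Taken together, the checklist in the 11-18-2001 post and the hardening script above describe what a hardened perimeter-router configuration should contain. The following is an added example, not code from any post in this thread: a small Python auditor that parses a `show running-config` dump, reports which of those global, interface and vty settings are missing, and, since the script's comments note that `service password-encryption` is trivial to reverse, decodes any type-7 password it finds. The config it runs against is constructed for the example; the command list and the 5-minute timeout come from the thread, the type-7 XOR key is the publicly known one, and the only IOS-specific assumption is that `show run` output indents section bodies with one space and separates sections with `!`.

```python
"""Audit a Cisco IOS 'show running-config' dump against the hardening points
raised in this thread.  Added example, not code from any post above;
SAMPLE_CONFIG is constructed for the demonstration."""
import re

# Global commands the thread wants present.  Newer IOS omits some of these from
# 'show run' when they are the default, so absence means "verify", not "exposed".
GLOBAL_CHECKS = [
    "no ip source-route", "no ip bootp server", "no ip http server",
    "no cdp run", "no service tcp-small-servers", "no service udp-small-servers",
    "service password-encryption", "service timestamps log datetime msec",
]
# Per-interface commands from the thread, checked on every interface that
# carries an IP address; decide yourself which of those face the Internet.
IFACE_CHECKS = ["no ip redirects", "no ip directed-broadcast",
                "no ip proxy-arp", "ip verify unicast reverse-path"]
MAX_EXEC_TIMEOUT_MIN = 5  # the thread lowers the 10-minute default to 5
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"  # well-known type-7 XOR key

def decode_type7(enc):
    """Reverse a type-7 string: 2-digit seed, then hex bytes XORed with XLAT."""
    seed = int(enc[:2])
    out = ""
    for n, pos in enumerate(range(2, len(enc), 2)):
        out += chr(int(enc[pos:pos + 2], 16) ^ ord(XLAT[(seed + n) % len(XLAT)]))
    return out

def parse_config(text):
    """Split IOS config text into top-level commands and indented sections."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None              # '!' ends a section in IOS output
        elif line.startswith(" "):
            if current is not None:     # indented line belongs to the section
                sections[current].append(line.strip())
        else:
            current = line
            top.append(line)
            sections.setdefault(current, [])
    return top, sections

def exec_timeout_minutes(body):
    """Return the line's exec-timeout; IOS uses 10 minutes when it is unset."""
    for parts in (l.split() for l in body):
        if parts[0] == "exec-timeout":
            return int(parts[1]) + (int(parts[2]) if len(parts) > 2 else 0) / 60
    return 10.0

def audit(text):
    """Return one finding string per hardening gap found in the config."""
    findings = []
    top, sections = parse_config(text)
    for cmd in GLOBAL_CHECKS:
        if cmd not in top:
            findings.append(f"global: '{cmd}' not explicitly configured")
    for header, body in sections.items():
        if header.startswith("interface ") and any(l.startswith("ip address ") for l in body):
            findings += [f"{header}: missing '{cmd}'" for cmd in IFACE_CHECKS if cmd not in body]
        elif header.startswith("line vty"):
            if not any(l.startswith("access-class ") and l.endswith(" in") for l in body):
                findings.append(f"{header}: no inbound access-class, login reachable from anywhere")
            if not any(l.startswith("transport input ") for l in body):
                findings.append(f"{header}: transport input not restricted")
            if exec_timeout_minutes(body) > MAX_EXEC_TIMEOUT_MIN:
                findings.append(f"{header}: exec-timeout above {MAX_EXEC_TIMEOUT_MIN} minutes")
    # 'service password-encryption' only obscures; recover each type-7 secret.
    for m in re.finditer(r"\bpassword 7 ([0-9A-Fa-f]+)", text):
        findings.append(f"type-7 password recoverable: {m.group(1)} -> '{decode_type7(m.group(1))}'")
    return findings

# Constructed sample: Serial0 hardened as the thread suggests, Ethernet0 and
# the vty lines not.  The type-7 string is the textbook encoding of "cisco".
SAMPLE_CONFIG = """\
service timestamps log datetime msec
service password-encryption
no ip source-route
no ip bootp server
no cdp run
!
interface Serial0
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip directed-broadcast
!
line vty 0 4
 password 7 094F471A1A0A
 transport input telnet
"""
```

Calling `audit(SAMPLE_CONFIG)` returns nine findings: the three small-server/HTTP globals that are not explicitly present, the three interface commands Ethernet0 lacks, the missing vty access-class and exec-timeout, and the vty password recovered as `cisco`. Against a real box, feed it the output of `show running-config`; treat "not explicitly configured" as something to verify on the device, since a command at its default may simply not be displayed.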