Does this router config look secure enough?

whiteford
Level 1

Hi, I have this config that is used for our Cisco routers at remote sites. They connect to a Cisco Concentrator. We use 877's, 878's and 1841's and use this attached config (apart from some changes to the interfaces). Any tweaks would be most welcome.

Many thanks

I was just wondering if the config looks OK or could be done better. I know nothing is 100% secure, but I just want a second opinion. Any IPs that appear as x.x.156.64 or x.x.156.100 are the external public-facing IPs of our HQ.

10 Replies

Wilson Samuel
Level 7

Hi Whiteford,

A few lines from me:

1. You may want to enable "Service Password Encryption"

2. Enable AES rather than 3DES (I'm not sure whether this router/IOS supports it or not)

3. Are you sure you need IP NBAR? If yes, then I would request you to check with your carrier whether they support QoS over the Internet; otherwise it's just overhead.

4. Finally, an easy way to secure the router would be to run AutoSecure, very much like AutoQoS.

Hope that helps,

Please rate if it's helpful.

Kind Regards,

Wilson Samuel

Thanks, AutoSecure? What is this?

Thanks, is AES better than MD5 then?

Danilo Dy
VIP Alumni

Hi,

You can...

- use "enable secret" instead of "enable password"

- use AES-256/SHA instead of 3DES/MD5

- enable "service password-encryption"

- Disable http-server

- disable http secure-server

- put ACL in VTY

- put ACL in NTP

- put ACL in SNMP

See this link for more...

http://www.nsa.gov/snac/

http://www.cymru.com/Documents/secure-ios-template.html

Regards,

Dandy
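The following is an added example of what the items in the list above look like as IOS configuration; it is not a config from this thread or from Cisco. It assumes (constructed values, not from the thread) that management hosts live in 10.0.0.0/24, that the NTP server is 10.0.0.5, and that the placeholders written in capitals are replaced before use. SSH on the VTY lines additionally needs an RSA key pair, generated in exec mode with `crypto key generate rsa`, which is not shown because it is not a configuration line.

```cisco
! Added example: management-plane hardening following the list above.
! Assumptions (constructed, not from the thread): management hosts are in
! 10.0.0.0/24, the NTP server is 10.0.0.5, and the capitalised values are
! placeholders to be replaced.
!
! Obfuscate plaintext passwords in the config (type 7 is reversible, so this
! hides them from shoulder-surfing, not from anyone who obtains the file)
service password-encryption
!
! Hashed enable secret replaces the weak enable password
enable secret REPLACE-WITH-STRONG-SECRET
no enable password
!
! Local account used by "login local" on the VTY lines (emergency use only
! if AAA is in place; its password is changed after every use)
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! Turn off the HTTP and HTTPS management servers
no ip http server
no ip http secure-server
!
! Standard ACL 20: hosts allowed to manage the router (VTY and SNMP)
access-list 20 remark Management hosts permitted to VTY and SNMP
access-list 20 permit 10.0.0.0 0.0.0.255
access-list 20 deny   any log
!
! Standard ACL 21: the only NTP server this router will synchronise to
access-list 21 remark Permitted NTP servers
access-list 21 permit host 10.0.0.5
access-list 21 deny   any
!
! SSH prerequisites: a domain name (needed for the RSA key) and SSHv2 only
ip domain-name EXAMPLE-DOMAIN
ip ssh version 2
!
! VTY lines: SSH only, restricted by ACL 20, idle sessions closed after 5 min
line vty 0 4
 access-class 20 in
 transport input ssh
 exec-timeout 5 0
 login local
!
! NTP: synchronise only with 10.0.0.5 and accept NTP only from ACL 21
ntp server 10.0.0.5
ntp access-group peer 21
!
! SNMP: read-only community, accepted only from the hosts in ACL 20
snmp-server community REPLACE-WITH-COMMUNITY RO 20
```

After applying it, `show running-config | include enable` should show only an `enable secret 5` line, and a Telnet attempt from outside 10.0.0.0/24 should be refused on the VTY lines while an SSH session from a management host still succeeds.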

Can Cisco 877 use AES-256/SHA instead of 3DES/MD5?

What's the difference between "enable secret" and "enable password"?

Hi,

Cisco 870 series routers support AES for IPsec: http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976_ps380_Products_Data_Sheet.html

I find AES faster than 3DES; I read in some document that some AES implementations are up to 6x faster than 3DES.

The encryption scheme of "enable password" is weak. It should not be used in any implementation.

BTW, to add to your security: if you can use AAA for authentication, that would be best, and only use the local account for emergencies and change its password once it has been used. Some procedures put this emergency account name and password in a security envelope kept in a safe inside the data centre, accessible only to a few personnel with a sign-on/off record.

Regards,

Dandy

I'll try and get the 877's to use AES-256/SHA instead of 3DES/MD5

As these are live VPN routers, what would be the best way to move them over?

Is that AES-256/SHA change just for the encryption? Below is just an example of one of my VPN configs; what would I change?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key jgC12345h%1a address *.*.*.*
!
!
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set T_Set
 match address 101
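As an added example (not from this thread, and not a Cisco-provided config), the fragment above rewritten with AES-256 and SHA in place of 3DES and MD5, staged so that a live tunnel can be migrated: the AES policy and transform set are added as the preferred choice while the old 3DES ones stay as a fallback until the concentrator side is changed, after which the fallback lines are removed. It keeps the thread's own names T_Set, Crypto_Map and ACL 101; the pre-shared key and peer address are placeholders, and T_Set_AES is a name introduced here. It assumes the IOS image on the 877 includes AES support.

```cisco
! Added example: migrate the IKE policy and IPsec transform set to AES-256/SHA.
! Pre-shared key and peer address are placeholders, not values from the thread.
!
! Preferred IKE (ISAKMP) policy: AES-256 with SHA-1 HMAC. Lowest priority
! number is offered first, so AES is chosen whenever the peer supports it.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Fallback policy: the existing 3DES/MD5 settings, kept only until the
! concentrator has been migrated, then deleted with "no crypto isakmp policy 5"
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key REPLACE-WITH-PRESHARED-KEY address PEER-ADDRESS
!
! New transform set for ESP with AES-256 and SHA-1 HMAC; the old set remains
! as a fallback during the cutover
crypto ipsec transform-set T_Set_AES esp-aes 256 esp-sha-hmac
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
!
! Crypto map offers the AES set first; remove T_Set from this line once the
! peer negotiates AES
crypto map Crypto_Map 10 ipsec-isakmp
 set peer PEER-ADDRESS
 set transform-set T_Set_AES T_Set
 match address 101
```

Changing the transform set or IKE policy on a live tunnel tears down the current security associations, so the change is best made in a maintenance window with the concentrator's policy updated to match. After the tunnel re-establishes, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that AES and SHA were negotiated rather than the fallback.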

Joseph W. Doherty
Hall of Fame

You might also let SDM scan one of your router configs and review its security recommendations.

More info on SDM: http://www.cisco.com/en/US/products/sw/secursw/ps5318/tsd_products_support_series_home.html

PS:

You don't have to load SDM on the router to use it from a PC.
