Home > Articles > Certification > Cisco Certification > CCENT

This chapter is from the book

Using Cisco SDM and CLI Tools to Lock Down the Router

Cisco routers come with services enabled on them by default that make them great routers, but not necessarily great security devices. The reasons for these default services are various, but generally speaking, they are there more for historical reasons than anything else and would not likely be the defaults were these devices to be given a rethink in the context of current security knowledge. In this section, we quickly summarize some of these default services, their security risk in the context of the router’s responsibilities as a perimeter defense device, and (more importantly) what to do about it. As we will see, the router has a number of CLI and SDM tools that can first audit and secondly secure these vulnerabilities.

Router Services and Interface Vulnerabilities

The following is a list of general recommendations for router services and interfaces that are vulnerable to network attacks. They can be grouped into seven categories, as follows:

  • Disable unnecessary services and interfaces.
  • Disable commonly configured management services.
  • Ensure path integrity.
  • Disable probes and scans.
  • Ensure terminal access security.
  • Disable gratuitous and proxy ARP.
  • Disable IP directed broadcasts.

Table 4.3 outlines Cisco’s recommendations for disabling vulnerable router services and interfaces.

Table 4.3. Recommendations for Vulnerable Router Services and Interfaces

Disable these unnecessary services and interfaces:

Unused router interfaces

Cisco Discovery Protocol

BOOTP server

Configuration autoloading

FTP server

TFTP server

NTP service

PAD service

TCP and UDP minor services

DEC MOP service

Disable commonly configured management services:

SNMP

HTTP or HTTPs configuration and monitoring

DNS

Ensure path integrity:

ICMP redirects

IP source routing

Disable probes and scans:

Finger

ICMP unreachable notifications

ICMP mask reply

Ensure terminal access security:

IP identifications service

TCP keepalives

Disable gratuitous and proxy ARP:

GARP

Proxy ARP

Disable IP directed-broadcast

A detailed explanation of the vulnerabilities presented by these features will not be attempted. What follows is a quick summary of the services and their respective vulnerabilities as well as security recommendations.

Disable Unnecessary Services and Interfaces

The following are Cisco’s recommendations for disabling unnecessary services and interfaces:

  • Router Interfaces. Disabling unused router interfaces will limit unauthorized access to both the router and the network.

    Recommendation: Disable unused open router interfaces.

  • Bootstrap Protocol (BOOTP). This service is enabled by default. It allows other devices to obtain IP addresses and other configuration information automatically.

    Recommendation: This service is rarely needed and should be disabled.

  • Cisco Discovery Protocol. Enabled by default. This protocol allows the router to discover information about directly connected neighbor Cisco devices.

    Recommendation: This service is not required once a network has been constructed and tested. Disable.

  • Configuration Autoloading. Disabled by default. It allows the autoloading of configuration files from a network server.

    Recommendation: Disable unless needed.

  • FTP Server. Disabled by default. Allows the router to act as an FTP server and serve files from flash memory to FTP clients.

    Recommendation: Disable unless needed.

  • TFTP Server. Disabled by default. Allows the router to act as a TFTP server and serve files from flash memory to TFTP clients.

    Recommendation: Disable unless needed

  • Network Time Protocol (NTP) Service. This protocol was discussed in the last section, as were recommendations for its use.

    Recommendation: Disable unless needed.

  • TCP and UDP Minor Services. These services are disabled by default in Cisco IOS Software Release 11.3 and later. They are small daemons that have a diagnostic purpose but are rarely needed.

    Recommendation: Disable this service explicitly.

  • Maintenance Operation Protocol (MOP) Service. Enabled by default on most Ethernet interfaces. It is a legacy Digital Electronic Corporation (DEC) maintenance protocol.

    Recommendation: Disable this service explicitly when it is not in use.

Disable and Restrict Commonly Configured Management Services

The following are Cisco’s recommendations for disabling and restricting commonly configured management services:

  • Simple Network Management Protocol (SNMP). Enabled by default. This protocol’s vulnerabilities (SNMP versions 1 and 2) were discussed in a previous section in this chapter.

    Recommendation: Disable this service when it is not required.

  • HTTP or HTTPS Configuration and Monitoring. Default operation is device-dependent. Used for monitoring and configuring the device using a web browser and/or Cisco SDM.

    Recommendation: Disable if not in use or restrict access using ACLs.

  • Domain Name System (DNS). Enabled by default. Also by default, the DNS client broadcasts its request to destination IP address 255.255.255.255. This makes it vulnerable to spoofed responses, possibly leading to session-hijacking.

    Recommendation: Disable if not required. If it is required, set the DNS lookup service with the unicast address of specific DNS servers.

Ensure Path Integrity

The following are Cisco’s recommendations for ensuring path integrity. Path integrity ensures that the path that data packets take through the network is not somehow redirected or otherwise compromised by an exploit:

  • Internet Control Message Protocol (ICMP) redirects. Enabled by default. When a router receives an ICMP redirect on an interface, it is required to resend the packet out the same interface that it was received. If this is an Internet-facing interface, an attacker could use the resent information to redirect packets to an untrusted device, a classic session hijacking exploit.

    Recommendation: Disable this service if it is not required.

  • IP source routing. Enabled on interfaces by default. Routing is normally destination-based, but a IP host can indicate which path it would prefer to take through a network by specifying IP source-routing options in the IP packet header. Routers would be forced to honor this path. This can be exploited by an attacker as a carefully crafted attack that would take the attacker’s choice of path through an unprotected network rather than the best path indicated in the routing table.

    Recommendation: Disable this service on all interfaces unless it is required.

Disable Probes and Scans

The following are Cisco’s recommendations for disabling probes and scans of the network and the router itself:

  • Finger Service. Enabled by default. Finger service allows a reconnaissance of the router to determine a list of users currently using a particular device, among other information.

    Recommendation: Disable this service if it is not required.

  • ICMP Unreachable Notifications. Enabled by default. This service notifies users of unreachable IP hosts and networks. It can be used during a reconnaissance attack to map out a network’s topology because if the attacker doesn’t receive an ICMP unreachable notification in reply to an ICMP request, they can infer that the network is reachable.

    Recommendation: An attacker can infer all they want! Turn off ICMP unreachable notifications on all interfaces facing untrusted networks unless they are required.

  • ICMP Mask Reply. Disabled by default. Same general vulnerabilities as ICMP unreachables.

    Recommendation: Turn off ICMP mask replies on all interfaces facing untrusted networks unless they are required.

Ensure Terminal Access Security

The following are Cisco’s recommendations for ensuring terminal access security. These recommendations will mitigate the possibility that an attacker can identify the device and launch certain DoS attacks against the device itself:

  • IP Identification (IDENT) Service. Enabled by default. Useful in reconnaissance attacks. When TCP port 113 is probed, the identity of the device is obtained.

    Recommendation: Disable explicitly.

  • TCP Keepalives. Disabled by default. This service is a reaper service that polls TCP sessions to see if they are still active. If a response isn’t received, the connection is closed, thereby freeing up resources on the router and preventing certain DoS attacks.

    Recommendation: Should be enabled globally.

Disable Gratuitous and Proxy Address Resolution Protocol (ARP)

The following are Cisco’s recommendations for disabling gratuitous and proxy address resolution protocol (ARP) messages.

  • Gratuitous ARP (GARP). Enabled by default. It is commonly used in ARP poisoning attacks. It is gratuitous in that they are ARP replies that don’t match ARP requests. The intent is to fool IP hosts to cache these replies in their ARP tables so that the host will send packets to the attacker versus the legitimate hosts whose IP addresses and MAC addresses the attacker has spoofed.

    Recommendation: Should be disabled on each interface unless it is needed.

  • Proxy ARP. Enabled by default. This service allows the router to reply to an ARP request by proxy with its own MAC address where an IP address resolves to a remote segment.

    Recommendation: Should be disabled unless the router is acting as a layer 2 LAN bridge.

Disable IP Directed-broadcasts

This service is disabled by default in Cisco IOS Release 12.0 and later. IP directed-broadcasts are used in smurf and other related DoS attacks.

Recommendation: This service should be disabled if not required.

Performing a Security Audit

Now that we have identified the specific vulnerabilities that may be present on the router, we will perform a security audit of the router using the Cisco SDM, as well as some CLI tools.

The Cisco SDM Security Audit, shown in Figure 4.9, is based on the Cisco IOS AutoSecure feature (also accessible by the CLI, as we will see later), which is an automated, interactive script that checks for vulnerabilities and recommends how they might be remediated. As we will see, the Cisco SDM Security Audit has almost all the feature of the Cisco AutoSecure functions.

Figure 4.9

Figure 4.9 The Cisco SDM Security Audit homepage.

The Security Audit Wizard can be reached by choosing Configure->Security Audit from the Cisco SDM homepage. There are two modes of operation, as indicated in Figure 4.9:

  • Security Audit Wizard. Once vulnerabilities are discovered, the wizard gives you a choice as to which vulnerabilities you want to secure. Press the Perform security audit button if you want this.
  • One-Step Lockdown. This configures the router with a set of defined security features with recommended settings in one step and without further user interaction. Press the One-step lockdown button if you want this.

Let’s examine the Cisco SDM Security Audit Wizard first.

Cisco SDM Security Audit Wizard

In the last section, we identified the specific vulnerabilities that may be present on the router. Now we will use the Cisco SDM Security Audit Wizard to determine whether they are present and give us the option to remedy them.

To perform a security audit, follow these steps from the Cisco SDM homepage:

  1. Choose Configure->Security Audit.
  2. Click the Perform Security Audit button. The Welcome Page of the Security Audit Wizard appears.
  3. Click Next to bring up the Security Audit Interface Configuration page as shown in Figure 4.10.
    Figure 4.10

    Figure 4.10 Security Audit Interface Configuration.

  4. Before the audit proceeds, the Security Audit Wizard needs to know which interfaces connect to the outside and which interfaces connect to the inside. Beside each interface listed, check the Inside or Outside check box. (This makes sense because some of the vulnerabilities listed previously depend on whether the interface is connected to a hostile network or not.)
  5. Click Next.

    The Security Audit report window appears, which runs an audit, finishing with an itemized report detailing the number, item name, and status of the potential vulnerabilities, as shown in Figure 4.11. A check mark will appear if the item has passed. An X will appear if the item has not passed.

    Figure 4.11

    Figure 4.11 Security Audit report window.

  6. If you want to save the report to a file, click Save Report.
  7. To continue with fixing the identified security issues, click Close.
  8. The Security Audit Wizard window appears, as shown in Figure 4.12. If you want to fix the security problems identified, you can either check the Fix it check box in the Action column beside each identified security problem you want to fix, or you can click the Fix All button, which checks all the boxes for you.
    Figure 4.12

    Figure 4.12 Security Audit Wizard window.

    If you want to undo security problems that have been identified as “Passed” in the Security Audit report window (refer to Step 5), you can choose Undo Security configurations in the Select an option drop-down list at the top of the Security Audit window. The resulting Security Audit Wizard window will allow you to check off Undo in the Action column beside each enabled security configuration you want to undo.
  9. Click Next.
  10. Depending on which security vulnerabilities you have chosen to fix, you might be asked to enter more information on the subsequent screens. Enter the required information and click Next as indicated until you arrive at the Summary screen.
  11. Click Finish to deliver the changes to the router.

Cisco SDM One-Step Lockdown

The Cisco one-step lockdown feature can be executed using either the Cisco SDM or the CLI command, auto secure. Complete the following steps to perform a one-step lockdown using the Cisco SDM, starting at the SDM homepage:

  1. Choose Configure->Security Audit->One-step lockdown.
  2. An SDM Warning dialog appears, as shown in Figure 4.13. Click Yes if you are sure you want to lock down the router. A one-step lockdown window appears with a check mark beside all the items that will be fixed.
    Figure 4.13

    Figure 4.13 Cisco SDM one-step lockdown.

  3. Click Deliver to deliver the configuration changes to the router.
  4. Click OK to exit back to the Security Audit window.

Using the Cisco AutoSecure Feature to Lock Down a Router

Cisco AutoSecure is a feature that is initiated from the CLI and executes a script, which first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router. The syntax of the command is as follows:

auto secure [no-interact]

It can be executed in either of two modes:

  • Interactive Mode. Prompts the user with recommendations for enabling and disabling specific services. This is the default mode. Use the auto-secure command with no options.
  • Non-Interactive Mode. Automatically executes the Cisco AutoSecure command with Cisco’s recommended default settings. Use the auto secure no-interact form of the command.

Here is what the opening dialog looks like. This example is using the interactive mode:

ciscoISR#auto secure
        — -  AutoSecure Configuration  — -

***AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:yes
[output omitted]
Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp&tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configure NTP Authentication? [yes]:no
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 120

At the end of the AutoSecure interactive dialog, the recommended running-config with the changes to be applied is displayed. You are then asked:

Apply this configuration to running-config? [yes]:yes

Caveats: Cisco AutoSecure Versus Cisco SDM Security Audit

There are some notable limitations and differences between Cisco AutoSecure and the Cisco SDM Security Audit:

  • Cisco SDM does not implement the following Cisco AutoSecure features:
    • Disabling NTP
    • Configuring AAA
    • Setting SPD values
    • Enabling TCP intercepts
    • Configuring anti-spoofing ACLs on outside-facing interfaces
  • Cisco SDM implements some Cisco AutoSecure features differently:
    • SNMP is disabled but will not configure SNMPv3 (varies with router).
    • SSH is enabled and configured with Cisco IOS images that support this feature.
    • Curiously, Secure Copy Protocol (SCP) is not enabled and unsecure FTP is.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020