Baseline Audit for Cisco Routers
6 May 2012, Version 6.0

Table of Contents
Introduction
Router Security Overview
  Passwords
  Traffic Filtering
  Authentication
  Management
  Hardware
  Physical
  Internetwork Operating System (IOS)
  Harden the Router
GNS3 Network Basics
Management Plane Commands
Filtering
  Ingress & Egress Filters
  Ingress Access List
  Egress Access List
  ICMP
Authentication
  Local
  AAA
Routing
  EIGRP Authentication
  OSPF Authentication
Management Access
  Configure Secure Shell (SSH)
  Changing Secure Shell (SSH) Defaults
  Allowing Access to Secure Shell (SSH)
  Configure Secure HTTP (HTTPS)
  Restrict Access to HTTPS
  Banners
  Logging
  Configuration File Management
  Exclusive Configuration Access
  Software Resilience
  SNMP
  Time
  Network Time Protocol (NTP)
  Interfaces
Introduction:
Not all options discussed in this document or the accompanying slide presentation are available
under all versions of the Cisco Internetwork Operating System (IOS). Before attempting to
determine the security posture of a Cisco device, research should be conducted on the
capabilities of the IOS installed using the Cisco Feature Navigator or similar Cisco-provided tool.
There are as many ways to secure networking devices as there are different devices. It is
technically and tactically impossible to spell out exactly what needs to be done to determine
whether or not a generic device is securely configured. What follows is a compilation of
recommendations from over a dozen sources. Generally, the commands illustrated here should
suffice to secure any network device in isolation. Once the device is incorporated into a viable
network, modifications will probably be necessary.
Cisco equipment, like most networking equipment, functions at three distinct operational
planes: management, control, and data. Each plane has different security requirements and is
configured using a unique set of security commands. This document attempts to group the
various commands into categories under each of the three planes of operation. Each plane
affects the other two. Should either the control plane or management plane be compromised,
the other, in addition to the data plane, will be adversely affected. It is therefore vitally
important that each plane be vigorously safeguarded against attack.
The Management Plane is a collection of protocols and functionality specifically concerned with
the management of the network. It includes protocols such as SSH, which is used for interactive
management; SNMP, which allows for remote management and statistics gathering; Syslog,
which provides a method for handling messages generated by the device; and higher level
protocols and applications like NetFlow. Other management plane protocols include Telnet, File
Transfer Protocol (FTP), Trivial File Transfer Protocol (TFTP), Secure Copy Protocol (SCP),
Terminal Access Controller Access-Control System Plus (TACACS+), Remote Authentication
Dial-In User Service (RADIUS), and Network Time Protocol (NTP). Also found on the management
plane is Authentication, Authorization, and Accounting (AAA). The AAA configuration is an
essential method of authenticating access to the hardware.
The control plane is a collection of protocols and functionality concerned with moving data
traffic from one device to another in the network. This includes routing protocols like Open
Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Border
Gateway Protocol (BGP). Also included in the group are Internet Control Message Protocol
(ICMP), Internet Group Management Protocol (IGMP), Proxy ARP, and Cisco Discovery Protocol
(CDP), among others. Access Control Lists (acl) used to filter traffic and select (or match) traffic
flows are also implemented on the control plane.
The data plane’s job is to move data from source to destination. From a security perspective, it
is the least important of the three planes. If the control and management planes are secure,
there is little left to do to secure the data plane. Most problems on the data plane originate
from information contained within IP packets: IP Options can alter data paths and force high
CPU usage, causing denials of service; IP source routing can also alter data paths; ICMP redirects
can be used by hackers to increase CPU usage; IP directed broadcast capabilities have been used
as denial of service amplifiers or reflectors. The biggest problem with IP traffic at the data plane
is actually mitigated at the control plane: access control lists must be used to prevent some
ICMP message types. These same access lists must address fragmentation of IP packets.
Router Security Overview
Passwords
• The first line of defense on a router, or any other networking device, is to require passwords
for simple authentication.
• There are several rules which should be followed:
  • Encrypt passwords using MD5 wherever possible.
  • Where MD5 isn’t possible, hide the passwords from casual viewing.
  • Configure lockouts to preclude password guessing.
  • Enforce a minimum password length standard.
• Related to password enforcement is ensuring that no one else can use a password
inappropriately left active. To enforce this, don’t leave connections up when idle.
Traffic Filtering
• The best place to filter unwanted traffic (keep it from entering or exiting the LAN) is at the
entry interfaces. When filtered, the packet has been dropped.
• Selectively filter icmp packets.
• Use ingress and egress filtering.
Authentication
• Use local usernames.
• Implement AAA.
• Set authentication for eigrp and ospf.
Management
• set keepalives for management access sessions
• restrict management access to authorized users
• set exec timeouts
• use ssh & https for management access
• banners (login, motd, exec, incoming)
• if used, snmp v3 only
• configure centralized logging
• config change notifications
• set logging level
• set logging source interface
• set logging time-stamp
• use AAA for accounting
• replace and rollback for configuration files
• exclusive configuration access
• software resilience
Hardware
• Set memory threshold levels.
• Set cpu threshold levels.
Physical
• The router should be secured in a locked room or protected area.
• Access to the console port should be prevented.
• An uninterruptible power supply (UPS) should be employed to protect the configuration of
the router in the event of a power outage.
Internetwork Operating System (IOS)
• The most stable version of the IOS should be used. A visit to the Cisco.com web site should
provide the version of the most recent IOS for the router platform type.
• Store a copy of the configuration file in an off-device location as well as in persistent
memory on the device itself.
• Move the IOS to persistent memory so that it can be easily reinstalled.
Harden the Router
• “Harden” is a term used to describe a process by which the router is configured so as to
make unauthorized access to it as difficult as possible.
• Secure all methods of connection.
• Disable unused services, interfaces, and ports. Disabled = inaccessible.
• Authenticate access – allow only authorized users to have access to the device and/or
services on the device.
• Authorize actions – restrict authenticated users from accessing everything. Allow
authenticated users to have access to only what is required.
• Account for the actions – generate, capture, and store log and audit messages depicting
every action taken by an authenticated user. Tag every message with identifying
information about the user including who, what, when.
• Display banners – Legal notifications and warnings.
• Encrypt everything that can be encrypted.
• Hide everything else.
GNS3 Network Basics
Figure 1
• Figure 1 illustrates the network configured in the Graphical Network Simulator (GNS3)
software application on your notebook. This network is not intended to be representative
of any specific configuration you may encounter.
Figure 2
• The section of the network in Figure 2 is the router on which the search commands will be
executed. The symbol is for a generic router. The label “7200” was added by the designer.
The router being emulated is a Cisco 7200 series with three configured interfaces. The
interface on the left is connected to network 10.1.40.0 and has the ip address 10.1.40.2
assigned to it. The line to which this interface is connected has been assigned the ip address
10.2.40.1.
• You can determine all this from the information displayed on the diagram. The “/24” at the
end of each network ip address indicates that the network is using a 24-bit mask. The small
green ball indicates that the interface to which the line is attached is turned on – the line is
connected.
• This presentation is concerned in its entirety with securing the edge router, defined as the
last router (or routing device) through which your traffic will pass on its way out of your
LAN. It is also the first device encountered by inbound traffic.
• For this presentation, the router standing in as the border router is the 7200. The Pix
firewall and the two 2621 routers connected to it are standing in for the Internet Service
Provider (ISP). The configuration of the Pix is important only in so much as it interacts with
the 7200. The Pix is configured with EIGRP (Enhanced Interior Gateway Routing Protocol), as
is the interface on the 7200 to which it is connected.
• The other interfaces on the 7200 are configured with OSPF (Open Shortest Path First). Both
EIGRP and OSPF are interior routing protocols; but, they are both much easier to configure
and much easier on resources than is BGP, the most widely-used exterior protocol.
• Checking the security posture of a Cisco router is largely an examination of the contents of
the configuration of the router. The majority of the commands you will be examining are
concerned with securing the Management Plane. A large part of the configuration of your
LAN edge router will be based on information supplied by the service provider to which you
are connecting.
Management Plane Commands
This section contains a listing of security support commands which are applied to the
management plane of the Cisco router. Each command includes a short explanation of what the
command (both active and negated versions) does and an example command you can execute
from the command line to see whether or not the command is configured on the device.
From inside GNS3, bring up a console window on the 7200 router and try out each of the
commands under the “Finding it in the configuration” section.
Command:
no ip source-route
• Disables ip source routing.
• IP source routing allows the originator of a packet to dictate which routers the packet
should traverse along its way.
• It is a very dangerous capability and is routinely disabled using this command.
Finding it in the configuration:
RTR7200# show running-config | include ip source-route
RTR7200# no ip source-route
Command:
ip cef
• Enables Cisco Express Forwarding.
• Required in order to enable Unicast Reverse-Path Forwarding.
• CEF creates a Forwarding Information Base (FIB) table containing the next hop
addresses. It also creates adjacencies with the source of the packet. When a packet is
received, CEF can determine if a next hop address exists based on whether or not a
relationship has already been established between the layer 3 (IP) data and the layer 2
(MAC) data. This saves the time required to perform Address Resolution Protocol (ARP)
searches on packets from known sources.
• Its main function is to speed up the switching process in the router.
Finding it in the configuration:
RTR7200# show running-config | include cef
RTR7200# ip cef
Command:
no service tcp-small-servers
no service udp-small-servers
• As of version 12.0 of the Cisco IOS, the services included under these commands are
disabled by default. The commands will not appear in the configuration file.
• For earlier versions of the IOS, it is absolutely necessary to disable these and other
unused services because they can be used to launch DoS attacks.
Finding it in the configuration:
RTR7200# show running-config | include small-servers
(Prior to 12.0)
RTR7200# no service tcp-small-servers
RTR7200# no service udp-small-servers
Command:
no ip domain lookup
• Disables Domain Name System (DNS) name-to-address translations.
• This service is sometimes needed, but not very often.
Finding it in the configuration:
RTR7200# show running-config | include ip domain lookup
RTR7200# no ip domain lookup
Command:
no ip finger
• Disables the Finger service.
• Finger is a very old service which provides information about users currently logged in to
a network or on to a device. In the ancient days of networking, it was the only way to
find out if a fellow user was available.
Finding it in the configuration:
RTR7200# show running-config | include finger
RTR7200# no ip finger
Command:
no ip bootp server
• Disables the Bootstrap Protocol (bootp) service.
• BOOTP is typically used with diskless workstations and other devices which don’t
contain their own operating system, which would allow them to use the Dynamic Host
Configuration Protocol (DHCP).
• There are not a lot of devices like this anymore.
Finding it in the configuration:
RTR7200# show running-config | include bootp server
RTR7200# no ip bootp server
Command:
ip dhcp bootp ignore
• At some point in the development of the Dynamic Host Configuration Protocol (DHCP), it
was decided to include the capability of providing BOOTP capabilities for those few
devices which still required it.
• If bootp is not required, this command leaves DHCP operational while configuring it to
ignore any BOOTP requests.
Finding it in the configuration:
RTR7200# show running-config | include bootp ignore
RTR7200# ip dhcp bootp ignore
Command:
no service dhcp
• If DHCP relay services are not required, it is safe to disable the service.
Finding it in the configuration:
RTR7200# show running-config | include service dhcp
RTR7200# no service dhcp
Command:
no mop enabled
• Disables the Maintenance Operation Protocol (MOP) service.
• MOP is a 30+ year old protocol developed by Digital Equipment Corporation which is no
longer in business.
• From the original specifications: “MOP allows control of unattended remote systems
that are part of a DECnet network.”
• If there’s no DECnet network, there’s no need for MOP.
Finding it in the configuration:
RTR7200# show running-config | include mop enabled
RTR7200# no mop enabled
Command:
no service pad
• Disables the Packet Assembler/Disassembler (PAD) service.
• PAD is used to actively assemble X.25 packets out of serial data streams from network
devices and disassembles like packets into a data stream which is suitable for sending to
data terminals.
• If you’re not using an X.25 network, you don’t need it.
Finding it in the configuration:
RTR7200# show running-config | include service pad
RTR7200# no service pad
Command:
no ip http server
no ip http secure-server
• Disables the HyperText Transfer Protocol (HTTP) service and the HTTP over Secure
Socket Layer (SSL) service (HTTPS).
Finding it in the configuration:
RTR7200# show running-config | include ip http
RTR7200# no ip http server
RTR7200# no ip http secure-server
Command:
no service config
• Disables a Cisco IOS device search for a network server to load the configuration file.
• Prevents the device from trying to find the config file using TFTP.
Finding it in the configuration:
RTR7200# show running-config | include service config
RTR7200# no service config
Command:
no cdp run
no cdp enable
• Disables Cisco Discovery Protocol.
• Within a LAN, cdp is a relatively safe protocol. On interfaces touching untrusted
networks, cdp should not be used because it advertises information about individual
devices which would be helpful to a hacker.
• no cdp run is the global command which disables cdp for all interfaces.
• no cdp enable is used on individual interfaces.
Finding it in the configuration:
RTR7200# show running-config | include cdp
RTR7200# no cdp ( run | enable )
Command:
no lldp transmit
no lldp receive
no lldp run
• Disables Link Layer Discovery Protocol.
• Similar to CDP, but used between devices that do not support CDP.
• Use the no lldp transmit and no lldp receive commands in interface configuration mode
for individual interfaces; or, no lldp run in global configuration mode to disable it on all
interfaces.
Finding it in the configuration:
RTR7200# show running-config | include lldp
RTR7200# no lldp run
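Running one show running-config | include per command is fine on a single router, but the same checks can be applied to a saved copy of the running-config. The script below is an added example (it is not part of this document and not a Cisco tool): it takes a constructed running-config, looks for the hardened form of each command covered so far, and reports a command as NOT SHOWN when neither its hardened nor its exposed form appears, which, as noted above for the small servers on IOS 12.0 and later, means the state has to be confirmed against the IOS version rather than assumed. Interface sub-commands (no cdp enable, no mop enabled) are checked per interface block.

```python
"""Audit a saved Cisco IOS running-config for the service-disabling commands
covered in this section.  Added example, not part of the original document:
SAMPLE_CONFIG is constructed (not captured from a device) and the check table
is built from the commands listed in the text.
"""

# name -> (line expected when hardened, line showing the feature is still on).
# Neither line present means "NOT SHOWN": as the text notes for the small
# servers on IOS 12.0 and later, a default-off service or an unsupported
# command leaves no trace, so that state needs a per-IOS-version check.
GLOBAL_CHECKS = {
    "ip source routing":  ("no ip source-route", "ip source-route"),
    "express forwarding": ("ip cef", "no ip cef"),
    "tcp small servers":  ("no service tcp-small-servers", "service tcp-small-servers"),
    "udp small servers":  ("no service udp-small-servers", "service udp-small-servers"),
    "dns lookup":         ("no ip domain lookup", "ip domain lookup"),
    "finger":             ("no ip finger", "ip finger"),
    "bootp server":       ("no ip bootp server", "ip bootp server"),
    "dhcp bootp ignore":  ("ip dhcp bootp ignore", "no ip dhcp bootp ignore"),
    "dhcp service":       ("no service dhcp", "service dhcp"),
    "pad":                ("no service pad", "service pad"),
    "http server":        ("no ip http server", "ip http server"),
    "https server":       ("no ip http secure-server", "ip http secure-server"),
    "service config":     ("no service config", "service config"),
    "cdp (global)":       ("no cdp run", "cdp run"),
    "lldp (global)":      ("no lldp run", "lldp run"),
}

# Sub-commands expected under every interface block.
INTERFACE_CHECKS = ("no cdp enable", "no mop enabled")

# Constructed sample; the insecure lines are deliberate so the audit has
# something to report.
SAMPLE_CONFIG = """\
version 12.4
no service pad
service config
hostname RTR7200
ip cef
no ip domain lookup
no ip bootp server
ip http server
no ip http secure-server
cdp run
interface FastEthernet0/0
 no cdp enable
!
interface FastEthernet0/1
 no mop enabled
 no cdp enable
!
line vty 0 4
 login local
!
"""


def interface_blocks(config):
    """Map each 'interface X' name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def audit_global(config):
    """Return {check name: 'PASS' | 'FAIL' | 'NOT SHOWN'} for the global commands."""
    lines = {line.strip() for line in config.splitlines()}
    results = {}
    for name, (hardened, exposed) in GLOBAL_CHECKS.items():
        if hardened in lines:
            results[name] = "PASS"
        elif exposed in lines:
            results[name] = "FAIL"
        else:
            results[name] = "NOT SHOWN"
    return results


def audit_interfaces(config):
    """Return {interface: [missing hardening sub-commands]}."""
    return {name: [cmd for cmd in INTERFACE_CHECKS if cmd not in subs]
            for name, subs in interface_blocks(config).items()}


if __name__ == "__main__":
    for name, state in audit_global(SAMPLE_CONFIG).items():
        print(f"{state:9} {name}")
    for iface, missing in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: missing {missing or 'nothing'}")
```

The exact-line comparison is deliberate: it mirrors what show running-config | include would show, so a PASS means the hardened line is literally present. Run it against a real saved config by replacing SAMPLE_CONFIG with the file contents.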
Command:
enable secret <password>
• The enable password is used to enter privileged exec mode in which the entire router
can be reconfigured.
• It is essential that only the secret version of this command be used.
Finding it in the configuration:
RTR7200# show running-config | include enable
RTR7200# enable secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK.
• Of primary importance are that the password is set (enable secret), and
• that it is protected with the MD5 hashing algorithm (5).
Command:
service password-encryption
• Causes all passwords which are not already encrypted with MD5 to be encrypted using
Cisco proprietary encryption algorithm type 7.
• Type 7 encryption is a basic substitution method of encryption which does not provide
any security for the password beyond making it difficult to read.
Finding it in the configuration:
RTR7200# show running-config | include service password
RTR7200# service password-encryption
Command:
security passwords min-length <#>
• Sets a minimum length for any future passwords.
• Passwords which are already set are not affected by this command.
• What the value of <#> is should be a matter of local policy.
• Cisco recommends a minimum length of 10.
Finding it in the configuration:
RTR7200# show running-config | include security password
RTR7200# security passwords min-length 10
Command:
[no] service password-recovery
• This command is not available in all versions of the IOS.
• The no version disables the password recovery feature of the router and should only be
used IAW local policy.
Finding it in the configuration:
RTR7200# show running-config | include service password
RTR7200# service password-recovery
• Executing the ‘no’ version removes the command from the config file.
• There will be no output if the ‘no’ version has been executed.
• There will also be no output if the IOS version does not support the command.
Command:
username <name> [privilege <level>] secret <password>
• Creates an entry in the local database.
• Preceding the password with the keyword “secret” causes the plaintext password to be
hashed using the MD5 hashing algorithm.
• Preceding the password with the keyword “password” causes the password to be left in
plaintext unless the service password-encryption command has been executed. This
form of the command is not authorized.
• There should be one username configured with a privilege level of 1 (one) for normal
connection to the router. Once connected, this user can execute the “enable” command
to move to a higher privilege level.
• In configurations such as login local or ip http authentication local, the keyword
local tells the router to require the entry of both the username and the password for
that username in order to gain access.
Finding it in the configuration:
RTR7200# show running-config | include username
RTR7200# username NOACCESS privilege 1 secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK
RTR7200# username ADMIN privilege 15 secret 67UI#kouekla;*#Kkboup@bN&7arP
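The credential rules from the enable secret, service password-encryption, min-length, password-recovery and username sections can be checked together. The script below is an added example, not part of this document: it scans a constructed running-config (the hash strings in it are placeholders, not real hashes) and reports an enable password line, any username stored with the password keyword (type 7 or clear text), a missing service password-encryption, and a min-length below the recommended 10. Type 5 is the MD5 hash this document asks for; types 8 and 9 are accepted as well because newer IOS releases offer them as stronger alternatives.

```python
"""Check the credential lines of a Cisco IOS running-config against the rules
in this section: 'enable secret' must be set as a hash and 'enable password'
must not appear, usernames must use 'secret' rather than 'password',
'service password-encryption' should be on, and the minimum password length
should meet the recommended 10.

Added example, not part of the original document.  SAMPLE_CONFIG is
constructed and its hash strings are placeholders, not real hashes.
"""
import re

# 'secret' hash types accepted: 5 is MD5 (what the text requires); 8
# (PBKDF2-SHA256) and 9 (scrypt) are the stronger types offered by newer IOS.
STRONG_TYPES = {"5", "8", "9"}
MIN_LENGTH_POLICY = 10  # the Cisco recommendation quoted in the text

SAMPLE_CONFIG = """\
enable secret 5 $1$PLCH$placeholderhash0000000000000
enable password 7 094F471A1A0A
security passwords min-length 8
username NOACCESS privilege 1 secret 5 $1$PLCH$placeholderhash1111111111111
username HELPDESK password 7 05080F1C2243
username OLDADMIN privilege 15 password ChangeMe123
line vty 0 4
 login local
"""

USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (secret|password) (?:(\d+) )?\S+$")


def audit_credentials(config):
    """Return a list of (severity, message); an empty list means no findings."""
    findings = []
    lines = [line.strip() for line in config.splitlines() if line.strip()]

    secrets = [m for m in (re.match(r"^enable secret (\d+) \S+$", l) for l in lines) if m]
    if not secrets:
        findings.append(("FAIL", "enable secret is not configured"))
    elif secrets[0].group(1) not in STRONG_TYPES:
        findings.append(("FAIL", f"enable secret uses type {secrets[0].group(1)}, not a hash"))
    if any(l.startswith("enable password ") for l in lines):
        findings.append(("FAIL", "enable password present; only the secret form may be used"))

    if "service password-encryption" not in lines:
        findings.append(("WARN", "service password-encryption is off; type-0 passwords stay readable"))

    lengths = [int(m.group(1)) for m in
               (re.match(r"^security passwords min-length (\d+)$", l) for l in lines) if m]
    if not lengths:
        findings.append(("WARN", "security passwords min-length is not set"))
    elif lengths[0] < MIN_LENGTH_POLICY:
        findings.append(("WARN", f"min-length {lengths[0]} is below the recommended {MIN_LENGTH_POLICY}"))

    for line in lines:
        m = USER_RE.match(line)
        if not m:
            continue
        user, keyword, ptype = m.groups()
        if keyword == "password":
            # 'password 7 ...' is the reversible type-7 encoding; anything else is clear text.
            stored = "type 7 (reversible)" if ptype == "7" else "clear text"
            findings.append(("FAIL", f"username {user} uses 'password' ({stored}); use 'secret'"))
        elif ptype not in STRONG_TYPES:
            findings.append(("FAIL", f"username {user} secret type {ptype} is not a hash"))

    if "no service password-recovery" in lines:
        findings.append(("INFO", "password recovery is disabled; confirm this matches local policy"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_credentials(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

A config that follows every rule in this section returns an empty list; the sample above returns three FAIL and two WARN findings.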
Command:
login block-for <block_time> attempts <#> within <time_period>
• Mitigates the possibility of a brute force attack by blocking all login attempts for a
specific period of time if too many attempts have been made during a short time period.
• Note that this command blocks ALL login attempts.
• The command is interpreted “if <#> attempts to login have occurred within
<time_period> in seconds, prevent all further login attempts for <block_time> in
seconds”.
• For example: login block-for 180 attempts 4 within 60
Finding it in the configuration:
RTR7200# show running-config | include login block-for
RTR7200# login block-for 30 attempts 3 within 30
Command:
login quiet-mode access-class <acl# or aclNAME>
• This command sets the access list <acl# or aclNAME> as a list of ip addresses that can
still login even though every other ip address is blocked out.
Finding it in the configuration:
RTR7200# show running-config | include login quiet-mode
RTR7200# login quiet-mode access-class ALLOW_ACCESS
RTR7200# show access-list ALLOW_ACCESS
Standard IP access list ALLOW_ACCESS
    10 permit 10.4.1.14
Command:
login delay <#>
• Force a delay of <#> seconds between each login attempt.
Finding it in the configuration:
RTR7200# show running-config | include login delay
RTR7200# login delay 3
Command:
login on-failure log [every <#>]
• This command causes a log entry to be generated every time a login fails.
• It might seem that setting this to 1 would be a good idea; however, a number between 5
and 10 is more appropriate. If login attempts are being blocked (failing), then security is
being enforced.
• Login failures are counted on a per-ip address basis.
Finding it in the configuration:
RTR7200# show running-config | include login on-failure
RTR7200# login on-failure log every 5
Command:
login on-success log [every <#>]
• Unlike login failures, this one should be set to 1.
• Since 1 is the default, it is not necessary to include it in the command. Enter only login
on-success log to configure the default of 1.
Finding it in the configuration:
RTR7200# show running-config | include login on-success
RTR7200# login on-success log
Command:
security authentication failure rate <#>
• Sets a global threshold rate for login failures.
• If the threshold is breached, a syslog message is posted and a 15-second delay is
enforced.
• This global setting can be overruled by the login block-for command.
Finding it in the configuration:
RTR7200# show running-config | include security authentication
RTR7200# security authentication failure rate 8
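The login block-for, quiet-mode access-class and login delay commands above combine into one behaviour: a watch window of failures that, once it fills, refuses every login except from the quiet-mode list. The script below is an added example, not part of this document: it parses those commands from a constructed config, replays a constructed sequence of failed-login timestamps to show when quiet mode starts and ends, and then decides whether a given source address is accepted at a given time. The counting rule follows the command description given above (<#> failures inside the window trigger the block; attempts refused during quiet mode are not counted), which is a simplification of the IOS implementation, not its source.

```python
"""Model the login-attack countermeasures described above: 'login block-for'
puts the router into quiet mode for <block_time> seconds once <#> failed
logins occur within <time_period> seconds, and only addresses permitted by
the 'login quiet-mode access-class' list may still log in while it lasts.

Added example, not part of the original document.  The config and the
failure timestamps are constructed, and the counting rule follows the
command description in the text, a simplification of the IOS behaviour.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
login block-for 30 attempts 3 within 30
login quiet-mode access-class ALLOW_ACCESS
login delay 3
login on-failure log every 5
login on-success log
ip access-list standard ALLOW_ACCESS
 10 permit 10.4.1.14
"""

PATTERNS = {
    "block_for": r"^login block-for (\d+) attempts \d+ within \d+$",
    "attempts":  r"^login block-for \d+ attempts (\d+) within \d+$",
    "within":    r"^login block-for \d+ attempts \d+ within (\d+)$",
    "delay":     r"^login delay (\d+)$",
    "quiet_acl": r"^login quiet-mode access-class (\S+)$",
}


def parse_login_policy(config):
    """Pull the login commands out of the config into a dict."""
    policy = {}
    for raw in config.splitlines():
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, raw.strip())
            if m:
                policy[key] = m.group(1) if key == "quiet_acl" else int(m.group(1))
    return policy


def quiet_mode_allowed_hosts(config, acl_name):
    """Hosts permitted by a named standard ACL (host entries only)."""
    hosts, inside = set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list standard "):
            inside = line.split()[-1] == acl_name
        elif not raw.startswith(" "):
            inside = False  # any other top-level line ends the ACL block
        elif inside:
            m = re.match(r"^(?:\d+ )?permit (?:host )?(\d+\.\d+\.\d+\.\d+)$", line)
            if m:
                hosts.add(ipaddress.ip_address(m.group(1)))
    return hosts


def quiet_mode_intervals(failure_times, policy):
    """Replay failed-login timestamps (seconds) and return the (start, end)
    quiet-mode periods they trigger."""
    window, intervals, quiet_until = [], [], None
    for t in sorted(failure_times):
        if quiet_until is not None and t < quiet_until:
            continue  # refused during quiet mode, not counted toward the window
        window = [f for f in window if t - f <= policy["within"]] + [t]
        if len(window) >= policy["attempts"]:
            quiet_until = t + policy["block_for"]
            intervals.append((t, quiet_until))
            window = []  # the watch window starts over after the block
    return intervals


def login_permitted(src_ip, t, intervals, allowed_hosts):
    """Is a login attempt from src_ip at time t accepted for authentication?"""
    in_quiet = any(start <= t < end for start, end in intervals)
    return (not in_quiet) or ipaddress.ip_address(src_ip) in allowed_hosts


if __name__ == "__main__":
    policy = parse_login_policy(SAMPLE_CONFIG)
    allowed = quiet_mode_allowed_hosts(SAMPLE_CONFIG, policy["quiet_acl"])
    periods = quiet_mode_intervals([0, 5, 10, 20, 50, 60, 70], policy)
    print(policy, periods)
    for src, t in (("192.0.2.5", 15), ("10.4.1.14", 15), ("192.0.2.5", 45)):
        print(src, t, "accepted" if login_permitted(src, t, periods, allowed) else "refused")
```

With the sample policy, failures at 0, 5 and 10 seconds fill the window and start a 30-second quiet period; the failure at 20 seconds is refused and not counted, and the next three failures (50, 60, 70) trigger a second period. During a period only 10.4.1.14 is accepted.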
Command:
show login
Display all the login commands in the configuration:
A login delay of 3 seconds is applied.
Quiet-Mode access list ALLOW_ACCESS is applied.
All successful login is logged.
Every 5 failed login is logged.
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 30 minutes or less,
logins will be disabled for 30 seconds.
Router presently in Normal-Mode.
Current Watch Window
Time remaining: 22 seconds.
Login failures for current window: 0.
Total login failures: 0.
Filtering
Ingress & Egress Filters:
• The ingress filter is the access list assigned to the interface connected closest to the service
provider which blocks known malicious or simply bad traffic from entering your LAN.
• The egress filter is the access list assigned to the interface connected closest to your LAN
which allows only legitimate traffic to depart your LAN.
• Note that the egress filter may be more than one access list. If the router you’re examining
has multiple LANs connected to it, it may be necessary to implement an egress filter to each
of the interior interfaces.
• To determine which access list is the egress and which is the ingress, it will be necessary to
review the structure of the network to determine which interface should host the ingress
filter and which should host the egress filter.
• For this example, interface FastEthernet0/0 (f0/0) will be the interface connected to the
provider. View the configuration for the interface:
RTR7200# show running-config | section FastEthernet0/0
• If the resulting display contains the two lines
ip access-group <NAME> in
ip access-group <NAME> out
the <NAME> preceding “in” is the ingress filter and
the <NAME> preceding “out” is the egress filter.
• If the interface only includes the one “in” filter, you’ll need to view the configuration of
the other interfaces to determine which should contain the outbound filtering.
Ingress Access List:
• Once you’ve decided which is the ingress filter and which is the egress filter, you next need
to examine their contents (see next section).
• Access-lists are essential for securing a router. They can, however, be extremely complex.
Without a thorough understanding of all the applications traversing the router and the
protocols involved, it is impossible to validate each acl.
• There are some things which are universally filtered at the outside interface. Among these
are ip addresses which are not routable across the Internet, referred to as private
addresses. Certain multicast addresses should also be blocked as well as malformed
addresses.
• RFC 5735 and RFC 4193 list the private address and other reserved ranges for IPv4 and IPv6
respectively and discuss their purpose and implementation.
• The Center for Internet Security (CIS) Security Configuration Benchmark for Cisco IOS
Version 3.0.0, September, 2011 contains a recommended list of ip addresses that should be
blocked at the ingress filter. They are included in the example ingress access-list on the
following slide. There are other candidates for inclusion in this list.
1) access-list <acl> deny ip <your_internal_address_range> any log
2) access-list <acl> deny ip 127.0.0.0 0.255.255.255 any log
3) access-list <acl> deny ip 10.0.0.0 0.255.255.255 any log
4) access-list <acl> deny ip 172.16.0.0 0.15.255.255 any log
5) access-list <acl> deny ip 192.168.0.0 0.0.255.255 any log
6) access-list <acl> deny ip 192.0.2.0 0.0.0.255 any log
7) access-list <acl> deny ip 169.254.0.0 0.0.255.255 any log
8) access-list <acl> deny ip 0.0.0.0 0.255.255.255 any log
9) access-list <acl> deny ip host 255.255.255.255 any log
• Line 1 prevents any external host from spoofing your ip addresses.
• Line 2 is the loopback range of addresses.
• Lines 3, 4, & 5 are the big 3 private address ranges.
• Line 6 is TEST-NET-1 and is used only in documentation.
• Line 7 is the link-local block.
• Lines 8 & 9 block bogus ip addresses.
Egress Access List:
• The egress filter is an access list which ensures that only legitimate traffic (traffic generated by your own LAN) is allowed to exit the LAN.
• The access-list may be complex due to the inclusion of protocols and applications as well as operationally mandated traffic.
• The single entry you’re looking for is one that allows only your address space:
access-list <acl> permit ip <your_internal_address_range> <wildcard> any log
• If there are other users (LANs) connected to other interfaces, this line needs to be adjusted for their ip address range and included in the filter located on their interface of the router.
• Because an access-list ends with an implicit deny, this single permit drops any packet leaving your LAN with another source address (a spoofing or misconfigured host). The log keyword on a permit records every flow and is usually too noisy; keep it only if local policy requires it.
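Added example (not part of the original guide): a Python script that reads numbered access-list entries as they would appear in running-config and checks the three things an auditor otherwise verifies by hand for the ingress filter above: that every recommended source range (and your own range) is denied, that no deny sits after an overlapping permit where it can never match, and that the denies are logged. The sample ACL and the address 203.0.113.0/24 standing in for <your_internal_address_range> are constructed for the example; named ip access-list blocks are not parsed.

```python
"""Audit a numbered Cisco IOS ingress access-list for the anti-spoofing
denies recommended in the guide. Added example, not the guide's own code;
handles the numbered 'access-list <n> ...' syntax only."""
import ipaddress

# Source ranges the guide says an ingress filter must deny (entries 2-9).
REQUIRED_DENIES = [
    "127.0.0.0/8",         # loopback
    "10.0.0.0/8",          # RFC 1918
    "172.16.0.0/12",       # RFC 1918
    "192.168.0.0/16",      # RFC 1918
    "192.0.2.0/24",        # TEST-NET-1
    "169.254.0.0/16",      # link-local
    "0.0.0.0/8",           # "this" network
    "255.255.255.255/32",  # limited broadcast
]

# Constructed sample of an ingress ACL as it appears in running-config.
# 203.0.113.0/24 stands in for <your_internal_address_range> (an assumption).
SAMPLE_ACL = """\
access-list 101 remark ingress filter applied inbound on the outside interface
access-list 101 deny ip 203.0.113.0 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 permit tcp any host 203.0.113.10 eq 443
"""


def _parse_source(tokens):
    """Return (network, remaining tokens) for an ACL address specification."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    w = int(ipaddress.ip_address(wildcard))
    if w & (w + 1):
        # Wildcard bits are not contiguous: not a prefix, so it cannot be
        # compared with the required ranges. Refuse rather than guess.
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - w.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), tokens[2:]


def parse_entry(line):
    """Parse one 'access-list <n> permit|deny <proto> <src> ...' line.
    Returns None for remarks and unrelated lines."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    src, rest = _parse_source(t[4:])
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src,
            "log": bool(rest) and rest[-1] == "log"}


def audit_ingress(config_text, internal_range):
    """Return a list of findings; an empty list means the ACL passes."""
    entries = [e for e in map(parse_entry, config_text.splitlines()) if e]
    findings = []
    # 1. Every required range must be inside the source of some 'deny ip'
    #    (a broader deny such as 'deny ip any' also covers it).
    denied = [e["src"] for e in entries if e["action"] == "deny" and e["proto"] == "ip"]
    required = [ipaddress.ip_network(internal_range)]
    required += [ipaddress.ip_network(r) for r in REQUIRED_DENIES]
    for net in required:
        if not any(net.subnet_of(d) for d in denied):
            findings.append(f"missing deny for {net}")
    # 2. ACLs match top-down: a deny after a permit with an overlapping
    #    source is (at least partly) shadowed and never reached.
    permits = []
    for e in entries:
        if e["action"] == "permit":
            permits.append(e["src"])
        elif any(p.overlaps(e["src"]) for p in permits):
            findings.append(f"deny {e['src']} is shadowed by an earlier permit")
    # 3. Spoofing attempts should be visible in syslog.
    for e in entries:
        if e["action"] == "deny" and not e["log"]:
            findings.append(f"deny {e['src']} is not logged")
    return findings


if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_ACL, "203.0.113.0/24") or ["ingress ACL passes"]:
        print(f)
```

Feed it the output of show running-config | include access-list <n> for the ACL bound to the outside interface with ip access-group <n> in; the checks are on source addresses only, so application-specific permits still need the manual review the guide calls for.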
ICMP:
• Internet Control Message Protocol
• Its purpose is to assist in the control of the Internet Protocol (IP).
• It can reveal a great deal about the internal structure of your LAN (which hosts are up, which addresses are unused, what the router considers unreachable).
• Some of it is required: echo for authorised monitoring and, for correct operation, the fragmentation-needed (type 3, code 4) and time-exceeded messages on which path MTU discovery and traceroute depend.
• Which ICMP messages need to be filtered and which need to be allowed will be dictated by local mission requirements as well as restrictions mandated by the external service provider.
• At a minimum, all non-mandated inbound requests should be filtered as well as any outbound requests from addresses other than the management station.
• To verify the filtering established for a particular LAN, it is necessary to have an understanding of the structure of the LAN: what ip address is/are assigned to the management station(s); what is the address space for the LAN; what applications are running which require the use of ICMP; etc.
• ICMP needs to be filtered on both the egress and ingress interfaces.
• In the ingress filter access list, there might be lines which allow icmp echo requests from specific external ip addresses such as a trusted management station or server. Verify the ip addresses included against the local operating procedures.
• All other ip traffic from the network to which the management stations/servers belong should be explicitly blocked (<management_network> below is that external network):
ip access-list extended INGRESS_FILTER
 permit icmp host <trusted-management-station> any echo
 permit icmp host <trusted-management-server> any echo
 deny ip <management_network> <wildcard> any log
• In the egress filter access list, there might be lines which allow icmp echo requests from specific internal ip addresses such as a management station. Verify the ip address of the management station.
• All other icmp traffic from your network must be explicitly blocked:
ip access-list extended EGRESS_FILTER
 permit icmp host <trusted-management-station> any echo
 permit icmp host <trusted-management-server> any echo
 deny icmp <your_internal_address_range> <wildcard> any log
• Note: If icmp echo-requests are permitted out of your LAN, the corresponding echo-reply must then be permitted back in to your router through the ingress filter (permit icmp any host <trusted-management-station> echo-reply). The entry in the ingress filter should be as specific as possible to ensure no unauthorized icmp traffic enters.
Authentication
Local
Command:
• username <name> [privilege <level>] secret <password>
• Local usernames are used in many places for authentication purposes. Use secret rather than password: secret stores a salted hash (type 5), whereas password stores the value in clear text or, with service password-encryption, as a reversible type 7 string that any reader of the configuration can decode.
• In the aaa command (discussed elsewhere) aaa authentication login default local enable, the “local” option indicates that the local username database should be consulted for authentication (then the enable secret password).
• In the command ip http authentication local, “local” means that only a username from the local username database, once properly authenticated by entering the correct password, will have access to the http server.
• On vty, aux, and con lines, the command login local means the same thing. Use show running-config | begin line to see all the line configurations.
Finding it in the configuration:
RTR7200# show running-config | include local
ip http authentication local
 login local
AAA
Command:
• aaa new-model
• Activates AAA (authentication, authorization, accounting) functionality.
• Immediately applies local authentication to all lines and interfaces except the console (line con 0). Sessions already opened are not affected. If a session times out and no username is configured, you are effectively locked out of the router. For this reason, a username must be configured prior to executing this command, and the new configuration should be tested from a second session before the working session is closed.
Finding it in the configuration:
RTR7200# show running-config | include aaa new-model
Command:
• tacacs-server host <ip | hostname> [timeout <sec>] [key <KEY>]
• radius-server host <ip | hostname> [timeout <sec>] [key <KEY>]
• Designates the TACACS+/RADIUS server ip address or hostname. Newer IOS releases replace tacacs-server host with a tacacs server <NAME> block (containing address ipv4 <ip> and key <KEY>), so search for both forms.
Finding it in the configuration:
RTR7200# show running-config | include tacacs-server
tacacs-server host A.B.C.D timeout 15
RTR7200# show running-config | include radius-server
radius-server host E.F.G.H auth-port 1645 acct-port 1646 timeout 15 key 7 0813…
• The RADIUS server configuration includes the default authentication and accounting port assignment numbers of 1645/1646. These are the legacy ports; the IANA-assigned ports are 1812/1813, and the server must be configured to match whichever pair is used. TACACS+ uses only TCP port 49.
• A.B.C.D & E.F.G.H are ip address place holders only.
• The shared key is displayed as key 7 …, which is the reversible type 7 encoding, not a hash: anyone who can read the configuration has the key. Protect configuration backups accordingly.
Command:
• aaa group server tacacs+ <NAME>
• aaa group server radius <NAME>
• Creates a group named <NAME> into which servers can be added. The router prompt changes to the server-group config prompt, and the server command adds the server(s) to the group:
(config)# aaa group server tacacs+ TACACSGROUP
(config-sg-tacacs+)# server <ip | hostname>
(config)# aaa group server radius RADIUSGROUP
(config-sg-radius)# server <ip | hostname>
Finding it in the configuration:
RTR7200# show running-config | section aaa group
aaa group server tacacs+ TACACSGROUP
 server A.B.C.D
aaa group server radius RADIUSGROUP
 server E.F.G.H
• Using section rather than include shows the member servers as well as the group names.
Command:
• aaa authentication enable default <method1 [method2] [method3] [method4]>
• Creates the default list for determining whether or not a user can access the privileged EXEC command level (a.k.a. “enable” mode).
• This command allows for up to four methods (at least one must be included). Methods are tried in order; the next method is used only if the previous one does not respond (an explicit reject stops the list):
  • group <NAME> : use the servers configured in the <NAME> group
  • group tacacs+ : use all available tacacs+ servers
  • group radius : use all available radius servers
  • enable : use the enable password
  • line : use the line password (if connected via vty line, for example)
  • none : no authentication required
• none should never appear in a production method list.
Finding it in the configuration:
RTR7200# show running-config | include aaa authentication enable
aaa authentication enable default group tacacs+ enable
Command:
• aaa authentication login default <method1 [method2] [method3] [method4]>
• Creates the default list for authenticating a user for login. It applies to every line (console, aux and vty) that does not name its own list.
• This command allows for up to four methods (at least one must be included). Methods are tried in order; the next method is used only if the previous one does not respond (an explicit reject stops the list):
  • group <NAME> : use the servers configured in the <NAME> group
  • group tacacs+ : use all available tacacs+ servers
  • group radius : use all available radius servers
  • enable : use the enable password
  • line : use the line password (if connected via vty line, for example)
  • local : local username database
  • local-case : case-sensitive local username database
  • none : no authentication required
• The usual pattern is the AAA server group first, with local as the fallback for when the servers are unreachable; none should never appear in a production list.
Finding it in the configuration:
RTR7200# show running-config | include aaa authentication login
aaa authentication login default group tacacs+ local enable
Command:
• aaa accounting < exec | commands <level> | network | connection | system > default start-stop group < tacacs+ | radius | LISTNAME >
• Provide accounting for all user shell EXEC sessions:
aaa accounting exec default start-stop group < tacacs+ | radius | LISTNAME >
• Provide accounting for all commands on level 15 (command accounting is supported by TACACS+ only; RADIUS servers cannot receive it):
aaa accounting commands 15 default start-stop group < tacacs+ | LISTNAME >
• Provide accounting for all network related services like PPP:
aaa accounting network default start-stop group < tacacs+ | radius | LISTNAME >
• Provide accounting for all outbound connections:
aaa accounting connection default start-stop group < tacacs+ | radius | LISTNAME >
• Provide accounting for all system related events not directly related to a user:
aaa accounting system default start-stop group < tacacs+ | radius | LISTNAME >
• These five commands are all required to completely configure aaa accounting.
• “start-stop” accounting sends a start record as soon as the session begins and a stop record, which includes session statistics, when the session ends.
Finding it in the configuration:
RTR7200# show running-config | include aaa accounting
Routing
EIGRP Authentication
• First, create a key chain for use by EIGRP:
(config)# key chain KC_EIGRP
• Next, add a key to the key chain:
(config-keychain)# key 1
(config-keychain-key)# key-string ReallyStrong!
• Enter interface configuration mode on the interface which connects to the eigrp neighbor; activate authentication for autonomous system 33 (for example); and, use MD5 to protect the key:
(config-if)# ip authentication mode eigrp 33 md5
• Finally, set the authentication process to use the previously configured key-chain:
(config-if)# ip authentication key-chain eigrp 33 KC_EIGRP
Finding it in the configuration:
RTR7200# show running-config | section key chain
key chain KC_EIGRP
 key 1
  key-string 7 04690E07032D557D1D0B0A19154A
• The key-string is shown in type 7 form only when service password-encryption is configured; otherwise it appears in clear text. Type 7 is a reversible encoding, not a hash, so the configuration file itself must be protected.
• Once you know the key chain name, search for it:
RTR7200# show running-config | include KC_EIGRP
 ip authentication key-chain eigrp 33 KC_EIGRP
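Added example (not the guide’s own code) showing why the type 7 strings seen in key-string 7 … above, and in the key 7 … of the tacacs-server/radius-server entries earlier, give no protection: the encoding is a fixed XOR with a constant string that any reader of the configuration can reverse. The key-string value below is the one shown on this page; the tacacs-server line and its key are constructed for the example.

```python
"""Decode and encode Cisco IOS 'type 7' strings. Added example, not from
the guide; demonstrates that 'key 7 ...' in a configuration is reversible.
The sample configuration is constructed except for the key-string value,
which is the one shown in the EIGRP section of the guide."""
import random
import re

# Fixed XOR key used by IOS for type 7 encoding (identical on every device).
_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decrypt_type7(encoded):
    """Return the plaintext for a type 7 string such as '04690E07...'."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    offset = int(encoded[:2])           # first two digits: start position in _XLAT
    if offset > 15:
        raise ValueError("type 7 offset must be 00-15")
    body = bytes.fromhex(encoded[2:])   # remaining hex pairs: XORed plaintext
    return "".join(chr(b ^ ord(_XLAT[(offset + i) % len(_XLAT)]))
                   for i, b in enumerate(body))


def encrypt_type7(plaintext, offset=None):
    """Produce a type 7 string; IOS itself picks a random offset from 0 to 15."""
    if offset is None:
        offset = random.randint(0, 15)
    return f"{offset:02d}" + "".join(
        f"{ord(c) ^ ord(_XLAT[(offset + i) % len(_XLAT)]):02X}"
        for i, c in enumerate(plaintext))


# Where type 7 strings appear in a configuration: 'password 7', 'key 7',
# 'key-string 7' (the longer keyword is tried first so 'key-string' is not
# mistaken for 'key').
_TYPE7_RE = re.compile(r"\b(password|key-string|key)\s+7\s+([0-9A-Fa-f]{4,})")


def recover_type7_secrets(config_text):
    """Return (keyword, plaintext) for every type 7 string in a configuration."""
    return [(m.group(1), decrypt_type7(m.group(2)))
            for m in _TYPE7_RE.finditer(config_text)]


# Constructed sample; the key-string is the value shown on the page, the
# tacacs-server line and its key are assumptions for the example.
SAMPLE_CONFIG = """\
key chain KC_EIGRP
 key 1
  key-string 7 04690E07032D557D1D0B0A19154A
tacacs-server host 10.1.45.9 timeout 15 key 7 0235575819031B
"""

if __name__ == "__main__":
    for keyword, secret in recover_type7_secrets(SAMPLE_CONFIG):
        print(f"{keyword}: {secret}")
```

Running the block against a saved running-config lists every routing, NTP and AAA key in clear text, which is why the guide’s advice to treat the configuration file as a secret matters more than service password-encryption itself. Only enable secret and username … secret (hashed) resist this.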
OSPF Authentication
• From interface configuration mode on the interface connected to the external OSPF neighbor:
RTR7200(config-if)# ip ospf message-digest-key 1 md5 ReallyReallyStrong!
• This key must be pre-shared. That is, the interface on the next device in line to which this interface is connected must have an identical key id and key configured.
• Next, activate MD5 authentication (on this interface only):
RTR7200(config-if)# ip ospf authentication message-digest
Finding it in the configuration:
• Verifying authentication is on a per-interface basis:
RTR7200# show ip ospf interface <int> (once per interface)
/- output omitted -/
  Message digest authentication enabled
    Youngest key id is 1
• The key itself can be located with show running-config | include ospf message-digest-key; as with the EIGRP key-string, it is stored in reversible type 7 form at best.
Management Access
Command:
• service tcp-keepalives-in
• service tcp-keepalives-out
• Generate keepalives on network connections.
• Sometimes, tcp connections to remote points become disconnected at the remote host without notifying the originating end of the connection. When this happens, the router still believes the connection exists and the line it was using stays occupied; on the vty lines this can leave the router unreachable for management until the sessions age out, which is an easy way to exhaust them. With keepalives configured, each end of the connection will detect that the other end has gone away and close its side.
Finding it in the configuration:
RTR7200# show running-config | include tcp-keepalives
service tcp-keepalives-in
service tcp-keepalives-out
Command:
• exec-timeout <minutes> [<seconds>]
• Establishes the length of time a line is allowed to be idle before the router disconnects it, dropping the connection.
• A setting of 0 (zero) disables the timeout and is not acceptable. exec-timeout 0 0 is what you will see in the configuration when someone has disabled it.
Finding it in the configuration:
• Begin the display of the config file from the first instance of a line:
• A setting of 10 minutes is the default and will not appear in the listing.
RTR7200# show running-config | begin line
line con 0
/- output omitted -/
 exec-timeout 5 0
line vty 0 4
/- output omitted -/
 exec-timeout 3 30
Configure Secure Shell (SSH):
• Activating Secure Shell requires a series of commands:
• To allow the router and any device to which the router will become connected to identify the SSH crypto key uniquely, set a unique name for the router and identify the domain in which the router will operate (the key is labelled <HOSTNAME>.<NAME>):
(config)# ip domain-name <NAME>
(config)# hostname <HOSTNAME>
• With these two items set, it is now possible to create the crypto key:
(config)# crypto key generate rsa general-keys modulus 2048
• rsa is the only key type available for SSH on the IOS releases covered here.
• general-keys generates “a general purpose RSA key pair for signing and encryption” (from Cisco IOS 15.0). The usage-keys option generates two pairs of keys, one for signing and one for encryption.
• modulus 2048 means the keys will be 2048 bits in length. The command also accepts smaller values (512, 768 and 1024 among them); treat 1024 as the minimum acceptable and prefer 2048, since a 1024-bit modulus is no longer considered adequate.
Finding it in the configuration:
• The router hostname is evident from the command prompt (RTR7200 for example).
RTR7200# show running-config | include domain
ip domain name ns.com
• (The keyword is stored as ip domain name or ip domain-name depending on the IOS release; searching for domain finds both.)
RTR7200# show ip ssh
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format (ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCl56+Fy+SYBA8nPUeCygf+VjBtYv0jx/oE…
• “version 1.99” means the server accepts both SSH version 1 and version 2 clients; see the next section for forcing version 2.
• The key pair and its label are also shown by show crypto key mypubkey rsa.
Changing Secure Shell (SSH) Defaults:
• A display of version 1.99 means both SSH version 1 and version 2 are accepted. Version 1 has known protocol weaknesses, so restricting the server to version 2 is recommended:
(config)# ip ssh version 2
• The timeout of 120 seconds (the time allowed to complete authentication) is usually acceptable. If it needs to be adjusted, the range is 1 to 120 seconds:
(config)# ip ssh time-out 60
• The default number of times a user can attempt to authenticate over an SSH connection before the connection is dropped is 3 (the maximum is 5). Changing this is simple, although a lower value is stricter than the default, not a higher one:
(config)# ip ssh authentication-retries 4
Finding it in the configuration:
RTR7200# show ip ssh
SSH Enabled – version 2.0
Authentication timeout: 60 secs; Authentication retries: 4
/- output omitted -/
Allowing Access to Secure Shell (SSH):
• SSH connections are established using the virtual terminal (VTY) lines.
• Configuring SSH as the only input transport on a vty line blocks access to that vty line using Telnet and forces the use of SSH (transport input telnet ssh would still allow Telnet):
(config-line)# transport input ssh
• It is also necessary to control access to the vty lines by assigning a configured access list. The acl is a standard access list containing the ip addresses of those stations authorized to reach the vty lines and, therefore, ssh. Apply it to every vty line group (line vty 0 4 and line vty 5 15, for example), not only the first.
(config-line)# access-class <standard_acl> in
Finding it in the configuration:
RTR7200# show running-config | section vty
line vty 0 4
/- output omitted -/
access-class 1 in
transport input ssh
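Added example (not from the guide): a Python audit of the vty line sections of a running configuration, checking the points above in one pass: ip ssh version 2 is set, every vty group permits only ssh as its input transport, an access-class is applied, and exec-timeout has not been disabled with 0. The configuration text is constructed for the example (the hostname and ACL number follow the page).

```python
"""Audit vty line sections of a Cisco IOS running-config for the SSH and
access controls described in the guide. Added example, not the guide's
code; SAMPLE_CONFIG is constructed for it."""
import re

SAMPLE_CONFIG = """\
hostname RTR7200
ip domain-name ns.com
ip ssh version 2
access-list 1 permit 10.1.45.0 0.0.0.255
line con 0
 exec-timeout 5 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 1 in
 exec-timeout 3 30
 login authentication default
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login authentication default
 transport input telnet ssh
"""


def parse_line_sections(config_text):
    """Return {'vty 0 4': [commands...], ...} for every 'line ...' block.
    IOS indents a block's commands by one space; the block ends at the next
    unindented line."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None
    return sections


def audit_vty(config_text):
    """Return a list of findings for the global SSH setting and each vty group."""
    findings = []
    if not re.search(r"^ip ssh version 2\s*$", config_text, re.M):
        findings.append("global: ip ssh version 2 not set (SSHv1 may be accepted)")
    for name, cmds in parse_line_sections(config_text).items():
        if not name.startswith("vty"):
            continue
        tag = f"line {name}"
        # The last 'transport input' wins; anything other than exactly 'ssh'
        # (e.g. 'telnet ssh' or 'all') leaves a clear-text protocol open.
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if not transports or transports[-1] != ["ssh"]:
            findings.append(f"{tag}: transport input is not restricted to ssh")
        if not any(re.match(r"access-class \S+ in$", c) for c in cmds):
            findings.append(f"{tag}: no access-class applied")
        # Absent exec-timeout means the 10 minute default; '0 0' means none.
        for c in cmds:
            m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(f"{tag}: exec-timeout 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for f in audit_vty(SAMPLE_CONFIG) or ["vty lines pass"]:
        print(f)
```

Run it on the text of show running-config (the whole file, since the ip ssh setting is global). It deliberately does not flag a missing login authentication line: once aaa new-model is enabled the default list applies to every line implicitly and IOS does not display it, so its absence is not evidence of anything.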
Configure Secure HTTP (HTTPS):
no ip http server
no ip http secure-server
• Routers provide web-based device management applications such as the Cisco Router and Security Device Manager (SDM) and Cisco Configuration Professional (CCP).
• If web management is retained, the plain-text http server must be disabled and only the secure server (ip http secure-server) used, so that credentials and configuration information are protected in transit.
• Access to the http secure server must be controlled as well. It can be restricted with a standard access list applied by ip http access-class <acl>, together with the authentication commands in the next section.
• The recommendation is that neither http nor https be enabled.
• This configuration has to do with https terminating on the router, not passing through it on the data plane.
Finding it in the configuration:
RTR7200# show running-config | include http
no ip http server
ip http secure-server
• The output above shows the secure server still enabled; that is acceptable only where local policy requires web management and the access-class and authentication controls are also present.
Restrict Access to HTTPS:
• Use local usernames for authentication:
RTR7200(config)# ip http authentication local
• Use the enable secret password for authentication (a shared password with no per-user accountability; avoid it where usernames are available):
RTR7200(config)# ip http authentication enable
• Use a configured method list to authenticate the user:
RTR7200(config)# ip http authentication aaa login-authentication <NAME>
(Refer to the AAA section above for discussions on method lists.)
Finding it in the configuration:
RTR7200# show running-config | include http
no ip http server
ip http secure-server
ip http authentication aaa login-authentication SDMACCESS
Banners:
• Banners are used to display short messages to users who connect to the router.
• The commands listed here are all required. Each example shown here uses a different character as the delimiter solely to illustrate that any character can be used (the delimiter must not appear in the message text itself).
(config)# banner incoming @ This is the INCOMING banner … @
(config)# banner motd % This is the MOTD banner … %
(config)# banner exec & This is the EXEC banner … &
(config)# banner login * This is the LOGIN banner … *
• The incoming banner is displayed on incoming (reverse Telnet) connections to the router’s asynchronous lines.
• The motd (message of the day) banner is displayed first, before any other banner, on every connection.
• The login banner is displayed after the motd banner and before the username/password prompt.
• The exec banner is displayed after the user has authenticated, when the EXEC process starts.
• The banner text should be the legal notice required by local policy and should not reveal the device’s role, model, location or owner.
Finding it in the configuration:
RTR7200# show running-config | include banner
banner incoming ^C This is the INCOMING banner … ^C
banner motd ^C This is the MOTD banner … ^C
banner exec ^C This is the EXEC banner … ^C
banner login ^C This is the LOGIN banner … ^C
• Note that the delimiters are all converted to ^C (control-C) when displayed.
Logging
Command:
• logging on
• Logging is required. This command activates it. It is the default, so it does not appear in the running configuration (no logging on would). Different versions of the IOS may require “on” while others require “enable”. Verify with show logging, which reports “Syslog logging: enabled”.
Command:
• no logging monitor
• The ‘no’ version of this command ensures that logging messages are not sent to an alternate monitor connected to one of the terminal (vty) lines.
Command:
• logging source-interface loopback0
• To provide consistency in the generation of logging messages, a loopback interface ip address should be used as the source for all logging from a particular device.
• This command causes the ip address of loopback0 to be used as the source of every syslog message, so the collector can identify the device regardless of which physical interface the message left on.
Command:
• logging console <level>
• Causes logging messages of severity level <level> and more severe to be sent to the console.
• Recommended level is “critical” (2).
• Levels are discussed below.
Command:
• logging rate-limit console 3 except critical
• Limits the number of messages which are displayed on the console to no more than 3 per second unless the message is critical (level 2) priority or higher.
• The intent is to prevent console logging from consuming an inordinate amount of processing time, resulting in an unstable router.
Command:
• logging buffered <buffer_size> [level]
• Sets aside an area in memory of size <buffer_size> (in bytes) for holding log messages of severity <level> locally so they can be viewed (show logging) by a logged-in level 15 user. The buffer is circular: once full, the oldest messages are overwritten, which is one reason a remote syslog server is also required.
• The minimum recommended <buffer_size> is 16000.
Command:
• logging [host] <ip_address_of_logging_host>
• Sets the ip address of the logging server.
• All generated syslog traffic at or above the logging trap level is sent to this address.
• Some versions of Cisco IOS require the [host] option.
Command:
• logging trap <level>
• Sets the severity level of messages sent to the syslog server(s) configured with logging host: messages at <level> and more severe are forwarded. The name refers to syslog “traps”, not SNMP; this command has nothing to do with SNMP traps.
Command:
• logging alarm <severity>
• Sets the severity level of facility alarms (hardware and environmental conditions on platforms that support them) that are logged. It takes alarm severities (critical, major, minor, informational), not the syslog levels below.
• Syslog levels are numbered from 0 to 7 and are named emergencies(0), alerts(1), critical(2), errors(3), warnings(4), notifications(5), informational(6), and debugging(7).
• Setting a specific level (on logging console, logging buffered, logging monitor or logging trap) will cause the inclusion of that level and all levels of higher severity (lower number).
• What level is configured is a matter of local policy.
Finding it in the configuration:
RTR7200# show running-config | include logging
logging buffered 24000 informational
logging rate-limit console 3 except critical
logging console critical
no logging monitor
logging alarm major
logging trap debugging
logging source-interface Loopback0
logging 10.1.45.3
• A very extensive and detailed logging report is available by executing show logging.
Configuration File Management
Command:
• archive
• The archiving of configuration files allows for the replacement and restoration of configurations. Without a repository for configuration files, there would be no way to restore a router to a previous, working, state. The archive command enters archive configuration mode; the commands below are entered there (the logging-related ones in its log config sub-mode).
Command:
• log config
• logging enable
• Enters the configuration-change logger sub-mode and causes a log entry to be generated for every command entered in configuration mode, recording who entered it and from where.
Command:
• logging size <#>
• Sets the maximum number of change entries (1000 or less) retained in the configuration log.
Command:
• notify syslog [contenttype { plaintext | xml }]
• Causes configuration change messages to be sent to the syslog server(s) in addition to being kept in the local configuration log, so an intruder who alters the device cannot erase the record by clearing the local log.
Command:
• hidekeys
• Do not include (hide) any keys or passwords in the log entries.
Command:
• path <url>:<filename>
• Sets the path and location of the archived configuration files (disk0: as below, or a remote tftp:, ftp: or scp: URL). As new files are created, a sequential number is added to the end of the file name entered here.
Command:
• write-memory
• Automatically create a backup any time the write memory (copy running-config startup-config) command is issued.
Command:
• time-period <minutes>
• Sets the interval, in minutes, at which the current configuration is archived automatically.
Finding it in the configuration:
RTR7200# show running-config | section archive
archive
 log config
  logging enable
  logging size 150
  notify syslog contenttype plaintext
  hidekeys
 path disk0:backup-netman
 write-memory
• The archived versions can be listed with show archive, and a previous version restored with configure replace <file>.
Exclusive Configuration Access
Command:
• configuration mode exclusive auto expire <sec>
• When a user with privilege level 15 access enters configuration terminal mode, the running configuration is locked, preventing others from changing it at the same time.
• The lock is released when the user leaves configuration mode, or after <sec> seconds of inactivity.
Finding it in the configuration:
RTR7200# show running-config | include configuration mode
configuration mode exclusive auto expire <sec>
• show configuration lock displays the current lock holder, if any.
Software Resilience
Command:
• secure boot-image
• Secures the running IOS image file in persistent storage: the file is hidden from directory listings and cannot be removed or overwritten by any command issued from the router’s CLI.
Command:
• secure boot-config
• Makes a secured backup of the running configuration and stores it in the same persistent storage, so that it can be restored even if the startup configuration has been erased.
Finding it in the configuration:
• These features are available only on platforms whose flash file system supports them, and they can only be turned off from a console session.
• Verify with show secure bootset, which reports the secured image and configuration archive.
SNMP
• Simple Network Management Protocol is a very powerful network management protocol.
• SNMP should be disabled unless it is absolutely required or mandated (no snmp-server removes the entire SNMP configuration).
• Whether or not to use it is a matter of local policy.
• If the service provider is mandating the use of SNMP, it must be Version 3.
• The following SNMP commands represent the basic configuration requirements for using the protocol.
• You should be provided with any additional configuration information you need by the service provider.
Command:
• snmp-server community <READONLY_STRING> ro <acl>
• Sets <READONLY_STRING> as the password for read-only (ro) access to the Management Information Base (MIB). Community strings belong to SNMP versions 1 and 2c only and travel in clear text; if version 3 is mandated there should be no community strings in the configuration at all.
• <acl> is an access list name or number containing ip addresses of hosts on the network which are allowed to use this community string to access the MIB. It is required.
Finding it in the configuration:
RTR7200# show running-config | include snmp-server community
snmp-server community ReadOnly RO ALLOWED_RO_SNMP
Command:
• snmp-server community <READWRITE_STRING> rw <acl>
• Sets <READWRITE_STRING> as the password for read-write (rw) access to the Management Information Base (MIB). Read-write access allows the configuration to be changed and retrieved over SNMP, so it is equivalent to privileged access to the router.
• <acl> is an access list name or number containing ip addresses of hosts on the network which are allowed to use this community string to access the MIB.
• Normally, a readwrite community string is not in the configuration.
• Whether or not this community string is set is a matter of policy. If it is set, it must never be the same string as the read-only one.
Finding it in the configuration:
RTR7200# show running-config | include snmp-server community
snmp-server community ReadWrite RW ALLOWED_RW_SNMP
Command:
• snmp-server enable traps <trap_type>
• trap_type is a matter of local policy.
• Traps are not sent unless a server is also configured to receive them (next section).
Finding it in the configuration:
RTR7200# show running-config | include snmp-server enable traps
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
/- output omitted -/
snmp-server enable traps voice
snmp-server enable traps dnis
• The snmp authentication trap is the one that reports failed community strings or failed v3 authentication, which is the trap an auditor most wants to see enabled.
Command:
• snmp-server host <host_ip | host_name> <options>
• snmp-server host http://{host_ip | host_name}[:<port>][/<url>] <options>
• Identifies the snmp server to which traps or informs are sent.
• Inclusion of additional options is a matter of local policy as well as other configuration items located elsewhere in the configuration file.
Finding it in the configuration:
RTR7200# show running-config | include snmp-server host
snmp-server host 10.1.55.32 version 3 priv SNMP_USER
Command:
• snmp-server group <GROUP_NAME> v3 priv
• If snmp is to be used, it should be version 3.
• To ensure that traffic is protected in transit, version 3 groups should be configured with the “priv” option, indicating that traffic must be authenticated and encrypted (auth authenticates only; noauth does neither).
Finding it in the configuration:
RTR7200# show running-config | include snmp-server group
snmp-server group v3Group2 v3 priv
Command:
• snmp-server user <NAME> <GROUP_NAME> v3 auth sha <authentication_password> priv aes <aes_size> <private_password> access <acl_name_or_number>
• Minimum recommended aes_size (symmetric encryption algorithm) is 128.
• This command, in conjunction with the snmp-server group command, provides this USER with authentication and privacy (encryption).
Finding it in the configuration:
• SNMPv3 users are not written to the running configuration (their passwords are kept as localized keys outside it), so show running-config | include snmp-server user returns nothing even when users exist. Use show snmp user instead:
RTR7200# show snmp user
User name: SNMP_USER
Engine ID: …
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: v3Group2
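Added example (not the guide’s code): an audit of the snmp-server lines for the checks made in this section: community strings without an access list, read-write strings, v3 groups without priv, and notification hosts not using version 3. With require_v3 set it also reports any community string at all, since community strings are v1/v2c by definition. The sample lines are constructed (the names follow the page’s examples), and community strings are masked in the output because they are credentials.

```python
"""Audit snmp-server configuration lines for the points made in the guide.
Added example, not the guide's code; SAMPLE_SNMP is constructed."""

SAMPLE_SNMP = """\
snmp-server community ReadOnly RO ALLOWED_RO_SNMP
snmp-server community public RO
snmp-server community ReadWrite RW ALLOWED_RW_SNMP
snmp-server group v3Group2 v3 priv
snmp-server group v3Legacy v3 noauth
snmp-server host 10.1.55.32 version 3 priv SNMP_USER
snmp-server host 10.1.55.33 public
"""


def _mask(secret):
    """Show only enough of a community string to tell entries apart."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def audit_snmp(config_text, require_v3=True):
    """Return a list of findings; an empty list means nothing to report."""
    findings, communities = [], 0
    for line in config_text.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "community"] and len(t) >= 3:
            communities += 1
            name, rest = _mask(t[2]), t[3:]
            if rest[:1] == ["view"]:          # optional 'view <name>' precedes ro/rw
                rest = rest[2:]
            mode, acl = "ro", rest            # ro is the default when omitted
            if rest and rest[0].lower() in ("ro", "rw"):
                mode, acl = rest[0].lower(), rest[1:]
            if mode == "rw":
                findings.append(f"community {name}: read-write access configured")
            if not acl:
                findings.append(f"community {name}: no access list restricts who may use it")
        elif t[:2] == ["snmp-server", "group"] and len(t) >= 4:
            if t[3] != "v3":
                findings.append(f"group {t[2]}: SNMP version {t[3]}, not v3")
            elif t[4:5] != ["priv"]:
                findings.append(f"group {t[2]}: v3 without priv (traffic not encrypted)")
        elif t[:2] == ["snmp-server", "host"] and len(t) >= 3:
            # Without an explicit 'version' keyword IOS sends version 1.
            ver = t[t.index("version") + 1] if "version" in t else "1"
            if ver != "3":
                findings.append(f"host {t[2]}: notifications sent with SNMP version {ver}")
    if require_v3 and communities:
        findings.append(f"{communities} v1/v2c community string(s) configured "
                        "although version 3 is required")
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_SNMP) or ["SNMP configuration passes"]:
        print(f)
```

Pair the output with show snmp user, since the v3 users themselves are not in the running configuration and therefore not in the text this script reads.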
Time
Command:
• service timestamps < debug | log > < datetime | uptime > [show-timezone] [localtime] [msec] [year]
• Configures timestamps for debug and for log messages (one command for each).
• Use either the real date & time <datetime> or the time since the router was last restarted/reloaded <uptime>.
• Optionally add time zone, local time, and current year.
• Include millisecond timing in each message <msec>. For correlating logs across devices, datetime msec show-timezone is the useful combination; uptime cannot be correlated with anything outside the router.
Finding it in the configuration:
RTR7200# show running-config | include service timestamps
service timestamps debug …
service timestamps log …
Command:
• clock timezone <zone_name> <hours_offset> [<minutes_offset>]
• Sets the onboard clock to the correct timezone (a name of your choosing and its offset from UTC). Many sites keep network devices on UTC (offset 0) so that log timestamps from every device can be compared directly.
Finding it in the configuration:
RTR7200# show running-config | include clock timezone
clock timezone GMT 5
Command:
• clock summer-time <zone> recurring [<week> <day> <month> hh:mm <week> <day> <month> hh:mm]
• Sets the recurring start and stop times for summer time in your time zone.
• There are other formats for this command; however, it is only the presence of a summer-time configuration you’re concerned with. If the command is set, that’s good enough (it is unnecessary on devices kept on UTC).
Finding it in the configuration:
RTR7200# show running-config | include clock summer-time
clock summer-time zone … … …
Network Time Protocol (NTP)
Command:
• ntp authenticate
• Activates the ntp authentication procedure.
• Note that it is the server being authenticated, not the router: the router will only synchronise to a server whose packets carry a trusted key. Without this command the keys below are configured but not enforced.
Finding it in the configuration:
RTR7200# show running-config | include ntp authenticate
ntp authenticate
Command:
• ntp authentication-key <id#> md5 <key>
• Establishes the key to use for authenticating the ntp server.
• The key is used with the MD5 (128-bit) hashing algorithm, the only option on the IOS releases covered here (later releases add SHA-based options).
Finding it in the configuration:
RTR7200# show running-config | include ntp authentication-key
ntp authentication-key 1 md5 <encrypted_key> 7
• The key is stored in reversible type 7 form; it is visible to anyone who can read the configuration.
Command:
• ntp trusted-key <id#>
• Sets the key identified with id# as a trusted key, meaning that any external ntp server that uses this key can be used to synchronize the router’s time.
• The previous command establishes the key and the cryptotype (md5) and this command designates it as trusted.
Finding it in the configuration:
RTR7200# show running-config | include ntp trusted
ntp trusted-key 1
Command:
• ntp access-group { peer | query-only | serve | serve-only } { acl# | aclNAME }
• This access group should be configured; it names a standard access list of the hosts allowed to exchange time with the router.
• Which of the four options is used is a matter of local policy (peer is the most permissive; serve-only and query-only restrict what the listed hosts may do).
Finding it in the configuration:
RTR7200# show running-config | include ntp access
ntp access-group query-only 14
RTR7200# show access-lists 14
Standard IP access list 14
    10 permit 10.10.20.3
Command:
• ntp update-calendar
• Periodically copies the NTP-synchronized software clock into the hardware calendar (on platforms that have one), so the router starts with a reasonable time after a reload.
Finding it in the configuration:
RTR7200# show running-config | include ntp update
ntp update-calendar
Command:
• ntp server < ip_address | name > [key <#>] [prefer] [source <int>] [version <#>]
• Sets the ip address of the external time server.
• There should be at least two ntp servers defined.
• The key keyword is followed by the key number used to authenticate this server.
• prefer means that this server is preferred over any others.
• The source keyword is followed by an interface name. It will cause ntp to use the ip address of the designated interface for interactions with this specific server. It takes precedence over the global ntp source <int> command.
• version is followed by 1, 2, 3 or 4 (the keyword may be abbreviated to ver).
Finding it in the configuration:
RTR7200# show running-config | include ntp server
ntp server 216.119.69.113 key 1 prefer source Loopback0 version 3
• Confirm that the router has actually synchronised with show ntp status and show ntp associations; a server that fails authentication shows up there, not in the configuration.
Command:
• ntp source <int>
• NTP will use the ip address assigned to the interface <int> in all messages sent to all destinations.
Finding it in the configuration:
RTR7200# show running-config | include ntp source
ntp source Loopback0
Interfaces
Auxiliary Line (aux):
• no exec
  • disables the EXEC process on the line, so no command session can be started on it
• transport input none
  • prevents any protocol from being used to connect inbound
Finding it in the configuration:
RTR7200# show running-config | section line aux
Console Line (con0):
• login authentication < default | aaa_list >
  • forces aaa authentication
• exec-timeout <min> [<sec>]
  • sets an inactivity timeout for the console
• Unlike the vty lines (next section), which are accessible from across the network, the console port is accessible only through physical access. Because of this, configured security for it is less than for the vty lines, but authentication and the timeout are still required.
Finding it in the configuration:
RTR7200# show running-config | section line con
Virtual Terminal Lines (vty):
• login authentication < default | aaa_list >
  • forces aaa authentication
• exec-timeout <min> [<sec>]
  • sets an inactivity timeout for the vty lines
• transport input ssh
  • SSH must be used to connect to the line
• access-class <acl_VTY_ACCESS> in
  • contains authorized ip addresses
Finding it in the configuration:
RTR7200# show running-config | section line vty
Interface Configuration Commands:
• ip access-group <acl_INGRESS> in
  • Applies an in-bound access list
• ip access-group <acl_EGRESS> out
  • Applies an out-bound access list
• no ip directed-broadcast
  • This is the default since Cisco IOS 12.0 and does not appear in the config file.
  • In legacy IOS, this command should be included on every interface (directed broadcasts are what smurf-style amplification attacks rely on).
• no cdp enable
  • Even though already globally disabled (no cdp run), disabling cdp on each individual interface is a good idea.
• no ip mroute-cache
  • IP mroute caching configures fast-switching of multicast traffic.
  • Unless specifically required, it should be disabled.
  • mroute caching is not available in all versions of Cisco IOS.
• ip verify unicast reverse-path
  • Causes the router to examine every packet received on the interface to make sure that the source address appears in the routing table and that the best route back to it is via the interface on which the packet was received (strict mode). Spoofed packets fail this check.
  • This capability relies on the Forwarding Information Base (FIB), so ip cef must be enabled globally. Newer releases express the same check as ip verify unicast source reachable-via rx; the any keyword gives a loose mode that suits asymmetric routing.
• no ip redirects
  • An ICMP redirect is used to inform the sending device that a better route exists than the one used. An attacker could use this capability to cause a host to redirect its traffic to the attacker rather than the proper gateway.
• no ip unreachables
  • Also an ICMP message, this is usually disabled to prevent its being used in a denial of service (DoS) attack. The router could be flooded with improperly crafted packets, causing it to send an unreachable response to each. This could prevent the router from routing legitimate traffic.
  • Note that this also suppresses the fragmentation-needed unreachable on which path MTU discovery depends; where that matters, the global ip icmp rate-limit unreachable <ms> is an alternative to disabling them entirely.
• no ip proxy-arp
  • Normally, a Cisco router can “stand-in” for a host connected to it by using Proxy ARP, wherein the router responds to arp requests as if it were actually the host.
  • This is done in the interest of speed as well as ease of configuration on the host.
  • It is disabled to prevent a host from identifying itself as another host, thus causing the router to forward another host’s traffic to it.
Finding it in the configuration:
RTR7200# show running-config | section interface fastethernet0/1
RTR7200# show running-config | section interface serial1/1