Version 0.02 Cisco Route-Switch Security Audit (RSSA) pg. 1

Not all options discussed are available under all versions of the various Cisco operating systems. Before attempting to determine the security posture of a Cisco device, research should be conducted on the capabilities of the installed IOS using the Cisco Feature Navigator or a similar Cisco-provided tool.

There are as many ways to secure networking devices as there are devices. It is technically and tactically impossible to spell out exactly what needs to be done to determine whether or not a generic device is securely configured. What follows is a compilation of recommendations from over a dozen sources. Generally, the commands illustrated here should suffice to secure any network device in isolation. Once the device is incorporated into a viable network, modifications will probably be necessary.

Cisco equipment, like most networking equipment, functions at three distinct operational planes: management, control, and data. Each plane has different security requirements and is configured using a unique set of security commands. This document attempts to group the various commands into categories under each of the three planes of operation. Each plane affects the other two: should either the control plane or the management plane be compromised, the other, in addition to the data plane, will be adversely affected. It is therefore vitally important that each plane be vigorously safeguarded against attack.

The best known auditing tool for Cisco routers is the Router Audit Tool, or RAT. Developed by the Center for Internet Security (CIS), it was written to help audit configurations on Cisco routers. It does not work on switches, firewalls, or other Cisco devices. It works by applying baseline tests against the running configuration loaded on the router. A more detailed description is provided by the rat.txt file from version 2.4.1: “rat audits router configurations.
If you have already downloaded the [router] configuration files by some other means, you may specify the path to those files on the command line. Alternately, with the use of the --snarf switch, rat will log into the routers specified (you have to provide login info), pull down the configurations, audit them against a set of rules and produce several output files for each router. One is a passwd style file listing all rules, pass/fail and other info. Two is a simple text-based report. Three is a ‘fix’ file suitable for cut-and-paste into config mode to fix the problems identified. Four is an HTML version of the report.”

Management Plane

1. Configuration Management

A. Configuration file archive:

    archive
     path flash:backup-config
     maximum 10
     time-period 1440
     write-memory

This configuration instructs the IOS to create up to 10 backup configuration files (also referred to as archived configs) named backup-config-N, where N is the number of the backup, on the flash: file system named in the path command; to create a new backup once a day (1440 minutes); and to create a new backup whenever the write memory command is issued.

B. Configuration change log:

    archive
     log config
      logging enable
      logging size 150
      hidekeys
      notify syslog

Part of the archive configuration, this series of commands creates log entries containing data on configuration changes. Each log entry identifies the user who made the change, the command that was entered, and the time it was executed. The hidekeys option prevents the logging of passwords, and notify syslog generates a syslog entry. To view the log entries, use show archive log config all.

C.
Rolling back configuration files:

    configure replace <filesystem>:<filename>   – replaces the running configuration with the file named <filename> located on <filesystem>

For example, configure replace flash:backup-config-7 replaces the running-config with the file named backup-config-7 stored on the flash: file system.

    show archive   – lists the backup files contained in the file systems

D. Exclusive Configuration Change Access:

    configuration mode exclusive auto     – automatically locks the configuration as soon as an administrator issues the configure terminal exec-level command
    configuration mode exclusive manual   – allows the administrator to use the configure terminal lock command to gain exclusive access to the configuration file

E. Resilient Configuration:

    secure boot-image     – securely stores the IOS image currently in use
    secure boot-config    – securely stores a copy of the configuration file
    show secure bootset   – displays the current running state of the resilient configuration

2. Access

A. Accessing the management plane should be accomplished through the use of a loopback interface. Loopback interfaces never go down: as long as the administrator can reach the IOS through any physical interface on the device, a connection can be established with the loopback.

    interface loopback <number>

B. exec, login, and motd banners must be set. In the output of the show run command:

    banner [ exec | login | motd ] ^C
    BANNER TEXT
    ^C

C. Typically, line connections (vty, tty, and console) time out after ten minutes of inactivity.

    line [ vty | con | tty ]
     exec-timeout <minutes> [seconds]

A setting of 0 (zero) for <minutes> disables this feature. A timeout of 10 minutes is the default setting and will not show up in the configuration file.

D. The auxiliary port (aux) should be disabled:

    line aux 0
     no exec
     transport input none

E.
Access to the lines must be limited to authorized IP address(es) only:

    access-list <#> permit tcp [ ip_address wildcard_mask | host ip_address ] any
    access-list <#> deny ip any any
    line [ vty | con | tty ] [ beg# end# ]
     access-class <#> in

F. Telnet/SSH/SCP – Secure Copy (SCP) is part of the Secure Shell (SSH) package. Activating SSH requires a series of commands:

    hostname <hostname>
    ip domain-name <domain.name>
    crypto key generate rsa           – activates SSH (the RSA key pair it generates is used by the SSH server)
    ip ssh version 2                  – should be set to version 2
    ip ssh time-out 60                – default is 120 seconds
    ip ssh authentication-retries 2   – allowed login attempts
    line vty 0 4                      – activate for all 5 vty lines
     transport input ssh              – forces SSH connections; telnet is no longer allowed
    ip scp server enable              – activates the secure copy server

G. HTTP/HTTPS – Cisco devices provide a web-based interface for displaying configuration information and, alternatively, configuring it. Routers and firewalls provide actual web-based device management applications such as the Security Device Manager and the Adaptive Security Device Manager. To ensure that configuration information is not exposed to malicious users, the secure HTTP server should be used. Typically, on Cisco routers:

    no ip http server       – turns off the unsecure http server
    ip http secure-server   – turns on the secure server

Because the http server(s) provide access to the management plane, access to the http server(s) must be controlled as well. Access to the servers can be controlled through the use of the access control lists discussed elsewhere in this document or through a configuration command. The format of these commands is dependent on the device. Typically, the command would be one of the following:

    ip http authentication local   – uses the local database
    ip http authentication aaa     – uses AAA authentication

Some form of the command ip http authentication <option> should exist.

H.
FTP/TFTP:

1) Cisco recommends that the FTP server on its devices be disabled unless necessary for a specific purpose. The FTP server is disabled by default and has been removed in newer versions of the IOS. Secure Copy (SCP) should be used in its place. The command ftp server enable activates the FTP server on versions of the IOS that still support it.

2) In older versions of Cisco IOS, the TFTP server can be configured with multiple lines. If there are lines in the configuration file beginning with tftp-server, every one of them needs to be removed using the no form of the command. The TFTP server is disabled by default and has been removed from newer versions of the IOS.

3. Authentication

A. Local

1) username <name> privilege <level> secret <password> – creates a local user named <name> who has exec privilege <level> and an MD5-hashed <password>. The first execution of this command creates a local database on the device; subsequent executions add new users to this database.

2) Local users should have only the minimal privilege level they need. Users at level 1 (one) have very basic access, while those at level 15 have unlimited access. Standard Operating Procedures (SOP) should include guidelines for the specific assignment of access levels.

3) login local – when configured on a line, causes the IOS to authenticate logins against the user accounts stored in the local database.

4) Password retry lockout – using AAA (see the next section), it is possible to lock out a local user account after a specific number of failed password attempts:

    aaa local authentication attempts max-fail <max-attempts>

Once locked out, an account remains locked out until a user with level 15 access unlocks it. It is not possible for level 15 users to lock themselves out.

B. Authentication, Authorization, and Accounting (AAA)

1) AAA should be configured.
The first step is to activate it:

    aaa new-model

2) AAA authentication is enforced through the use of method lists. These are collections of procedures, or “methods”, which will be used in sequence to authenticate logins.

3) The aaa command takes the following subcommands (as listed by the ? help output):

    accounting      accounting configuration parameters
    attribute       AAA attribute definitions
    authentication  authentication configuration parameters
    authorization   authorization configuration parameters
    cache           AAA cache definitions
    configuration   Authorization configuration parameters
    dnis            Associate certain AAA parameters to a specific DNIS number
    group           AAA group definitions
    local           AAA local method options
    max-sessions    Adjust initial hash size for estimated max sessions
    memory          AAA memory parameters
    nas             NAS specific configuration
    new-model       enable NEW access control commands & functions
    pod             POD processing
    policy          AAA policy parameters
    route           static route downloading
    server          local AAA server
    session-id      AAA Session ID
    session-mib     AAA session MIB options
    traceback       traceback recording
    user            AAA user definitions

4) The aaa authentication command takes the following subcommands:

    arap             set authentication list for arap
    attempts         set maximum number of authentication attempts
    banner           message to use when starting login or authentication
    dot1x            set authentication lists for IEEE 802.1x
    enable           set authentication list for enable
    eou              set authentication list for EAPoUDP
    fail-message     message to display for failed login or authentication
    login            set authentication lists for logins
    password-prompt  text to use when prompting for a password
    ppp              set authentication lists for ppp
    sgbp             set authentication lists for sgbp
    suppress         do not send access request for a specific type of user
    username-prompt  text to use when prompting for a username

5) TACACS+

6) RADIUS

C. Passwords – When MD5 is used to hash a password, the resulting hash value replaces the plaintext password in the configuration file.
When a user enters a password, it is hashed and the resulting hash value is compared to the one stored in the configuration. When examining the configuration file, the user will see only the hash values, not the passwords.

1) enable secret – sets the password for privileged exec mode and hashes it using the MD5 hashing algorithm. The enable password command uses a proprietary encryption algorithm which provides no security and should not be used.

2) service password-encryption – causes passwords on the device to be encrypted using a proprietary scheme based on a simple Vigenère cipher. Its purpose is to prevent the casual observation of the passwords, not to secure them.

3) no service password-recovery – prevents anyone with console access from insecurely accessing the device configuration and clearing the password; it prevents users from changing the configuration register values to allow NVRAM access.

4) username <name> secret <password> – using the secret keyword in the username command causes the user’s password to be hashed using MD5.

5) Although line passwords become superfluous when local authentication or AAA is configured, they should still be set to guarantee some level of access control.

    line [ vty | con | tty ] [ beg# end# ]
     password <strong_password>

6) Password retry lockout is enabled using the AAA feature. It is discussed under the local authentication section (3.A.4 above).

4. Logging/Monitoring

A. Syslog – Syslog entries should be directed to a syslog server. There are several options available from the command line.

1) To activate the logging function:

    logging on

2) To send syslog traffic to a remote host (some IOS versions require the host keyword):

    logging [host] <server_ip_address>

3) To temporarily store syslog messages in memory (see 5 below for the description of trap levels):

    logging buffered <buffer_size> <trap_level>

4) Newer IOS versions support writing syslog traffic to persistent memory.
Using this method allows the administrator to copy the buffered syslogs to a remote FTP server. Assuming there is an ATA flash disk on the router, the following commands can be used:

    logging buffered
    logging persistent url disk0:/<filename> size <max_memory> filesize <max_filesize>

5) There are 8 levels of logging available, numbered 0 through 7. Setting a specific level with the logging trap <#> command causes log messages at or below that level to be generated. Setting the trap level to 7 can cause excessive CPU load, which can lead to network instability.

    logging trap 6       – logs all messages from levels 0 through 6
    logging buffered 6   – the same level, used for buffered syslog traffic

The textual name of the level can be used in lieu of the number. For example, the command logging trap informational is equivalent to logging trap 6.

6) To avoid excessive CPU load, logging messages should not be sent either to the console or to a vty line being used as a monitor. Ensure that these options are disabled:

    no logging console
    no logging monitor

7) The management loopback interface address should be used as the source address for all syslog traffic. Using the same interface configured for management (see 2.A above) provides a consistent method of identifying the source of the traffic.

    logging source-interface loopback 0

8) Assuming NTP (see D below) is configured on each device, the following logging configuration ensures that all syslog traffic is time-stamped consistently to the millisecond. Consistent time-stamping is absolutely essential for event correlation.

    service timestamps log datetime msec show-timezone localtime

B. Simple Network Management Protocol (SNMP):

1) If SNMP is not to be used, disable the server:

    no snmp-server

2) Community Strings: SNMP is protected through the use of two passwords called community strings.
One community string allows read-only access to attributes in the Management Information Base (MIB) of the device, while the other allows write access to the same attributes. The two community strings must be different to provide adequate security. Additionally, best practices dictate that they be carefully chosen, changed often, and constructed of complex character sequences.

    snmp-server community <read_only_password> RO
    snmp-server community <read_write_password> RW

3) The default community strings for SNMP are “public” for RO access and “private” for RW access. If SNMP is enabled, these strings must not be active. Make sure they are set as above.

4) Access to SNMP can be controlled through the use of a standard access control list. If, for example, we wanted only a single network management station (NMS) to have read-write access to SNMP, we would first create an access list and then apply it to the server command. A second access list could be applied to the read-only setting to allow all other stations in the LAN access to it.

    access-list 14 permit 192.168.5.12
    access-list 15 permit 192.168.5.0 0.0.0.255
    snmp-server community <read_only_community_string> RO 15
    snmp-server community <read_write_community_string> RW 14

5) SNMP can submit traps. Traps are alerts generated by many different subsystems on the router. Activate traps with the following:

    snmp-server enable traps snmp [authentication] [linkup] [linkdown] [coldstart] [warmstart]

If active, traps should be sent to a specific SNMP server:

    snmp-server host <ip_address> <trap_community_string>

If traps are not in use, they should be disabled:

    no snmp-server enable traps

6) SNMP Views: A complete understanding of SNMP views requires a thorough understanding of the MIB. A MIB is divided into categories of attributes, some of which are internet, directory, mgmt, and system.
To limit everyone in the network described in 4) above to only the directory group of the MIB, you would create a view and then assign a community string and an access list to it:

    snmp-server view DIRECTORY_ONLY directory include
    snmp-server community <directory_only_community_string> view DIRECTORY_ONLY RO 15

7) For SNMPv3, encryption and authentication of messages must be enforced. The first step in that process is to require privacy for every SNMPv3 group:

    snmp-server group <group_name> v3 priv

The next step is to configure authentication and encryption for each user:

    snmp-server user <user_name> <group_name> v3 auth sha <auth_password> priv aes 256 <priv_password> access <acl_name_or_number>

C. NetFlow –

D. Network Time Protocol (NTP)

1) To enable NTP authentication:

    ntp authenticate

2) To configure an authentication key for use in synchronizing with other devices:

    ntp authentication-key <number> md5 <value>

<number> can be any number from 1 to 4294967295. The md5 keyword indicates that the MD5 hashing algorithm should be used to hash the <value>, which is an arbitrary string of up to 8 characters.

3) To restrict which remote devices are allowed to interact with the NTP service on the device, use the ntp access-group command. Proper use of this command is determined by the network to which the device is connected. If the command is used, the correct format is:

    ntp access-group <query-only | serve-only | serve | peer> <access_list_number>

    query-only   allows NTP control queries only
    serve-only   allows time requests only
    serve        allows time requests and control queries
    peer         allows time requests and control queries, and synchronization with the remote system

5. Disabling unused services

A. Small TCP and UDP services can be used for denial of service attacks. Cisco recommends that these services be disabled, which they are in newer IOS versions. In older IOS versions, turn them off using the no service tcp-small-servers and no service udp-small-servers commands.
Services affected by these commands include echo (port 7), discard (port 9), daytime (port 13), and chargen (port 19).

B. Other services should be disabled individually:

1) no ip finger – The finger service lists all currently logged-in users.

2) no ip bootp server – BOOTP could allow a malicious user to obtain an IP address.

3) no ip directed-broadcast – Directed broadcasts are used by the Smurf attack. On newer IOS versions, this is disabled by default. It should not be enabled unless specifically required.

4) no ip source-route – IP source routing allows the originator of an IP packet to dictate the path the packet should take to its destination. It is disabled by default. It should only be enabled if it is specifically required.

5) no ip unreachables – ICMP unreachable messages can be used to map out the network topology. It is disabled by default. It should only be enabled if specifically required.

6) ip dhcp bootp ignore – DHCP can respond to BOOTP requests. Issuing this command sets the DHCP server to ignore all BOOTP requests and respond only to DHCP requests.

7) no service dhcp – DHCP could allow a malicious user to obtain an IP address.

8) no mop enabled – The Maintenance Operation Protocol (MOP) is used for uploading and downloading system software and for remote testing. Odds are it isn’t necessary.

9) no ip domain-lookup – If DNS is not implemented in your network, you should disable it on your network devices.

10) no service pad – The packet assembler/disassembler is a service used by X.25 networks.

11) no ip http server – Cisco devices can be accessed through an embedded web page or device manager. If it is necessary to allow HTTP access, use the ip http secure-server command to provide HTTPS access.

12) no ip http secure-server – If not needed, turn off the secure server as well.

13) no service config – Unless configuration files are being downloaded over the network, the config service is not required.

6. Discovery

A.
Cisco Discovery Protocol (CDP) – CDP is not secure. It should not be used on any interface which faces an untrusted area.

1) no cdp enable – disables CDP on an individual interface; must be entered in interface configuration mode

2) no cdp run – disables CDP globally; must be entered in global configuration mode

B. Link Layer Discovery Protocol (LLDP) – Configure LLDP using the same parameters as CDP.

1) no lldp transmit and no lldp receive – interface configuration mode

2) no lldp run – global configuration mode

7. service tcp-keepalives-[ in | out ] – To ensure that TCP connections with remote devices remain viable, keepalive messages must be sent on both inbound and outbound connections.

Control Plane

Data Plane
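The RAT-style baseline tests described in the introduction, applied to a handful of the management-plane items above (the line settings of 2.C through 2.F, the http server of 2.G, enable secret of 3.C.1 and the SNMP community rules of 4.B), as an added example that is not part of the RSSA document or of the CIS RAT tool. The running-config it checks is constructed for the demonstration, and the rule identifiers refer to the section numbers above.

```python
import re

# Constructed sample running-config (not captured from a real device), seeded with findings.
SAMPLE_CONFIG = """\
hostname demo-rtr
enable password cisco123
ip ssh version 1
ip http server
snmp-server community public RO
snmp-server community rw-placeholder RW 14
line aux 0
 transport input all
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
"""

def parse_config(text):
    """Split a config into global commands and 'line ...' stanzas (IOS indents
    sub-commands by one space; stanzas we do not audit are discarded)."""
    global_cmds, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                stanzas[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, stanzas

def audit(text):
    """Return (checklist section, message) pairs for items the config fails."""
    global_cmds, stanzas = parse_config(text)
    findings = []
    def present(pattern):  # anchored at the start of a command, like a RAT rule
        return any(re.match(pattern, c) for c in global_cmds)
    if present(r"enable password "):
        findings.append(("3.C.1", "enable password set; use enable secret instead"))
    if not present(r"ip ssh version 2$"):
        findings.append(("2.F", "ip ssh version 2 is not configured"))
    if present(r"ip http server$"):
        findings.append(("2.G", "plaintext ip http server is enabled"))
    for cmd in global_cmds:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", cmd)
        if m and m.group(1) in ("public", "private"):
            findings.append(("4.B.3", f"default community string {m.group(1)!r} is active"))
        if m and m.group(3) is None:
            findings.append(("4.B.4", f"{m.group(2)} community has no access-list"))
    for name, cmds in stanzas.items():
        kind = name.split()[1]
        if kind == "aux" and "no exec" not in cmds:
            findings.append(("2.D", f"{name}: aux port not disabled with 'no exec'"))
        if kind == "vty" and "transport input ssh" not in cmds:
            findings.append(("2.F", f"{name}: transport input is not ssh-only"))
        if kind == "vty" and not any(re.match(r"access-class \S+ in$", c) for c in cmds):
            findings.append(("2.E", f"{name}: no inbound access-class"))
        if any(re.match(r"exec-timeout 0( 0)?$", c) for c in cmds):  # 0 minutes = never
            findings.append(("2.C", f"{name}: idle exec-timeout is disabled"))
    return findings
```

Running audit(SAMPLE_CONFIG) reports nine failures; a config that follows the checklist returns an empty list.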