Add to collection(s) Add to saved
  1. No category
Uploaded by valnyenty

Router Security Baseline Configuration Guide

advertisement 
Router Security Baseline
configurations:
! ## Configure Host Name
!
Hostname Router1
!
! ## Configure domain Name
!
ip domain name istconsulting-cam.com
!
!## Generate RSA Key. Use key size of 4096. Minimum should be 2048.
!
Crypto key generate rsa mod 4096
!
!## Configure AAA, Tacacs+ group and tacacs+ source interface and Tacacs+ key
!## It is preferred to use a loopback interface (Loopback0) as tacacs source.
!
!
aaa new-model
aaa session-id common
!
!
aaa group server tacacs+ gns3group
server name tacacsgui
!
tacacs server tacacsgui
address ipv4 192.168.1.1
key TACKEY1
!
ip tacacs source-interface loopback 0
!
!
! ## Configure Authentication, authorization and accounting defaults. Applicable to all management
!## interfaces.
!
aaa authentication login default group gns3group local
aaa authentication enable default group gns3group enable
aaa authorization console
aaa authorization exec default group gns3group local
aaa authorization commands 1 default group gns3group local
aaa authorization commands 15 default group gns3group local
aaa accounting exec default start-stop group gns3group
aaa accounting commands 1 default start-stop group gns3group
aaa accounting commands 15 default start-stop group gns3group
aaa accounting system default start-stop group gns3group
!
!## configure access list for SSH access
!
ip access-list extended SSH-ACCESS
permit tcp 192.168.31.0 0.0.0.255 any eq 22
deny ip any any log
!
!## Configure username for fall back if Tacacs+ server is not available (Password of Last resort- POLR)
!
username admin privilege 1 secret fallbackpasswd
!
!
!## configure SSH global parameters . Use next generation cryptographic, hash and key management
!## parameters
!
crypto key generate rsa label SSH-KEY modulus 4096
ip ssh rsa keypair-name SSH-KEY
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha1
ip ssh maxstartups 3
ip ssh time-out 60
ip ssh version 2
ip ssh dh min size 4096
ip ssh authentication-retries 2
ip ssh logging events
!
!## Configure VTY Lines
!
line vty 0 4
login authentication default
session-timeout 10
access-class SSH-ACCESS in
transport input ssh
transport output ssh
transport preferred none
exec-timeout 10
!
!## Configure Line AUX
!
line aux 0
login authentication default
no password
no exec
exec-timeout 10
transport output none
privilege level 0
!
!## Configure console
!
line con 0
login authentication default
session-timeout 10
transport preferred none
transport output none
exec-timeout 10
!
!## Disable HTTP and HTTPs
!
no ip http server
no ip http secure-server
!
! ## Configure SNMP V3
!
!
!
ip access-list standard SNMP-MANAGER-NET
permit 192.168.31.0 0.0.0.255
exit
!
snmp-server trap-source Loopback0
snmp-server location '{"city": "Douala", "zip": "24112", "site": "SODIKO-Bonaberi","st": "LT", "bu": "ISTCONSULTING-CAM", "addr1": "Behind Fokou"}'
snmp-server contact Valantine Nyenty
snmp-server chassis-id HP_LAPTOP
!
snmp-server ifindex persist
!
snmp-server view snmp-read-only iso included
snmp-server view snmp-read-only internet included
snmp-server view snmp-read-only at excluded
snmp-server view snmp-read-only ip.21 excluded
snmp-server view snmp-read-only ip.22 excluded
!
snmp-server group gns3-snmp-group v3 priv read snmp-read-only access SNMP-MANAGER-NET
!
snmp-server user snmpuser1 gns3-snmp-group v3 auth sha snmpuser1pw pri aes 256 snmpuser1pw
!
snmp-server host 192.168.31.2 version 3 priv snmpuser1
!
snmp-server enable traps snmp authentication linkdown linkup
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps cpu threshold
!
! ## configure banners
!
banner exec #
********************************************************************************
*
ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL
*
*
*
* IST CONSULTING owns and maintains this computer system. Your use of this *
* and other IST CONSULTING computer systems signifies your agreement that you *
* will use the systems for business purposes only in accordance with
*
* IST CONSULTING policies and standards. Except as otherwise provided by *
* applicable law, your use of those systems is not covered by any right
*
* of privacy. IST CONSULTING from time to time monitors the use of its
*
* systems to detect security problems, improper uses of the systems and
*
* for other purposes, all as permitted by law. Your use of IST CONSULTING *
* systems, including your e-mail messages, may become public outside of
*
* IST CONSULTING for unanticipated reasons such as litigation involving
*
* IST CONSULTING.
*
*
*
********************************************************************************
#
!
!
banner login #
********************************************************************************
*
ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL
*
*
*
* IST CONSULTING owns and maintains this computer system. Your use of this *
* and other IST CONSULTING computer systems signifies your agreement that you *
* will use the systems for business purposes only in accordance with
*
* IST CONSULTING policies and standards. Except as otherwise provided by *
* applicable law, your use of those systems is not covered by any right
*
* of privacy. IST CONSULTING from time to time monitors the use of its
*
* systems to detect security problems, improper uses of the systems and
*
* for other purposes, all as permitted by law. Your use of IST CONSULTING *
* systems, including your e-mail messages, may become public outside of
*
* IST CONSULTING for unanticipated reasons such as litigation involving
*
* IST CONSULTING.
*
*
*
********************************************************************************
#
!
!
banner motd #
********************************************************************************
*
ACCESS IS RESTRICTED TO AUTHORIZED PERSONNEL
*
*
*
* IST CONSULTING owns and maintains this computer system. Your use of this *
* and other IST CONSULTING computer systems signifies your agreement that you *
* will use the systems for business purposes only in accordance with
*
* IST CONSULTING policies and standards. Except as otherwise provided by *
* applicable law, your use of those systems is not covered by any right
*
* of privacy. IST CONSULTING from time to time monitors the use of its
*
* systems to detect security problems, improper uses of the systems and
*
* for other purposes, all as permitted by law. Your use of IST CONSULTING *
* systems, including your e-mail messages, may become public outside of
*
* IST CONSULTING for unanticipated reasons such as litigation involving
*
* IST CONSULTING.
*
*
*
********************************************************************************
#
!
!
!
!! Configure Time zone
!
clock timezone WAT 1
!
!
!! Configure NTP
!
!! Configure router as NTP Server
!
!
ip access-list extended NTP-CLIENTS
permit ip 10.200.200.0 0.0.0.255 10.200.200.0 0.0.0.255
!
ntp authentication-key 10 md5 <ntp-key-10>
ntp authenticate
ntp trusted-key 10
ntp source Loopback0
ntp access-group serve-only NTP-CLIENTS
ntp master 3
ntp update-calendar
!
!! Configure NTP Client
!
ntp authentication-key 10 md5 ntp-key-10
ntp authenticate
ntp trusted-key 10
ntp source Loopback0
ntp server 10.200.200.1 prefer source Loopback0
!
!! Configure Logging
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
!
logging on
logging facility syslog
logging source-interface Loopback0
logging host 192.168.31.2
logging trap informational
logging buffered 64000 debugging
logging rate-limit all 100 except critical
logging console critical
!
!! Enable local passwords encryption
!
service password-encryption
!
!! Disable unnecessary services
!
!
!! BOOTP, IP Source Routing, PAD Disable global service on ALL ROUTERS
!
no ip bootp server
no ip source-route
no service pad
!
! ! Global Services disabled by default (all routers)
!
no service finger
no ip identd
no service tcp-small-servers
no service udp-small-servers
!
! Disable CDP, MOP, IP Redirects on EXTERNAL facing interfaces
!
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx
no cdp enable
no mop enabled
no ip directed-broadcast
!
! Disable MOP, IP Redirects on ACCESS interfaces
!
interface FastEthernet2/0
no ip redirects
no ip proxy-arp
ip verify unicast source reachable-via rx
no mop enabled
!
!! Change the privilege level of some default commands
!
privilege exec level 10 reload
privilege exec level 10 show ip route
privilege exec all level 10 show ip interface
privilege exec level 15 clear counters
!
!! Log Logging success and failure. Block for 30 minutes when five attempts exceeded
!! delay between login attempts, configure exception for legitimate management stations
!
login block-for 1500 attempts 5 within 180
login on-failure log
login on-success log
login delay 10
access-list 10 permit 192.168.31.0
login quiet-mode access-class 10
!
!!! Secure backup configuration
! ! The path is where the archiving will save the configs to.
! ! The string will also hold the credentials
! ! example string:
!! path scp://<username>:<password>@<linux_machine>://<path_on_linux_machine>
! ! add command logging for the last 200 commands with passwords hidden
!!
!! Note : SSH Must be setup and working correctly. SCP server must be setup and IP connectivity tested.
!! user created in SCP server (Username : scpadmin, Password: scppw)
Line vty 0 4
Transport output ssh
!
!
Archive
path scp://scpadmin:scppw@192.168.31.2/$h/$h-$t
wr
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
!
! ! To Manually save the configuration, issue command “archive config “ on privilege exec mode.
!
!! To automatically save the config, use one of the following.
! method 1 – use Kron (preferred method)
! ! Configure kron : Start in privileged mode
!
! create the policy with two commands
kron policy-list Config_Backup
cli write memory
cli archive config
!
!! Create occurrence
!
!
kron occurrence weekly at 23:50 Sat recurring
kron policy-list Config_Backup
!
!! Second method. Use time-period (Minutes) in archive configuration
!
archive
path scp://scpadmin:scppw@192.168.31.2/$h/$h-$t
write-memory
time-period 10080
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
!
!
! configure TCP keepalive to detect crashed sessions and close them.
!
service tcp-keepalives-in
service tcp-keepalives-out
!
!!!! Configure source interfaces to loopback 0
!
ip ssh source-interface loopback 0
ntp source Loopback 0
ip tacacs source-interface Loopback0
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
logging source-interface Loopback 0
!!!
!!!
!!!Configure control plane policing and Control Plane protection
!!
ip access-list extended coppacl-bgp
remark BGP traffic class
permit tcp 192.168.31.0 0.0.0.15 host 192.168.31.4 eq bgp
permit tcp 192.168.31.0 0.0.0.15 eq bgp host 192.168.31.4
!
!
ip access-list extended coppacl-igp
remark IGP (EIGRP)
permit eigrp any any
!
!
ip access-list extended coppacl-interactivemanagement
remark CoPP interactive management traffic class
! permit return traffic from TACACS+ Servers (loopback interfaces used as source)
permit tcp host 192.168.1.1 host 10.200.200.1 established
! SSH & SCP access to the router from a subnet
permit tcp 192.168.31.0 0.0.0.255 host 10.200.200.1 eq 22
! SNMP access from the management segment to the router
permit udp 192.168.31.0 0.0.0.255 host 10.200.200.1 eq snmp
! Allow the router to receive NTP packets from a known clock sources
permit udp 10.200.200.0 0.0.0.255 host 10.200.200.1 eq ntp
permit udp host 10.200.200.1 eq ntp 10.200.200.0 0.0.0.255
!
permit udp host 192.168.31.2 host 10.200.200.1 eq 514
permit udp host 10.200.200.1 host 192.168.31.2 eq 514
!
!
ip access-list extended coppacl-filemanagement
remark CoPP file management traffic class
! Allow router initiated FTP (active and passive)
permit tcp 192.168.31.0 0.0.0.255 eq 21 host 10.200.200.1 gt 1023 established
permit tcp 192.168.31.0 0.0.0.255 eq 20 host 10.200.200.1 gt 1023
permit tcp 192.168.31.0 0.0.0.255 gt 1023 host 10.200.200.1 gt 1023 established
! Allow router initiated TFTP
permit udp 192.168.31.0 0.0.0.255 gt 1023 host 10.200.200.1 gt 1023
!
!
ip access-list extended coppacl-reporting
remark CoPP reporting traffic class
! permit SAA generated ICMP requests from SAA source routers
permit icmp 10.200.200.0 0.0.0.255 host 10.200.200.1 echo
permit icmp 10.200.200.0 0.0.0.255 host 10.200.200.1 echo-reply
permit icmp 192.168.0.0 0.0.127.255 host 10.200.200.1 echo
permit icmp 192.168.0.0 0.0.127.255 host 10.200.200.1 echo-reply
!
!
ip access-list extended coppacl-monitoring
remark CoPP monitoring traffic class
! permit router originated traceroute
permit icmp 192.168.0.0 0.0.127.255 host 10.200.200.1 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 10.200.200.1 port-unreachable
permit icmp 192.168.0.0 0.0.127.255 host 192.168.31.4 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 192.168.31.4 port-unreachable
permit icmp 192.168.0.0 0.0.127.255 host 192.168.2.254 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 192.168.2.254 port-unreachable
permit icmp 192.168.0.0 0.0.127.255 host 192.168.0.254 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 192.168.0.254 port-unreachable
permit icmp 192.168.0.0 0.0.127.255 host 192.168.4.254 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 192.168.4.254 port-unreachable
permit icmp 192.168.0.0 0.0.127.255 host 192.168.1.254 ttl-exceeded
permit icmp 192.168.0.0 0.0.127.255 host 192.168.1.254 port-unreachable
! permit receipt of responses to router originated pings
permit icmp any any echo-reply
! allow pings to router
permit icmp any any echo
!
!
ip access-list extended coppacl-critical-app
remark CoPP critical apps traffic class
! permit HSRP
permit ip any host 224.0.0.2
!
!
ip access-list extended coppacl-undesirable
remark explicitly defined undesirable traffic
! permit for policing all traffic destined to UDP 1434
permit udp any any eq 1434
!
!
!
!
! Define a class for each type of traffic and associate it with an ACL
class-map match-all coppclass-bgp
match access-group name coppacl-bgp
class-map match-all coppclass-igp
match access-group name coppacl-igp
class-map match-all coppclass-interactivemanagement
match access-group name coppacl-interactivemanagement
class-map match-all coppclass-filemanagement
match access-group name coppacl-filemanagement
class-map match-all coppclass-reporting
match access-group name coppacl-reporting
match ip dscp ef af31 af21 default
class-map match-all coppclass-monitoring
match access-group name coppacl-monitoring
class-map match-all coppclass-critical-app
match access-group name coppacl-critical-app
class-map match-all coppclass-undesirable
match access-group name coppacl-undesirable
!
!
!
!
!
policy-map copp-policy
!
!
class coppclass-bgp
police 80000 8000 8000 conform-action transmit exceed-action drop
!
!
class coppclass-igp
police 80000 8000 8000 conform-action transmit exceed-action drop
!
!
class coppclass-interactivemanagement
police 10000000 100000 100000 conform-action transmit exceed-action drop
!
!
class coppclass-filemanagement
!
!
class coppclass-reporting
police 500000 5000 5000 conform-action transmit exceed-action drop
!
!
class coppclass-monitoring
police 500000 5000 5000 conform-action transmit exceed-action drop
!
!
class coppclass-critical-app
police 500000 5000 5000 conform-action transmit exceed-action drop
!
!
class coppclass-undesirable
police 50000 1500 1500 conform-action drop exceed-action drop
!
!
class class-default
police 10000000 100000 100000 conform-action transmit exceed-action drop
!
!
!
!
! Applies the defined CoPP policy to the control plane
control-plane
service-policy input copp-policy
service-policy output copp-policy
!
!
!
!
!
! The following example shows how to configure a port-filter policy to drop all traffic destined to closed
or "nonlistened" TCP/UDP ports:
!
!
class-map type port-filter pf-class
match closed-ports
exit
!
policy-map type port-filter pf-policy
class pf-class
drop
exit
exit
!
!
!
!
!
! The following example shows how to configure a queue-threshold policy to set the queue limit for
SNMP protocol traffic to 50 ! Telnet traffic to 50, and all other protocols to 150:
!
!
class-map type queue-threshold qt-snmp-class
match protocol snmp
class-map type queue-threshold qt-telnet-class
match protocol telnet
class-map type queue-threshold qt-ssh-class
match protocol ssh
class-map type queue-threshold qt-syslog-class
match protocol syslog
class-map type queue-threshold qt-dns-class
match protocol dns
class-map type queue-threshold qt-tftp-class
match protocol tftp
class-map type queue-threshold qt-other-class
match host-protocols
exit
!
!
policy-map type queue-threshold qt-policy
class qt-snmp-class
queue-limit 50
class qt-telnet-class
queue-limit 50
class qt-ssh-class
queue-limit 50
class qt-dns-class
queue-limit 50
class qt-syslog-class
queue-limit 50
class qt-tftp-class
queue-limit 50
class qt-other-class
queue-limit 150
exit
exit
!
!
control-plane host
service-policy type port-filter input pf-policy
service-policy type queue-threshold input qt-policy
!
!
Related documents
APPLICATION FOR PARKING PERMIT Student ID # __________________________________________________ For Term _____________________________________________________
APPLICATION FOR PARKING PERMIT Student ID # __________________________________________________ For Term _____________________________________________________
INDEPENDENT SCHOOL DISTRICT 196 Rosemount, Minnesota 55068-4199 SERIES NUMBER __707.5.3.3P
INDEPENDENT SCHOOL DISTRICT 196 Rosemount, Minnesota 55068-4199 SERIES NUMBER __707.5.3.3P
Download
advertisement