Securing the Router
Chris Cunningham
chris.Cunningham@nhcomputerlearning.com
CCSI #33650
CCNA & CCNP Routing and Switching / CCNA Security
MCITP (Server Enter. Admin & Vista), MCTS (Server 08 & Vista)
A+, Network+, Security+

Before Implementing Security Changes
• Consult change management documents and processes
• Lab it up to be sure it will do what you think it will do
• Consult security documentation to verify it fits in with the security policy of the organization
• Above all else, when finished... Document!!

Planes of Security
Management Plane: how techs connect to the device
Control Plane: how the router decides to forward traffic
Data Plane: the data being forwarded

Management Plane

Encrypted Communications
• SSH version 2
• HTTPS for GUI configuration

Secure Login
• Use RADIUS or TACACS+ (the server name RADIUS-1 below is a placeholder; the address and key are separate commands in the radius server sub-mode)
  Router(config)# aaa new-model
  Router(config)# radius server RADIUS-1
  Router(config-radius-server)# address ipv4 10.0.0.1 auth-port 1812 acct-port 1813
  Router(config-radius-server)# key apple
  Router(config)# aaa authentication login default group radius local
  Router(config)# username admin secret 0 apple
• Login lockouts (local accounts)
  Router(config)# aaa local authentication attempts max-fail 3
  Router# clear aaa local user lockout {username <name> | all}
• Disable password recovery (disables access to ROMMON by disabling the BREAK sequence)
  Router(config)# no service password-recovery
• Access class (restrict which source addresses may reach the VTY lines)
• Exec-timeout (close idle sessions)

Network Monitoring
• Use SNMP version 3 with an ACL to limit which SNMP servers can connect
  Router(config)# ip access-list extended snmp-server
  Router(config-ext-nacl)# permit ip host 10.1.0.100 any
  Router(config)# snmp-server group group1 v3 auth access snmp-server
  Router(config)# snmp-server engineID remote 10.1.0.100 udp-port 120 1a2833c0129a
  Router(config)# snmp-server user user1 group1 v3 auth md5 password123
  Or, with communities (still restricted by the same ACL):
  Router(config)# snmp-server community server1 RO snmp-server
  Router(config)# snmp-server community server2 RW snmp-server
• Use syslog with a separate network (VLAN) for communication
• Disable console logging to reduce the CPU load on the device

Secure Configurations
• Use the archive feature to allow for rapid recovery when a device is misconfigured
• Use secure boot-image to secure the IOS so it can't be deleted
  Router(config)# secure boot-image
• Use secure boot-config to secure the startup-config from being removed
  Router(config)# secure boot-config
• Verify
  Router# show secure bootset

Control Plane

Secure Routing Protocols
• Use MD5 password hashes
  Router(config)# enable secret apple
  Router(config)# username chris secret 0 apple
• Passive interfaces
• Also secure FHRP (HSRP, VRRP, GLBP) with authentication
  Router(config)# key chain secure
  Router(config-keychain)# key 1
  Router(config-keychain-key)# key-string apple
  Router(config-keychain-key)# interface fa 0/0
  Router(config-if)# standby 1 authentication md5 key-chain secure

Preserve CPU Resources
• Access control list logging
• Control Plane Policing (CoPP): allows you more control over what protocols and data are allowed to enter the router, and thus the control plane

Data Plane

IP Traffic
• Fragmentation
  Router(config)# ip access-list extended Secure
  Router(config-ext-nacl)# deny tcp any any fragments
  Router(config-ext-nacl)# deny udp any any fragments
  Router(config-ext-nacl)# deny icmp any any fragments
  Router(config-ext-nacl)# deny ip any any fragments
• IP options
  Router(config-ext-nacl)# deny ip any any option any-options
• TTL too short to make it through the network
  Router(config-ext-nacl)# deny ip any any ttl lt 6
* All this traffic gets process switched instead of using CEF

Prevent Spoofed Packets
• Unicast Reverse Path Forwarding (Unicast RPF)
  Router(config-if)# ip verify unicast source reachable-via rx
• Monitor with NetFlow

Wrap-Up
Secure All Planes of a Device
• Management plane
• Control plane
• Data plane
• Document, Document, Document

Questions??
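The slides give the commands for each plane but not a way to check, after the fact, that a device still carries them. The script below is an added example, not part of the original deck or any Cisco tool: it parses an IOS running-config dump offline and reports, per plane, which of the hardening points above are present (SSH v2, no plaintext HTTP, AAA, local lockout, password-recovery disabled, console logging off, ACL-restricted SNMP, VTY access-class / exec-timeout / SSH-only, HSRP authentication, and unicast RPF on routed interfaces). The two configs at the bottom are constructed samples; the ACL name MGMT and the interface names are assumptions.

```python
"""Audit a Cisco IOS running-config against the hardening points on the slides.

Added example, not from the original deck. It is a text-level check of a saved
config dump; it does not talk to a device. Sample configs are constructed.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, bool]   # (plane, check name, passed)


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global lines and the indented sub-blocks of
    'interface ...' and 'line vty ...' headers (other blocks are skipped)."""
    global_lines: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None               # '!' separates blocks in IOS output
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if re.match(r"^(interface|line vty)\b", line):
            current = line
            blocks[current] = []
        else:
            current = None
    return global_lines, blocks


def audit(text: str) -> List[Finding]:
    g, blocks = parse_config(text)

    def has(pattern: str) -> bool:
        return any(re.search(pattern, line) for line in g)

    out: List[Finding] = []
    # --- management plane: global settings ---
    out.append(("management", "ssh version 2", has(r"^ip ssh version 2$")))
    out.append(("management", "no plaintext http server", has(r"^no ip http server$")))
    out.append(("management", "aaa new-model", has(r"^aaa new-model$")))
    out.append(("management", "local login lockout",
                has(r"^aaa local authentication attempts max-fail \d+$")))
    out.append(("management", "password recovery disabled",
                has(r"^no service password-recovery$")))
    out.append(("management", "console logging disabled", has(r"^no logging console$")))
    for line in g:
        m = re.match(r"^username (\S+) (password|secret)\b", line)
        if m:   # 'secret' is hashed; 'password' is reversible type 7 or plaintext
            out.append(("management", f"user {m.group(1)} stored as secret", m.group(2) == "secret"))
        m = re.match(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:   # a community with no trailing ACL name answers any source
            out.append(("management", f"snmp community {m.group(1)} has acl", m.group(3) is not None))
        m = re.match(r"^snmp-server group (\S+) v3 (noauth|auth|priv)", line)
        if m:
            out.append(("management", f"snmp v3 group {m.group(1)} authenticated", m.group(2) != "noauth"))
    # --- management plane: VTY lines ---
    for hdr, body in blocks.items():
        if hdr.startswith("line vty"):
            out.append(("management", f"{hdr}: access-class",
                        any(b.startswith("access-class ") and b.endswith(" in") for b in body)))
            out.append(("management", f"{hdr}: ssh only", "transport input ssh" in body))
            # 'exec-timeout 0 0' disables the idle timeout entirely
            out.append(("management", f"{hdr}: exec-timeout set",
                        any(re.match(r"exec-timeout (?!0 0$)\d+", b) for b in body)))
    # --- control and data plane: per interface ---
    for hdr, body in blocks.items():
        if not hdr.startswith("interface"):
            continue
        groups = sorted({m.group(1) for b in body for m in [re.match(r"standby (\d+) ", b)] if m})
        for grp in groups:   # every HSRP group must carry authentication
            out.append(("control", f"{hdr} hsrp group {grp} authenticated",
                        any(re.match(rf"standby {grp} authentication ", b) for b in body)))
        if any(b.startswith("ip address ") for b in body):   # routed interface
            out.append(("data", f"{hdr}: unicast rpf",
                        any(b.startswith("ip verify unicast source reachable-via") for b in body)))
    return out


def failures(text: str) -> List[str]:
    """Names of the failed checks, e.g. to gate a config backup in CI."""
    return [f"{plane}: {check}" for plane, check, ok in audit(text) if not ok]


WEAK_CONFIG = """\
! constructed sample: a router before hardening
service password-recovery
username admin password apple
ip http server
snmp-server community public RO
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
! constructed sample: the same router after the changes on the slides
aaa new-model
aaa local authentication attempts max-fail 3
no service password-recovery
username admin secret 0 apple
ip ssh version 2
no ip http server
ip http secure-server
no logging console
ip access-list extended snmp-server
 permit ip host 10.1.0.100 any
snmp-server group group1 v3 auth access snmp-server
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip verify unicast source reachable-via rx
 standby 1 ip 10.0.0.1
 standby 1 authentication md5 key-chain secure
!
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 transport input ssh
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(failures(cfg))} failing checks")
        for f in failures(cfg):
            print("  FAIL", f)
```

Run it against `show running-config` output saved from the archive feature on the slides; the weak sample reports thirteen failures and the hardened sample none. The checks are deliberately literal (exact IOS command strings), so a device whose config uses different ACL names or interface types still audits correctly, but a check for a command the slides do not mention has to be added by hand.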