Configuring Cisco AutoSecure Interactive Mode
This happens to be the recommended mode for securing your Cisco router. When using the Cisco AutoSecure Interactive Mode, the router will prompt a number of questions regarding the current topology, how it is connected to the Internet, which interface connects to the Internet and so on. Providing this information is essential because it will be used by AutoSecure to lock-down the router and disable services as required by Cisco’s best security practices.
Below is the command required to initiate the AutoSecure Interactive mode feature. You can abort the session anytime by pressing Ctrl-C, or press ? to get help:
- R1# auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.100 YES NVRAM up up
FastEthernet0/1 192.168.151.10 YES NVRAM up up
NVI0 10.0.0.100 YES unset up up
Enter the interface name that is facing the internet: FastEthernet0/1
Securing Management plane services...
- Disabling service finger
- Disabling service pad
- Disabling udp & tcp small servers
- Enabling service password encryption
- Enabling service tcp-keepalives-in
- Enabling service tcp-keepalives-out
- Disabling the cdp protocol
- Disabling the bootp server
- Disabling the http server
- Disabling the finger service
- Disabling source routing
- Disabling gratuitous arp
- Configure NTP Authentication? [yes]: no
Enter the new enable password: *****
% Invalid Password length - must contain 6 to 25 characters. Password configuration failed
Enter the new enable password: **********
Confirm the enable password: **********
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 15
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 20
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
- Disabling the following ip services on all interfaces:
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- Disabling mop on Ethernet interfaces
- Securing Forwarding plane services...
- Enabling unicast rpf on all interfaces connected to internet
- Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
- no service finger
- no service pad
- no service udp-small-servers
- no service tcp-small-servers
- service password-encryption
- service tcp-keepalives-in
- service tcp-keepalives-out
- no cdp run
- no ip bootp server
- no ip http server
- no ip finger
- no ip source-route
- no ip gratuitous-arps
- no ip identd
- security passwords min-length 6
- security authentication failure rate 10 log
- enable password 7 11584B5643475D
- aaa new-model
- aaa authentication login local_auth local
- line con 0
- login authentication local_auth
- exec-timeout 5 0
- transport output telnet
- line aux 0
- login authentication local_auth
- exec-timeout 10 0
- transport output telnet
- line vty 0 15
- login authentication local_auth
- transport input telnet
- line tty 1
- login authentication local_auth
- exec-timeout 15 0
- login block-for 15 attempts 3 within 20
- service timestamps debug datetime msec localtime show-timezone
- service timestamps log datetime msec localtime show-timezone
- logging facility local2
- logging trap debugging
- service sequence-numbers
- logging console critical
- logging buffered
- interface FastEthernet0/0
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- interface FastEthernet0/1
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- access-list 101 permit udp any any eq bootpc
- interface FastEthernet0/1
- ip verify unicast source reachable-via rx allow-default 101
- ip inspect audit-trail
- ip inspect dns-timeout 7
- ip inspect tcp idle-time 14400
- ip inspect udp idle-time 1800
- ip inspect name autosec_inspect cuseeme timeout 3600
- ip inspect name autosec_inspect ftp timeout 3600
- ip inspect name autosec_inspect http timeout 3600
- ip inspect name autosec_inspect rcmd timeout 3600
- ip inspect name autosec_inspect realaudio timeout 3600
- ip inspect name autosec_inspect smtp timeout 3600
- ip inspect name autosec_inspect tftp timeout 30
- ip inspect name autosec_inspect udp timeout 15
- ip inspect name autosec_inspect tcp timeout 3600
- ip access-list extended autosec_firewall_acl
- permit udp any any eq bootpc
- deny ip any any
- interface FastEthernet0/1
- ip inspect autosec_inspect out
- ip access-group autosec_firewall_acl in
- !
- end
- Apply this configuration to running-config? [yes]: yes
- Applying the config generated to running-config
Notice the router rejected the initial enable password as it did not conform to the password security requirements
If at any point you would like to check the configuration changes made by the Cisco AutoSecure feature before saving them, you can use the show auto secure config command:
- R1# show auto secure config
- no service finger
- no service pad
- no service udp-small-servers
- no service tcp-small-servers
- service password-encryption
- service tcp-keepalives-in
- service tcp-keepalives-out
- no cdp run
- no ip bootp server
- no ip http server
- no ip finger
- no ip source-route
- no ip gratuitous-arps
- no ip identd
- security passwords min-length 6
- security authentication failure rate 10 log
- enable password 7 11584B5643475D
- aaa new-model
- aaa authentication login local_auth local
- line con 0
- login authentication local_auth
- exec-timeout 5 0
- transport output telnet
- line aux 0
- login authentication local_auth
- exec-timeout 10 0
- transport output telnet
- line vty 0 15
- login authentication local_auth
- transport input telnet
- line tty 1
- login authentication local_auth
- exec-timeout 15 0
- login block-for 15 attempts 3 within 20
- service timestamps debug datetime msec localtime show-timezone
- service timestamps log datetime msec localtime show-timezone
- logging facility local2
- logging trap debugging
- service sequence-numbers
- logging console critical
- logging buffered
- interface FastEthernet0/0
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- !
- interface FastEthernet0/1
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- !
- access-list 101 permit udp any any eq bootpc
- interface FastEthernet0/1
- ip verify unicast source reachable-via rx allow-default 101
- ip inspect audit-trail
- ip inspect dns-timeout 7
- ip inspect tcp idle-time 14400
- ip inspect udp idle-time 1800
- ip inspect name autosec_inspect cuseeme timeout 3600
- ip inspect name autosec_inspect ftp timeout 3600
- ip inspect name autosec_inspect http timeout 3600
- ip inspect name autosec_inspect rcmd timeout 3600
- ip inspect name autosec_inspect realaudio timeout 3600
- ip inspect name autosec_inspect smtp timeout 3600
- ip inspect name autosec_inspect tftp timeout 30
- ip inspect name autosec_inspect udp timeout 15
- ip inspect name autosec_inspect tcp timeout 3600
- ip access-list extended autosec_firewall_acl
- permit udp any any eq bootpc
- deny ip any any
- interface FastEthernet0/1
- ip inspect autosec_inspect out
- ip access-group autosec_firewall_acl in
- R1#
The Non-interactive mode of Cisco’s AutoSecure is more of an ‘express’ setup feature, bypassing any user input and quickly securing the router using Cisco’s best security practices. Think of it as a quick-and-dirty lockdown mode!
Running the Non-Interactive AutoSecure mode is done by entering the auto secure no-interact command as shown below. The router will display some information and continue configuring itself:
R1# auto secure no-interact
Below is the expected output once the auto secure non-interactive command is executed:
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
Securing Management plane services...
- Disabling service finger
- Disabling service pad
- Disabling udp & tcp small servers
- Enabling service password encryption
- Enabling service tcp-keepalives-in
- Enabling service tcp-keepalives-out
- Disabling the cdp protocol
- Disabling the bootp server
- Disabling the http server
- Disabling the finger service
- Disabling source routing
- Disabling gratuitous arp
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
This is the configuration generated:
- no service finger
- no service pad
- no service udp-small-servers
- no service tcp-small-servers
- service password-encryption
- service tcp-keepalives-in
- service tcp-keepalives-out
- no cdp run
- no ip bootp server
- no ip http server
- no ip finger
- no ip source-route
- no ip gratuitous-arps
- no ip identd
- security passwords min-length 6
- security authentication failure rate 10 log
- service timestamps debug datetime msec localtime show-timezone
- service timestamps log datetime msec localtime show-timezone
- logging facility local2
- logging trap debugging
- service sequence-numbers
- logging console critical
- logging buffered
- interface FastEthernet0/0
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- interface FastEthernet0/1
- no ip redirects
- no ip proxy-arp
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no mop enabled
- !
- end
Applying the config generated to running-config
- R1#
Exploring Other Cisco AutoSecure Options
For those who like to explore all available options of the Cisco AutoSecure command, use the auto secure command, followed by a question mark ? as shown below:
- R1# auto secure ?
- firewall AutoSecure Firewall
- forwarding Secure Forwarding Plane
- full Interactive full session of AutoSecure
- login AutoSecure Login
- management Secure Management Plane
- no-interact Non-interactive session of AutoSecure
- ntp AutoSecure NTP
- ssh AutoSecure SSH
- tcp-intercept AutoSecure TCP Intercept
Trying out different parameters and options will help gain a greater understanding of how AutoSecure works and the options it provides to help best secure your network.
Using the Cisco AutoSecure feature to secure your router(s) is a very simple task and one that should not be neglected, even by experienced network engineers. With the use of such features, one can create a configuration template with all necessary basic security measures taken into account.
Cisco provides a number of features that can help make an engineer’s every-day life more secure and hassle-free. It’s to our advantage to make the best of everything offered!
No comments:
Post a Comment