Wednesday, January 30, 2013

How to Secure Your Cisco Router Using Cisco AutoSecure Feature

How to Secure Your Cisco Router Using Cisco AutoSecure Feature
In today’s complex network environments securing your network routers can be a daunting task, especially when there are so many CLI commands and parameters with different security implications for your Cisco router device.
Thankfully, since Cisco IOS version 12.3 and later, Cisco provides an easy way for administrators to lock down their Cisco router without entering complex commands and parameters. This feature was smartly introduced to help remove the complexity of the task and ensure the lock-down is performed according to Cisco’s best security practices.
The Cisco AutoSecure feature is available to all IOS version 12.3 and above and supported on all hardware platforms, including all newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.
To maximize flexibility the Cisco AutoSecure command supports two different modes depending on your needs and flexibility required:
AutoSecure Interactive Mode: This mode prompts the user with options to enable/disable services and other security features supported by the IOS version the router is running.
AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings (Cisco’s best security practices).
The Cisco AutoSecure Interactive mode provides greater control over security-related features than the non-interactive mode. However, when an administrator needs to quickly secure a router without much human intervention, the non-interactive mode is appropriate.
We’ll examine the practical difference between the two commands soon. For now, let’s take a look at the functions Cisco AutoSecure performs:
1. Disables the following Global Services:
  • Finger
  • PAD
  • Small Servers
  • Bootp
  • HTTP service
  • Identification Service
  • CDP
  • NTP
  • Source Routing
2. Enables the following Global Services:
  • Password-encryption service
  • Tuning of scheduler interval/allocation
  • TCP synwait-time
  • TCP-keepalives-in and tcp-kepalives-out
  • SPD configuration
  • No ip unreachables for null 0
3. Disables the following services per interface:
  • ICMP
  • Proxy-Arp
  • Directed Broadcast
  • Disables MOP service
  • Disables icmp unreachables
  • Disables icmp mask reply messages.
4. Provides logging for security:
  • Enables sequence numbers & timestamp
  • Provides a console log
  • Sets log buffered size
  • Provides an interactive dialogue to configure the logging server ip address.
5. Secures access to the router:
 
  • Checks for a banner and provides facility to add text to automatically configure:
  • Login and password
  • Transport input & output
  • Exec-timeout
  • Local AAA
  • SSH timeout and ssh authentication-retries to minimum number
  • Enable only SSH and SCP for access and file transfer to/from the router
  • Disables SNMP If not being used
6. Secures the Forwarding Plane:
  • Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
  • Anti-spoofing
  • Blocks all IANA reserved IP address blocks
  • Blocks private address blocks if customer desires
  • Installs a default route to NULL 0, if a default route is not being used
  • Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
  • Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
  • Enables NetFlow on software forwarding platforms
It is clear that the Cisco AutoSecure does a lot more than execute a couple of commands
  

No comments:

Post a Comment