Configuration:
All Cisco routing products should run IOS version 12.0(11) or greater where it is available for the router and interfaces in use. 12.0(11) or greater is particularly recommended if the HTTP server is used to manage the router, and 12.0(11) also includes enhancements for better handling of TCP fragmentation attacks. Cisco continually improves the performance and security of IOS, so routers running an older version should be updated.
version 12.0.x
Router hostnames should be generic and not specific to the product platform, hardware, version, or relative position in the network. Such hostnames slow down an attacker who is mapping your networks.
hostname pr2-103-j
On all border routers (also called screening routers) the “small services” must be disabled unless a documented exception exists. Disabling the small servers shuts down the low-numbered TCP and UDP services (chargen, daytime, discard, and echo), which are not necessary and are commonly used in denial of service attacks. A simple rule to follow is that the fewer services running, the fewer opportunities for a disruption of service.
no service udp-small-servers
no service tcp-small-servers
With very few documented exceptions, these services can be disabled on internal routers as well.
Note that this is the default configuration for IOS 12.0.x and greater.
Finger service should be disabled unless its use is well documented, since finger gives an intruder information such as login accounts and trusted hosts. Add one of the following lines:
no service finger
or
no ip finger
Some customized Network Management System scripts may require finger on the routers. Before opening up this service, verify with the vendor that it is required. If so, an access list must be designed to permit only authorized networks and hosts to use this service.
Turn off Cisco Discovery Protocol at the global level if not absolutely needed:
no cdp run
Source routing should be disabled on all routers without exception, because source-routed packets allow an attacker to manipulate the routes of packets sent and received.
no ip source-route
On Enterprise class routers, disable all packet assembler/disassembler (PAD) commands and connections between PAD devices and access servers unless X.25 services are documented and required:
no service pad
Enabling timestamps for debugging and logging and enabling password encryption will provide added security. The following lines should be added:
service timestamps debug datetime
service timestamps log datetime
service password-encryption
enable secret
Timestamping debug and log messages with real time (the datetime keyword, as opposed to uptime) provides added security and facilitates reconstruction of events after an incident. Timestamping is not enabled by default.
Please note that passwords for the user and privilege levels should follow the corporate password policy without exception.
Enabling an authentication protocol such as RADIUS or TACACS+ with a two-factor password mechanism greatly improves the security of the router: administrator passwords no longer traverse any network in clear text, and the router no longer relies on the insecure Cisco password scrambling mechanism.
aaa new-model
aaa authentication login default radius
aaa authentication enable default radius
aaa authorization exec radius if-authenticated
aaa authorization commands 1 tacacs+ if-authenticated
aaa authorization commands 15 tacacs+ if-authenticated
enable secret 5 ?????????????????????
! the line commands below reference the "default" method list defined above
line con 0
exec-timeout 5 0
session-timeout 5
login authentication default
line aux 0
exec-timeout 5 0
session-timeout 5
login authentication default
line vty 0 4
access-class 10 in
exec-timeout 5 0
session-timeout 5
login authentication default
transport input ssh
Note that SecurID and other one-time password vendors operate using the RADIUS protocol. If RADIUS is used, most of the proprietary Cisco integration of the CiscoSecure product lines will be lost.
Enable Network Time Protocol. Two mechanisms are available to protect it: an access-list-based restriction scheme and an encrypted authentication mechanism.
clock timezone SST 8
!
access-list 5 permit 192.168.0.150
access-list 5 permit 172.16.5.14
access-list 5 deny any
!
ntp authentication-key 1234 md5 106D000A0718 7
ntp authenticate
ntp trusted-key 1234
ntp source Loopback0
ntp access-group peer 5
ntp update-calendar
ntp server 192.168.0.150
ntp peer 172.16.5.14
Syslog logging should be enabled and directed to the Network Management System(s) or a designated proxy.
logging x.x.x.x
Where x.x.x.x represents a syslog server or proxy service running on the network.
Enable Flood Attack Prevention
One simple, generally applicable device to address traffic flood attacks is to use weighted fair queuing (WFQ) wherever CPU resources can support it. WFQ is the default for low-speed serial lines in recent versions of Cisco IOS software.
Cisco Express Forwarding (CEF), available for IOS versions 11.1CC, 11.1CT, 11.2GS, and 12.0, causes routers to perform better under SYN flood attack situations. Finally, scheduler configuration can be used to prevent routers being swamped by interrupts generated by great volumes of data during attacks, specifying periods when processor-level tasks take priority over interrupts. These commands are available for the 7200 and 7500 router series.
scheduler interval 500
scheduler allocate 250000 10000
Enable anti-spoofing with unicast RPF checks.
This verifies the source address of each packet against the interface on which it arrived. Note that Cisco Express Forwarding (CEF) must be enabled and symmetric routing is required. Available on Cisco IOS software 11.1CC, 11.1CT, 11.2GS, and all versions 12.0 and later. The check is configured on each interface:
ip verify unicast reverse-path
Interface Configuration:
To disable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, add the following for each interface:
no ip redirects
Disable directed broadcasts:
no ip directed-broadcast
Directed broadcasts can be misused to amplify denial-of-service attacks, because every packet sent to the directed broadcast address is delivered to every host on the subnet. On routers with limited memory, reduce the amount of memory used by disabling route caching:
no ip route-cache
no ip mroute-cache
Turn off Cisco Discovery Protocol on each interface if not needed:
no cdp enable
Disable proxy ARP on each interface:
no ip proxy-arp
On Enterprise class routers, disable the DECnet protocols on each interface:
no mop enable
no lat enable
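As an added example (not from the original page or from Cisco), a small Python audit that parses saved show running-config text and reports which of the checklist's global and per-interface commands are missing. It assumes the 12.0 default noted above for the small servers (default settings are not printed by IOS, so they are only required on older versions), uses the ip verify unicast reverse-path spelling of the RPF command, and the sample config is constructed.

```python
import re

# Checklist commands: (command, IOS version from which it is the default). IOS omits default
# settings from `show running-config`, so default-off services are only required on older IOS.
REQUIRED_GLOBAL = [
    ("no service udp-small-servers", (12, 0)), ("no service tcp-small-servers", (12, 0)),
    ("no service finger", None), ("no cdp run", None), ("no ip source-route", None),
    ("no service pad", None), ("service timestamps log datetime", None),
    ("service password-encryption", None), ("ntp authenticate", None)]
REQUIRED_INTERFACE = ["no ip redirects", "no ip directed-broadcast", "no ip proxy-arp",
                      "no cdp enable", "ip verify unicast reverse-path"]

def parse_config(text):
    """Return (ios_version, global_lines, {interface name: [its indented lines]})."""
    version, global_lines, interfaces, current = (0, 0), [], {}, None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line or line.startswith("!"):      # skip blank lines and IOS comments
            continue
        if line.startswith(" "):                  # indented: belongs to the open stanza
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if m := re.match(r"version (\d+)\.(\d+)", line):
            version = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = []
        else:
            global_lines.append(line)
    return version, global_lines, interfaces

def audit(text):
    """Return findings as 'scope: missing <command>'; an empty list means compliant."""
    version, global_lines, interfaces = parse_config(text)
    findings = [f"global: missing {cmd}" for cmd, dflt in REQUIRED_GLOBAL
                if not (dflt and version >= dflt) and cmd not in global_lines]
    for name, lines in interfaces.items():
        findings += [f"{name}: missing {cmd}" for cmd in REQUIRED_INTERFACE if cmd not in lines]
    return findings
# Constructed sample (not from a real device): a 12.0 router with a partly hardened Serial0.
SAMPLE_CONFIG = """\
version 12.0
service timestamps log datetime
no service finger
no cdp run
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
"""
```

Running audit(SAMPLE_CONFIG) lists four missing global commands and four missing Serial0 commands, while the small servers are not flagged because 12.0 disables them by default.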