Wednesday, 6 April 2011

Router Interface Configuration

Router Interface Configuration:

To stop the router from sending ICMP redirect messages when it is forced to resend a packet out of the same interface on which it was received (redirects reveal topology to every host on the segment and are rarely needed on a screening router), add the following to each interface:
no ip redirects
  Disable directed broadcasts:
no ip directed-broadcast
Directed broadcasts can be misused to amplify denial-of-service attacks (the "smurf" attack): a single packet sent to a subnet's broadcast address is delivered to every host on that subnet, and each host answers the spoofed source.  This is the default from IOS 12.0 onward, but it should still be set explicitly on older images.
  On routers with limited memory, the amount of memory used can be reduced by disabling route caching:
no ip route-cache
no ip mroute-cache
Note that this forces every packet to be process switched, which raises CPU load, so on a busy router the trade-off usually goes the other way; leave caching on unless the memory pressure is real.
  Turn off Cisco Discovery Protocol on each interface if it is not needed; CDP announces the router's platform, IOS version and addresses to anything listening on the segment (the global command no cdp run disables it on all interfaces at once):
no cdp enable
  Disable proxy ARP on each interface; with it enabled the router answers ARP requests on behalf of hosts on other networks, which is rarely needed and lets any host on the segment reach other networks through the router without a proper routing configuration:
no ip proxy-arp
  On images with the Enterprise feature set, disable the legacy DEC protocols (MOP and LAT) on each interface:
no mop enabled
no lat enabled

Access Control Lists:

  Telnet access to the router interfaces should be restricted to a subset of IP addresses.  With an extended access list applied inbound on the interface:
access-list NNN permit tcp host w.x.y.z any eq telnet log
Where NNN is a number from 100 through 199 identifying an extended access list and w.x.y.z is the specific management host.  Other address and wildcard-mask combinations can be used in place of "host w.x.y.z".  The keywords are permit and deny; "allow" is not valid IOS syntax.
On the screening routers, create an access list (e.g.:  Access-list 111) which governs what is permitted to enter the router from the Internet on the serial interface.  Adding "log" to the end of an entry generates a log entry when a packet matches that entry.  NOTE:  An attacker can turn any logging function against you, for example by flooding the router with packets that match logged entries to exhaust its CPU or fill its log.  Generally, management of a screening router should always be done from a trusted host on a trusted network over a more secure protocol than telnet (e.g. ssh).
Standard access lists - If you want to allow only certain IP addresses to use Telnet to access the router, you can use the access-class command on the vty lines.  The command “access-class xx in” applies a standard access list (numbered 1 through 99) to the virtual terminal lines; it filters on the source address of the connection only, so the list needs no destination or port fields.
access-list xx permit 192.85.55.0 0.0.0.255
line vty 0 4
 access-class xx in
  The following lines in access-list 111 drop packets arriving from the Internet with private (RFC 1918) or loopback source addresses, which no legitimate Internet host can have:
access-list 111 deny ip 127.0.0.0 0.255.255.255 any log
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
The following line in access-list 111 prevents spoofing from the Internet, that is, packets arriving on the serial interface that claim to come from your own address space:
access-list 111 deny ip x.y.z.0 0.0.0.255 any log
Where x.y.z.0 is a Class C block used by your company.  (Class C used as an example only; add one entry per block you own.)  Access-list 111 as shown contains only deny entries, so it must be followed by permit entries for the services you expose; otherwise the implicit deny at the end of every access list drops all inbound traffic.
  Create a second access list (e.g.:  Access-list 112) which governs what is permitted to leave your company's internal network for the Internet; apply it inbound on the internal interface or outbound on the serial interface.  If the internal network itself uses RFC 1918 addresses behind NAT, apply the list where it sees translated addresses (an outbound list on the serial interface is checked after translation) or leave the private-address entries out.
The following lines in access-list 112 again drop private and loopback source addresses:
access-list 112 deny ip 127.0.0.0 0.255.255.255 any log
access-list 112 deny ip 10.0.0.0 0.255.255.255 any log
access-list 112 deny ip 172.16.0.0 0.15.255.255 any log
access-list 112 deny ip 192.168.0.0 0.0.255.255 any log
The following line in access-list 112 prevents spoofing from within your company: only packets sourced from your own address space are allowed out, and everything else falls through to the implicit deny.  Logging matches on a permit entry sends every matching flow through the logging path, which costs CPU on a busy link, so consider omitting "log" on this line:
access-list 112 permit ip x.y.z.0 0.0.0.255 any log
Where x.y.z.0 is a Class C block used by your company.  (Class C used as an example only.)
  On router models above the 4000 series, and first available in IOS 11.2F, a feature called "TCP Intercept" can be used to actively protect servers against TCP SYN flooding denial-of-service attacks: the router completes the three-way handshake on the server's behalf and only hands the connection to the server once the client has completed it.  This feature should be enabled if your company's firewall does not provide it.  TCP Intercept is enabled by pointing it at an extended access list whose permit entries select the connections to intercept, normally TCP from any source to the servers you want to protect.  A list made only of deny entries, such as the anti-spoofing list above, would intercept nothing, so the number 111 is reused here for illustration only; in practice use a separate list:
ip tcp intercept list 111
Additional parameters can be configured to tune the TCP Intercept feature (for example ip tcp intercept mode watch, which only watches connections and resets those that do not complete) although simply enabling it should be sufficient for most applications.  Also note that it consumes CPU and memory for every half-open connection, so the load on busy routers should be watched.  Consult Cisco's documentation for more details.
  On Cisco IOS releases older than 11.3, a workaround for the land.c attack (a TCP SYN whose source address and port equal its destination) should be configured: an access list that denies packets from each interface address to itself, applied inbound on every interface.  These deny entries must be followed by the permit entries you actually need, because a list made only of deny entries drops everything through the implicit deny at its end:
access-list 101 deny tcp a.b.c.d 0.0.0.0 a.b.c.d 0.0.0.0 log
access-list 101 deny tcp e.f.g.h 0.0.0.0 e.f.g.h 0.0.0.0 log
Where a.b.c.d and e.f.g.h are the IP addresses of the internal and external interfaces.
  SNMP access to the router should be reviewed by your personnel.  The management station that receives traps is configured with:
snmp-server host y.y.y.y community-string
Where y.y.y.y represents an SNMP management station on your network.  Community strings must follow the corporate password policy for static passwords; "public" and "private" are the well-known defaults that every scanner tries first and are kept below only as placeholders for your own read-only and read-write strings.  Do not configure a read-write community unless it is actually needed, since it allows the router to be reconfigured.  Where the image supports it (12.0(3)T and later), prefer SNMPv3 with authentication and privacy, because community strings cross the network in clear text.
Apply an access list to each community statement in order to further restrict access to this management interface:
access-list 1 permit 1.1.1.1
access-list 1 permit 2.2.2.2
access-list 2 permit 5.5.5.5
access-list 2 permit 6.6.6.6
snmp-server community public RO 1
snmp-server community private RW 2

  Restrict ICMP traffic through ACLs:
Allow PING replies to come back for PINGs originated from your company:
access-list 123 permit icmp any x.y.z.0 0.0.0.255 echo-reply
Allow TRACEROUTE replies to come back for TRACEROUTEs originated from your company:
access-list 123 permit icmp any x.y.z.0 0.0.0.255 unreachable
access-list 123 permit icmp any x.y.z.0 0.0.0.255 time-exceeded
Allow router congestion messages to enter:
access-list 123 permit icmp any x.y.z.0 0.0.0.255 source-quench
Allow fragmentation warning messages to enter:
access-list 123 permit icmp any x.y.z.0 0.0.0.255 packet-too-big
Where x.y.z.0 is a Class C block used by your company.  (Class C used as an example only.)  Apply this list inbound on the Internet-facing interface; since it contains only permit entries, every other ICMP type, including inbound echo requests, is dropped by the implicit deny.  The packet-too-big entry (type 3 code 4, "fragmentation needed") must stay, or path MTU discovery for your hosts breaks.  Source quench is obsolete and ignored by current hosts, so that entry can be omitted.
  A version of Cisco IOS should be used which has been enhanced to resist TCP fragment attacks.  Cisco IOS 12.0(11) and 12.1(2) introduced the "fragments" keyword for access list entries, which lets the router partially block such attacks; either of these releases, or a later one, should be used.
A complete defense against fragment attacks is only feasible with a stateful firewall, because a firewall keeps a table of packet fragments indexed by source and destination IP address, protocol and IP ID, and can reassemble or drop incomplete datagrams.  Cisco has not implemented this functionality in all routers because tracking every connection is resource intensive.  The weakness the keyword addresses is that a non-initial fragment carries no TCP or UDP header, so without it such a fragment matches any permit entry that carries port information, and a fragment stream aimed at a protected server passes a list that is meant to permit only HTTP.
As an example, ACL 101 permits only non-fragmented HTTP flows to the server: the first entry matches non-initial fragments (the fragments keyword matches packets whose fragment offset is non-zero), the second permits initial packets to port 80, and the third makes the implicit deny explicit:
access-list 101 deny ip any host 192.168.41.3 fragments
access-list 101 permit tcp any host 192.168.41.3  eq 80
access-list 101 deny ip any any
More details pertaining to Cisco’s recommendations can be found at:
http://www.cisco.com/warp/public/105/acl_wp.html
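All of the access lists in this section (the anti-spoofing lists 111 and 112, the standard list used with access-class on the vtys, the ICMP list 123, the land.c workaround and the fragments example) share the same semantics: entries are tried in order, the first match decides, and a packet that matches nothing is dropped.  The following Python evaluator is an added example, not code from the original post or from Cisco.  It parses entries in the syntax used on this page, rejects malformed addresses such as a mistyped "192.168.0", and applies the lists to constructed packets, including the IOS rule that a non-initial fragment (which has no Layer 4 header) matches a permit entry carrying port information but not a deny entry, which is the hole the fragments keyword closes.  The block 203.0.113.0/24 stands in for x.y.z.0, and the packets are constructed, not captured.

```python
# Added example, not code from the original post: a first-match evaluator for the
# numbered IOS access lists used in this article. All addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple
ANY = ("0.0.0.0", "255.255.255.255")
ICMP_TYPES = {"echo-reply": (0, None), "unreachable": (3, None), "packet-too-big": (3, 4),
              "source-quench": (4, None), "time-exceeded": (11, None)}  # keyword -> (type, code)

@dataclass
class Rule:
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip' matches every protocol
    src: Tuple[str, str]             # (address, wildcard mask)
    dst: Tuple[str, str]
    port: Optional[int] = None       # 'eq <port>' on the destination
    icmp: Optional[Tuple[int, Optional[int]]] = None   # a None code matches every code
    fragments: bool = False          # 'fragments' keyword: non-initial fragments only

def _ip(s):
    return int(ipaddress.IPv4Address(s))   # raises ValueError on e.g. '192.168.0'

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def _parse_addr(tok, i):
    if tok[i] == "any":
        return ANY, i + 1
    pair = (tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])
    _ip(pair[0]), _ip(pair[1])               # reject malformed entries at parse time
    return pair, i + 2

def parse_acls(text):
    acls = {}                                # {list number: [Rule, ...]} in config order
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action = int(tok[1]), tok[2]
        if num <= 99:                        # standard list: source only, wildcard optional
            wild = tok[4] if len(tok) > 4 and tok[4] != "log" else "0.0.0.0"
            acls.setdefault(num, []).append(Rule(action, "ip", _parse_addr([tok[3], wild], 0)[0], ANY))
            continue
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        rule = Rule(action, tok[3], src, dst)
        while i < len(tok):
            t = tok[i]
            if t == "eq":
                i += 1
                rule.port = {"telnet": 23, "www": 80}.get(tok[i]) or int(tok[i])
            elif t in ICMP_TYPES:
                rule.icmp = ICMP_TYPES[t]
            elif t == "fragments":
                rule.fragments = True
            elif t != "log":                 # 'log' affects logging only, not matching
                raise ValueError(f"unsupported keyword {t!r} in: {line}")
            i += 1
        acls.setdefault(num, []).append(rule)
    return acls

def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *rule.src) and wildcard_match(pkt["dst"], *rule.dst)):
        return False
    non_initial = pkt.get("frag_offset", 0) > 0
    if rule.fragments:
        return non_initial
    if rule.port is None and rule.icmp is None:
        return True                          # Layer 3 only entry
    if non_initial:                          # no Layer 4 header to inspect: IOS lets such a
        return rule.action == "permit"       # fragment match a permit entry but skips a deny
    if rule.port is not None:
        return pkt.get("dport") == rule.port
    return pkt.get("icmp_type") == rule.icmp[0] and rule.icmp[1] in (None, pkt.get("icmp_code"))

def evaluate(acls, num, pkt):
    for rule in acls.get(num, []):           # first matching entry wins
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"                            # implicit deny at the end of every IOS list

ACL_TEXT = """
access-list 10 permit 192.168.123.123
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 203.0.113.0 0.0.0.255 any log
access-list 111 permit tcp any 203.0.113.0 0.0.0.255 eq 80
access-list 123 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
access-list 123 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
access-list 101 deny ip any host 192.168.41.3 fragments
access-list 101 permit tcp any host 192.168.41.3 eq 80
access-list 101 deny ip any any
"""
ACLS = parse_acls(ACL_TEXT)   # constructed; 203.0.113.0/24 stands in for the x.y.z.0 block
```

Evaluating the same non-initial fragment (a packet with a non-zero frag_offset) against list 101 with and without its first entry shows what the fragments keyword buys: with it the fragment is denied, without it the "permit tcp ... eq 80" entry lets it through because there is no port to compare.  The parser is deliberately strict: an entry with a malformed address raises ValueError instead of silently matching nothing, which is how a typo like the one above would fail on a real router as well.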

The Banner:

  The banner message should also contain a security notice similar to the following (the delimiter character, ^C here, must not appear in the banner text itself):
banner motd ^C
This system is for the use of authorized users only.  Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.  In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.  Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
^C
Banners that identify the proprietary nature of the system and warn that any actions may be monitored are needed to allow use of logs if legal steps become necessary.  Consult your legal department for the exact wording to be used.  It is important not to give a potential intruder more information than the law requires: do not list system names, contact information, or anything other than a warning to unauthorized persons to stay out.

Administrative Interfaces:

  Put a password on the console and aux ports.  At a minimum configure:
line con 0
 password YourSecretPassword
 login

line aux 0
 password YourSecretPassword
 login

Passwords should follow the corporate password policy.  Line passwords are stored in clear text unless service password-encryption is configured, and even then only under the reversible type 7 encoding, so the configuration file itself must be protected; set the privileged-mode password with enable secret, which stores a hash, rather than enable password.  If the aux port is not used for a modem, disable it altogether with no exec and transport input none under line aux 0.

  Set an idle EXEC timeout to disconnect a session after a specified period of inactivity.  The default is 10 minutes; "exec-timeout 0 0" disables the timer entirely and should not be used, and the time allowed to answer the login prompt itself is controlled separately by timeout login response:
line vty 0 4
 exec-timeout Minutes

  The related session-timeout command limits idle time on outgoing connections started from that line, for example a telnet session from the router to another host:
line vty 0 4
 session-timeout Minutes
  Telnet access to any router should be restricted closely by means of access-class lists (the same mechanism described in the access list section above):
access-list xx permit 192.168.123.123
line vty 0 4
 access-class xx in

Where xx, from 1 through 99, is a standard access list.
  In addition, restrict access to the vtys to a protected protocol such as SSH, to preclude eavesdropping (telnet carries the login password in clear text) and to obtain better authentication.  Cisco first implemented the SSH server in IOS 12.0(5)S for the 7200, 7500 and 12000 routers; that implementation lets workstations with SSH version 1 clients form secure remote console sessions to routers with the feature.  SSH version 2, which corrects weaknesses in version 1, is available from 12.3(4)T and should be selected with ip ssh version 2 wherever the image supports it.  The server requires a host name, an ip domain-name and an RSA key pair (crypto key generate rsa) before it will start.  Then permit only SSH on the lines:
line vty 0 4
 transport input ssh
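Most of the checks in this article (per-interface no ip redirects, no ip proxy-arp, no cdp enable and directed broadcasts; console and aux passwords; vty transport, access-class and exec-timeout; SNMP community strings and the enable secret) can be audited mechanically from a saved running-config.  The following Python script is an added example, not code from the original post or a Cisco tool.  The check list is an assumption distilled from this page rather than a complete hardening baseline, and the sample configuration is constructed to contain one hardened interface, one unhardened interface and a weak vty configuration.

```python
# Added example, not code from the original post: audit an IOS running-config against
# the hardening steps in this article. The sample configuration below is constructed.

def parse_config(text):
    """Split a config into global commands and the indented bodies of 'interface ...'
    and 'line ...' sections; a '!' or blank line ends the current section."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):                       # child of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.split()[0] in ("interface", "line"):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            globals_.append(line)
    return globals_, sections

def audit(text):
    """One finding per deviation. 'show running-config' omits defaults, so 'no ip redirects'
    and 'no ip proxy-arp' must appear explicitly, while directed broadcasts (off by default
    since IOS 12.0) are flagged only when switched on."""
    globals_, sections = parse_config(text)
    findings = []
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("global: no 'enable secret' configured")
    if "service password-encryption" not in globals_:
        findings.append("global: line passwords stored in clear text")
    if not any(g.startswith("banner motd") for g in globals_):
        findings.append("global: no login banner")
    for g in globals_:
        if g.startswith("snmp-server community"):
            parts = g.split()                         # snmp-server community <string> RO|RW [acl]
            if parts[2].lower() in ("public", "private"):
                findings.append(f"snmp: well-known community string '{parts[2]}'")
            if len(parts) < 5:
                findings.append(f"snmp: community '{parts[2]}' not restricted by an access list")
    cdp_off_globally = "no cdp run" in globals_
    for header, body in sections.items():
        kind, name = header.split(None, 1)
        if kind == "interface":
            for required in ("no ip redirects", "no ip proxy-arp"):
                if required not in body:
                    findings.append(f"{name}: missing '{required}'")
            if "ip directed-broadcast" in body:
                findings.append(f"{name}: directed broadcasts enabled")
            if not cdp_off_globally and "no cdp enable" not in body:
                findings.append(f"{name}: CDP enabled")
            continue
        if not any(b.startswith("login") for b in body):   # line con 0 / aux 0 / vty
            findings.append(f"line {name}: no login required")
        if name.startswith("vty"):
            transport = next((b for b in body if b.startswith("transport input")), "")
            if "ssh" not in transport or "telnet" in transport or "all" in transport:
                findings.append(f"line {name}: transport is not ssh-only ({transport or 'default'})")
            if not any(b.startswith("access-class") for b in body):
                findings.append(f"line {name}: no access-class restricting source addresses")
            timeout = next((b for b in body if b.startswith("exec-timeout")), "exec-timeout 10 0")
            if timeout.split()[1:] in (["0"], ["0", "0"]):
                findings.append(f"line {name}: exec-timeout disabled")
    return findings

SAMPLE_CONFIG = """\
enable password cisco
service password-encryption
banner motd ^C Authorized use only. All activity may be monitored and recorded. ^C
snmp-server community public RO
snmp-server community s3cr3tRW RW 2
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no cdp enable
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 ip directed-broadcast
 no ip redirects
!
line con 0
 password 7 0822455D0A16
 login
line aux 0
 password 7 0822455D0A16
line vty 0 4
 exec-timeout 0 0
 password 7 0822455D0A16
 login
 transport input telnet ssh
"""
```

Run audit(SAMPLE_CONFIG) and the hardened FastEthernet0/0 produces no findings, while Serial0/0 is reported for the missing proxy-ARP setting, the enabled directed broadcasts and CDP, the aux line for having no login, and the vty lines for allowing telnet, lacking an access-class and having the idle timer disabled.  The parser keys only on the one-space indentation IOS uses for section bodies, so it is suitable for saved configs but not for a config that has been reformatted by hand.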
