GNS3 Network Basics

businessmakeshift · Networks and Communications

29 Oct 2013 (4 years and 12 days ago)


Baseline Audit for Cisco Routers
6 May 2012, Version 6.0
Page | 1


Figure 1

GNS3 Network Basics

Figure 1 illustrates the network configured in the Graphic Network Simulator (GNS) software application on your notebook. This network is not intended to be representative of any specific configuration you may encounter.

The section of the network in Figure 2 is the router on which the search commands will be executed. The symbol is for a generic router. The label “7200” was added by the designer. The router being emulated is a Cisco 7200 series with three configured interfaces. The interface on the left is connected to network 10.1.40.0 and has the ip address 10.1.40.2 assigned to it. The line to which this interface is connected has been assigned the ip address 10.2.40.1.

You can determine all this from the information displayed on the diagram. The “/24” at the end of each network ip address indicates that the network is using a 24-bit mask. The small green ball indicates that the interface to which the line is attached is turned on and the line is connected.

This presentation is concerned in its entirety with securing the edge router, defined as the last router (or routing device) through which your traffic will pass on its way out of your LAN. It is also the first device encountered by inbound traffic.

For this presentation, the router standing in as the border router is the 7200. The Pix firewall and the two 2621 routers connected to it are standing in for the Internet Service Provider (ISP). The configuration of the Pix is important only in so much as it interacts with the 7200. The Pix is configured with EIGRP (Enhanced Interior Gateway Routing Protocol), as is the interface on the 7200 to which it is connected.

Figure 2


The other interfaces on the 7200 are configured with OSPF (Open Shortest Path First). Both EIGRP and OSPF are interior routing protocols; but they are both much easier to configure and much easier on resources than is BGP, the most widely-used exterior protocol.

Checking the security posture of a Cisco router is largely an examination of the contents of the configuration of the router. The majority of the commands you will be examining are concerned with securing the Management Plane. A large part of the configuration of your LAN edge router will be based on information supplied by the service provider to which you are connecting.

Passwords

The first line of defense on a router, or any other networking device, is to require passwords for simple authentication. There are several rules which should be followed:

- Encrypt passwords using MD5 wherever possible.
- Where MD5 isn’t possible, hide the passwords from casual viewing.
- Configure lockouts to preclude password guessing.
- Enforce a minimum password length standard.

Related to password enforcement is ensuring that no one else can use a password inappropriately left active. To enforce this, don’t leave connections up when idle.

Traffic Filtering

The best place to prevent unwanted traffic from entering or exiting the LAN is at the entry interfaces. Filtering is another name for blocking or dropping. When we say that a packet has been filtered, it means that the packet has been dropped, blocked, or denied.

- Selectively filter icmp packets.
- Use ingress and egress filtering.

Authentication

- Use local usernames.
- Implement AAA.
- Set authentication for eigrp and ospf.

Management

- set keepalives for management access sessions
- restrict management access to authorized users
- set exec timeouts
- use ssh & https for management access
- banners (login, motd, exec, incoming)
- if used, snmp v3 only
- configure centralized logging
- config change notifications
- set logging level
- set logging source interface
- set logging time-stamp
- use AAA for accounting




- replace and rollback for configuration files
- exclusive configuration access
- software resilience

Hardware

- Set memory threshold levels.
- Set cpu threshold levels.

Physical

- The router should be secured in a locked room or protected area.
- Access to the console port should be prevented.
- An uninterruptible power supply (UPS) should be employed to protect the configuration of the router in the event of a power outage.

Internetworking Operating System (IOS)

- The most stable version of the IOS should be used. A visit to the Cisco.com web site should provide the version of the most recent IOS for the router platform type.
- Store a copy of the configuration file in an off-device location as well as in persistent memory on the device itself.
- Move the IOS to persistent memory so that it can be easily reinstalled.

Harden the Router

- “Harden” is a term used to describe a process by which the router is configured so as to make unauthorized access to it as difficult as possible.
- Secure all methods of connection.
- Disable unused services, interfaces, and ports. Disabled = inaccessible.
- Authenticate access: allow only authorized users to have access to the device and/or services on the device.
- Authorize actions: restrict authenticated users from accessing everything. Allow authenticated users to have access to only what is required.
- Account for the actions: generate, capture, and store log and audit messages depicting every action taken by an authenticated user. Tag every message with identifying information about the user including who, what, when.
- Display banners: legal notifications and warnings.
- Encrypt everything that can be encrypted.
- Hide everything else.





MANAGEMENT PLANE COMMANDS

This section contains a listing of security support commands which are applied to the management level of the Cisco router. Each command includes a short explanation of what the command (both active and negated versions) does and an example command you can execute from the command line to see whether or not the command is configured on the device.

From inside GNS3, bring up a console window on the 7200 router and try out each of the commands under the “Finding it in the configuration” section.

Command: no ip source-route

- Disables ip source routing.
- IP source routing allows the originator of a packet to dictate which routers the packet should traverse along its way.
- It is a very dangerous capability and is routinely disabled using this command.

Finding it in the configuration:

RTR7200# show running-config | include ip source-route
no ip source-route


Command: ip cef

- Enables Cisco Express Forwarding.
- Required in order to enable Unicast Reverse-Path Forwarding.
- CEF creates a Forwarding Information Base (FIB) table containing the next hop addresses. It also creates adjacencies with the source of the packet. When a packet is received, CEF can determine if a next hop address exists based on whether or not a relationship has already been established between the layer 3 (IP) data and the layer 2 (MAC) data. This saves the time required to perform Address Resolution Protocol (ARP) searches on packets from known sources.
- Its main function is to speed up the switching process in the router.

Finding it in the configuration:

RTR7200# show running-config | include cef
ip cef




Command:
no service tcp-small-servers
no service udp-small-servers

- As of version 12.0 of the Cisco IOS, the services included under these commands are disabled by default. The commands will not appear in the configuration file.
- For earlier versions of the IOS, it is absolutely necessary to disable these and other unused services because they can be used to launch DoS attacks.

Finding it in the configuration:

RTR7200# show running-config | include small-servers

(Prior to 12.0)
no service tcp-small-servers
no service udp-small-servers

Command: no ip domain lookup

- Disables Domain Name System (DNS) name-to-address translations.
- This service is sometimes needed, but not very often.

Finding it in the configuration:

RTR7200# show running-config | include ip domain lookup
no ip domain lookup

Command: no ip finger

- Disables the Finger service.
- Finger is a very old service which provides information about users currently logged in to a network or on to a device. In the ancient days of networking, it was the only way to find out if a fellow user was available.

Finding it in the configuration:

RTR7200# show running-config | include finger
no ip finger



Command: no ip bootp server

- Disables the Bootstrap Protocol (bootp) service.
- BOOTP is typically used with diskless workstations and other devices which don’t contain their own operating system, which would allow them to use the Dynamic Host Configuration Protocol (DHCP).
- There are not a lot of devices like this anymore.

Finding it in the configuration:

RTR7200# show running-config | include bootp server
no ip bootp server

Command: ip dhcp bootp ignore

- At some point in the development of the Dynamic Host Configuration Protocol (DHCP), it was decided to include the capability of providing BOOTP capabilities for those few devices which still required it.
- If bootp is not required, this command leaves DHCP operational while configuring it to ignore any BOOTP requests.

Finding it in the configuration:

RTR7200# show running-config | include bootp ignore
ip dhcp bootp ignore

Command: no service dhcp

- If DHCP relay services are not required, it is safe to disable the service.

Finding it in the configuration:

RTR7200# show running-config | include service dhcp
no service dhcp






Command: no mop enabled

- Disables the Maintenance Operation Protocol (MOP) service.
- MOP is a 30+ year old protocol developed by Digital Equipment Corporation, which is no longer in business.
- From the original specifications: “MOP allows control of unattended remote systems that are part of a DECnet network.”
- If there’s no DECnet network, there’s no need for MOP.

Finding it in the configuration:

RTR7200# show running-config | include mop enabled
no mop enabled

Command: no service pad

- Disables the Packet Assembler/Disassembler (PAD) service.
- PAD is used to actively assemble X.25 packets out of serial data streams from network devices and disassembles like packets into a data stream which is suitable for sending to data terminals.
- If you’re not using an X.25 network, you don’t need it.

Finding it in the configuration:

RTR7200# show running-config | include service pad
no service pad

Command:
no ip http server
no ip http secure-server

- Disables the HyperText Transfer Protocol (HTTP) service and the HTTP over Secure Socket Layer (SSL) service (HTTPS).

Finding it in the configuration:

RTR7200# show running-config | include ip http
no ip http server
no ip http secure-server


Command: no service config

- Disables a Cisco IOS device search for a network server to load the configuration file.
- Prevents the device from trying to find the config file using TFTP.

Finding it in the configuration:

RTR7200# show running-config | include service config
no service config

Command:
no cdp run
no cdp enable

- Disables Cisco Discovery Protocol.
- Within a LAN, cdp is a relatively safe protocol. On interfaces touching untrusted networks, cdp should not be used because it advertises information about individual devices which would be helpful to a hacker.
- no cdp run is the global command which disables cdp for all interfaces.
- no cdp enable is used on individual interfaces.

Finding it in the configuration:

RTR7200# show running-config | include cdp
no cdp ( run | enable )

Command:
no lldp transmit
no lldp receive
no lldp run global

- Disables Link Layer Discovery Protocol.
- Similar to CDP, but used between devices that do not support CDP.
- Use the no lldp transmit and no lldp receive commands in interface configuration mode for individual interfaces; or, the no lldp run global to disable it on all interfaces.

Finding it in the configuration:

RTR7200# show running-config | include lldp
no lldp run global
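As an added example (not part of the original document), the following Python script runs the service checks listed above against a running-config saved as text, the way you would after capturing the output of show running-config from the 7200 console. The configuration excerpt, the function names and the check table are constructed for this example. The version-dependent handling of the small-servers commands follows the note above that they are off by default from IOS 12.0, so their absence from a newer configuration is reported as the default rather than as a finding; the per-interface check covers commands such as no cdp enable that never appear at global level.

```python
import re

# Constructed sample running-config excerpt (not from the original document).
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
no service pad
no ip source-route
ip cef
no ip domain lookup
no ip bootp server
ip dhcp bootp ignore
no cdp run
ip http server
no ip http secure-server
interface FastEthernet0/0
 ip address 10.1.40.2 255.255.255.0
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.50.1 255.255.255.0
!
"""

# (label, expected global line, IOS version from which the service is off by default)
GLOBAL_CHECKS = [
    ("ip source routing disabled", "no ip source-route", None),
    ("CEF enabled", "ip cef", None),
    ("tcp small servers disabled", "no service tcp-small-servers", (12, 0)),
    ("udp small servers disabled", "no service udp-small-servers", (12, 0)),
    ("DNS lookup disabled", "no ip domain lookup", None),
    ("finger disabled", "no ip finger", None),
    ("bootp server disabled", "no ip bootp server", None),
    ("DHCP ignores BOOTP", "ip dhcp bootp ignore", None),
    ("PAD disabled", "no service pad", None),
    ("HTTP server disabled", "no ip http server", None),
    ("HTTPS server disabled", "no ip http secure-server", None),
    ("config autoload disabled", "no service config", None),
    ("CDP disabled globally", "no cdp run", None),
]

def ios_version(config):
    """Return (major, minor) from the 'version' line, or None if absent."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None

def has_global_line(config, line):
    """True when the exact global command is present on its own line."""
    return re.search(r"^" + re.escape(line) + r"[ \t]*$", config, re.MULTILINE) is not None

def audit_globals(config):
    """Map each check label to 'present', 'default' (off by default, so the
    command does not appear) or 'missing' (a finding to follow up)."""
    ver = ios_version(config)
    results = {}
    for label, line, default_since in GLOBAL_CHECKS:
        if has_global_line(config, line):
            results[label] = "present"
        elif default_since and ver and ver >= default_since:
            results[label] = "default"
        else:
            results[label] = "missing"
    return results

def interfaces_without(config, line):
    """Names of interface blocks that lack the given interface-level command."""
    missing, current, seen = [], None, False
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if current and not seen:
                missing.append(current)
            current, seen = raw.split(None, 1)[1], False
        elif current and raw.startswith(" "):
            seen = seen or raw.strip() == line
        else:
            if current and not seen:
                missing.append(current)
            current = None
    if current and not seen:
        missing.append(current)
    return missing

if __name__ == "__main__":
    for label, status in audit_globals(SAMPLE_CONFIG).items():
        print(f"{status:8} {label}")
    print("interfaces without 'no cdp enable':", interfaces_without(SAMPLE_CONFIG, "no cdp enable"))
```

Only "missing" entries need attention; in the sample, ip http server is still enabled. An interface flagged by interfaces_without is only a finding when the matching global command (here no cdp run) is absent as well.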


Command: enable secret <password>

- The enable password is used to enter privileged exec mode in which the entire router can be reconfigured.
- It is essential that only the secret version of this command be used.

Finding it in the configuration:

RTR7200# show running-config | include enable
enable secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK.

- Of primary importance are that the password is set (enable secret), and that it is protected with the MD5 hashing algorithm (5).

Command: service password-encryption

- Causes all passwords which are not already encrypted with MD5 to be encrypted using Cisco proprietary encryption algorithm type 7.
- Type 7 encryption is a basic substitution method of encryption which does not provide any security for the password beyond making it difficult to read.

Finding it in the configuration:

RTR7200# show running-config | include service password
service password-encryption

Command: security passwords min-length <#>

- Sets a minimum length for any future passwords.
- Passwords which are already set are not affected by this command.
- What the value of <#> is should be a matter of local policy.
- Cisco recommends a minimum length of 10.

Finding it in the configuration:

RTR7200# show running-config | include security password
security passwords min-length 10



Command: [no] service password-recovery

- This command is not available in all versions of the IOS.
- The no version disables the password recovery feature of the router and should only be used IAW local policy.

Finding it in the configuration:

RTR7200# show running-config | include service password
service password-recovery

- Executing the ‘no’ version removes the command from the config file.
- There will be no output if the ‘no’ version has been executed.
- There will also be no output if the IOS version does not support the command.

Command: username <name> [privilege <level>] secret <password>

- Creates an entry in the local database.
- Preceding the password with the keyword “secret” causes the plaintext password to be hashed using the MD5 hashing algorithm.
- Preceding the password with the keyword “password” causes the password to be left in plaintext unless the service password-encryption command has been executed. This form of the command is not authorized.
- There should be one username configured with a privilege level of 1 (one) for normal connection to the router. Once connected, this user can execute the “enable” command to move to a higher privilege level.
- In configurations such as login local or ip http authentication local, the keyword local tells the router to require the entry of both the username and the password for that username in order to gain access.

Finding it in the configuration:

RTR7200# show running-config | include username
username NOACCESS privilege 1 secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK
username ADMIN privilege 15 secret 67UI#kouekla;*#Kkboup@bN&7arP







Command: login block-for <block_time> attempts <#> within <time_period>

- Mitigates the possibility of a brute force attack by blocking all login attempts for a specific period of time if too many attempts had been made during a short time period.
- Note that this command blocks ALL login attempts.
- The command is interpreted “if <#> attempts to login have occurred within <time_period> in seconds, prevent all further login attempts for <block_time> in seconds.”
- For example: login block-for 180 attempts 4 within 60

Finding it in the configuration:

RTR7200# show running-config | include login block-for
login block-for 30 attempts 3 within 30

Command: login quiet-mode access-class <acl# or aclNAME>

- This command sets the access list <acl# or aclNAME> as a list of ip addresses that can still login even though every other ip address is blocked out.

Finding it in the configuration:

RTR7200# show running-config | include login quiet-mode
login quiet-mode access-class ALLOW_ACCESS

RTR7200# show access-list ALLOW_ACCESS
Standard IP access-list ALLOW_ACCESS
10 permit 10.4.1.14

Command: login delay <#>

- Force a delay of <#> seconds between each login attempt.

Finding it in the configuration:

RTR7200# show running-config | include login delay
login delay 3



Command: login on-failure log [every <#>]

- This command causes a log entry to be generated every time a login fails.
- It might seem that setting this to 1 would be a good idea; however, a number between 5 and 10 is more appropriate. If login attempts are being blocked (failing), then security is being enforced.
- Login failures are counted on a per-ip address basis.

Finding it in the configuration:

RTR7200# show running-config | include login on-failure
login on-failure log every 5

Command: login on-success log [every <#>]

- Unlike login failures, this one should be set to 1.
- Since 1 is the default, it is not necessary to include it in the command. Enter only login on-success log to configure the default of 1.

Finding it in the configuration:

RTR7200# show running-config | include login on-success
login on-success log

Command: security authentication failure rate <#>

- Sets a global threshold rate for login failures.
- If the threshold is breached, a syslog message is posted and a 15-second delay is enforced.
- This global setting can be overruled by the login block-for command.

Finding it in the configuration:

RTR7200# show running-config | include security authentication
security authentication failure rate 8
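The password and login commands from enable secret through security authentication failure rate can be checked together. As an added example (not part of the original document), this Python script parses a saved running-config and applies the rules stated above: enable secret rather than enable password, service password-encryption set, a minimum length of at least 10, usernames created with secret rather than password (type 7 is reversible, type 0 is plaintext), one privilege-1 user present, and login block-for plus both login logging commands configured. The configuration excerpt, function names and placeholder hash strings are constructed for this example.

```python
import re

# Constructed sample running-config excerpt (not from the original document).
# The hash strings are placeholders, not real credential material.
SAMPLE_CONFIG = """\
service password-encryption
security passwords min-length 10
enable secret 5 $1$EXAM$PLACEHOLDERHASH000000000
username NOACCESS privilege 1 secret 5 $1$EXAM$PLACEHOLDERHASH111111111
username ADMIN privilege 15 secret 5 $1$EXAM$PLACEHOLDERHASH222222222
username OLDOPS privilege 15 password 7 0812PLACEHOLDER
login block-for 180 attempts 4 within 60
login on-failure log every 5
login on-success log
"""

USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<method>secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)",
    re.MULTILINE,
)

def parse_usernames(config):
    """One dict per 'username' line: name, privilege (default 1), method and
    storage type (5 = MD5 hash, 7 = reversible, 0 = plaintext, None = the
    value was typed in cleartext and carries no type marker)."""
    users = []
    for m in USERNAME_RE.finditer(config):
        users.append({
            "name": m.group("name"),
            "privilege": int(m.group("priv") or 1),
            "method": m.group("method"),
            "type": int(m.group("type")) if m.group("type") else None,
        })
    return users

def login_block_policy(config):
    """Return (block_time, attempts, within) from 'login block-for', or None."""
    m = re.search(r"^login block-for (\d+) attempts (\d+) within (\d+)", config, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None

def min_password_length(config):
    m = re.search(r"^security passwords min-length (\d+)", config, re.MULTILINE)
    return int(m.group(1)) if m else None

def audit_credentials(config, required_min_length=10):
    """Apply the password rules from the text; return a list of findings."""
    findings = []
    if not re.search(r"^enable secret ", config, re.MULTILINE):
        findings.append("enable secret is not set")
    if re.search(r"^enable password ", config, re.MULTILINE):
        findings.append("enable password is configured; only enable secret should be used")
    if not re.search(r"^service password-encryption[ \t]*$", config, re.MULTILINE):
        findings.append("service password-encryption is not set")
    length = min_password_length(config)
    if length is None or length < required_min_length:
        findings.append(f"security passwords min-length is {length}; expected >= {required_min_length}")
    users = parse_usernames(config)
    for u in users:
        if u["method"] == "password":
            findings.append(f"username {u['name']} uses 'password' (type {u['type']}); use 'secret'")
        elif u["type"] == 0:
            findings.append(f"username {u['name']} secret stored in plaintext (type 0)")
    if not any(u["privilege"] == 1 for u in users):
        findings.append("no privilege-1 username for normal connection")
    if login_block_policy(config) is None:
        findings.append("login block-for is not configured")
    if not re.search(r"^login on-failure log", config, re.MULTILINE):
        findings.append("login on-failure log is not configured")
    if not re.search(r"^login on-success log", config, re.MULTILINE):
        findings.append("login on-success log is not configured")
    return findings

if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample the only finding is the OLDOPS account, whose type 7 string is exactly what service password-encryption produces and what the text warns gives no real protection.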





Command: show login

- Displays all the login commands in the configuration:

A login delay of 3 seconds is applied.
Quiet-Mode access list ALLOW_ACCESS is applied.
All successful login is logged.
Every 5 failed login is logged.
Router enabled to watch for login Attacks.
If more than 3 login failures occur in 30 minutes or less,
logins will be disabled for 30 seconds.
Router presently in Normal-Mode.
Current Watch Window
  Time remaining: 22 seconds.
  Login failures for current window: 0.
Total login failures: 0.


Filtering

Ingress & Egress Filters:

- The ingress filter is the access list assigned to the interface connected closest to the service provider which blocks known malicious or simply bad traffic from entering your LAN.
- The egress filter is the access list assigned to the interface connected closest to your LAN which allows only legitimate traffic to depart your LAN.
- Note that the egress filter may be more than one access list. If the router you’re examining has multiple LANs connected to it, it may be necessary to implement an egress filter to each of the interior interfaces.
- To determine which access list is the egress and which is the ingress, it will be necessary to review the structure of the network to determine which interface should host the ingress filter and which should host the egress filter.
- For this example, interface FastEthernet0/0 (f0/0) will be the interface connected to the provider. View the configuration for the interface:

RTR7200# show running-config | section FastEthernet0/0

If the resulting display contains the two lines

ip access-group <NAME> in
ip access-group <NAME> out

the <NAME> preceding “in” is the ingress filter and the <NAME> preceding “out” is the egress filter.





If the interface only includes the one “in” filter, you’ll need to view the configuration of the other interfaces to determine which should contain the outbound filtering.

Ingress Access List:

- Once you’ve decided which is the ingress filter and which is the egress filter, you next need to examine their contents (see next section).
- Access-lists are essential for securing a router. They can, however, be extremely complex. Without a thorough understanding of all the applications traversing the router and the protocols involved, it is impossible to validate each acl.
- There are some things which are universally filtered at the outside interface. Among these are ip addresses which are not routable across the Internet, referred to as private addresses. Certain multicast addresses should also be blocked as well as malformed addresses.
- RFC 5735 and RFC 4193 list the private address and other reserved ranges for IPv4 and IPv6 respectively and discuss their purpose and implementation.
- The Center for Internet Security (CIS) Security Configuration Benchmark for Cisco IOS Version 3.0.0, September, 2011 contains a recommended list of ip addresses that should be blocked at the ingress filter. They are included in the example ingress access-list on the following slide. There are other candidates for inclusion in this list.

1) access-list <acl> deny ip <your_internal_address_range> any log
2) access-list <acl> deny ip 127.0.0.0 0.255.255.255 any log
3) access-list <acl> deny ip 10.0.0.0 0.255.255.255 any log
4) access-list <acl> deny ip 172.16.0.0 0.15.255.255 any log
5) access-list <acl> deny ip 192.168.0.0 0.0.255.255 any log
6) access-list <acl> deny ip 192.0.2.0 0.0.0.255 any log
7) access-list <acl> deny ip 169.254.0.0 0.0.255.255 any log
8) access-list <acl> deny ip 0.0.0.0 0.255.255.255 any log
9) access-list <acl> deny ip host 255.255.255.255 any log

- Line 1 prevents any external host from spoofing your ip addresses.
- Line 2 is the loopback range of addresses.
- Lines 3, 4, & 5 are the big 3 private address ranges.
- Line 6 is TEST-NET-1 and is used only in documentation.
- Line 7 is the local link block.
- Lines 8 & 9 are blocking bogus ip addresses.
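The two steps above, locating the ingress and egress filters on the provider-facing interface and then checking the ingress list against the nine entries, can be automated over a saved running-config. As an added example (not part of the original document), this Python script maps ip access-group lines to interfaces, parses the named or numbered access list, converts Cisco wildcard masks to prefixes, and reports which of the required ranges are not denied before a permit would let them through (access lists match first entry wins, so order matters). It also checks the egress list against the rule in the next section that every permit should source from your own address space. The configuration excerpt, function names and the provider-side address are constructed; 10.1.40.0/24 is the LAN range from Figure 2, and the required ranges are lines 2 to 9 of the list above.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (not from the original document).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 ip access-group INGRESS_FILTER in
 ip access-group EGRESS_FILTER out
!
interface FastEthernet0/1
 ip address 10.1.40.2 255.255.255.0
!
ip access-list extended INGRESS_FILTER
 deny ip 10.1.40.0 0.0.0.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 192.0.2.0 0.0.0.255 any log
 deny ip 169.254.0.0 0.0.255.255 any log
 deny ip host 255.255.255.255 any log
 permit ip any any
ip access-list extended EGRESS_FILTER
 permit ip 10.1.40.0 0.0.0.255 any log
 deny ip any any log
"""

# Ranges denied by lines 2-9 of the text (RFC 5735 special-use blocks).
REQUIRED_DENIES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "169.254.0.0/16", "0.0.0.0/8", "255.255.255.255/32")]

def access_groups(config):
    """Map interface name -> {'in': ACL, 'out': ACL} from 'ip access-group' lines."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            result[current] = {}
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s+ip access-group (\S+) (in|out)$", line)
            if m:
                result[current][m.group(2)] = m.group(1)
        else:
            current = None
    return result

def _parse_addr(tokens, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Invert the wildcard into a netmask; a non-contiguous wildcard raises ValueError.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(tokens[i] + "/" + str(mask), strict=False), i + 2

def parse_entry(text):
    """Parse one extended ACL entry; None if it is not 'permit|deny <proto> <src> <dst>'."""
    tokens = text.split()
    if tokens and tokens[0].isdigit():          # sequence number in a named ACL
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    try:
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
    except (ValueError, IndexError):
        return None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst,
            "log": "log" in tokens[i:]}

def acl_entries(config, name):
    """Entries of a named ACL block or a numbered 'access-list <name>' list, in order."""
    lines = []
    m = re.search(r"^ip access-list (?:standard|extended) " + re.escape(name) + r"[ \t]*$",
                  config, re.MULTILINE)
    if m:
        for line in config[m.end():].splitlines()[1:]:
            if not line.startswith(" "):
                break
            lines.append(line.strip())
    else:
        for line in re.findall(r"^access-list " + re.escape(name) + r" .*$", config, re.MULTILINE):
            lines.append(line.split(None, 2)[2])
    return [e for e in (parse_entry(l) for l in lines) if e]

def uncovered_ranges(entries, internal, required=REQUIRED_DENIES):
    """Ranges not caught by a 'deny ip <range> any' before a permit that overlaps them."""
    missing = []
    for net in [internal] + list(required):
        covered = False
        for e in entries:
            if (e["action"] == "deny" and e["proto"] == "ip"
                    and e["dst"].prefixlen == 0 and net.subnet_of(e["src"])):
                covered = True
                break
            if e["action"] == "permit" and e["src"].overlaps(net):
                break                             # this permit would match first
        if not covered:
            missing.append(net)
    return missing

def egress_permits_only(entries, internal):
    """True when every permit in the egress ACL sources from the internal range."""
    permits = [e for e in entries if e["action"] == "permit"]
    return bool(permits) and all(e["src"].subnet_of(internal) for e in permits)

def audit_filters(config, provider_iface, internal_cidr):
    """Find the in/out ACLs on the provider-facing interface and check both."""
    internal = ipaddress.ip_network(internal_cidr)
    groups = access_groups(config).get(provider_iface, {})
    report = {"ingress": groups.get("in"), "egress": groups.get("out"),
              "ingress_missing": [], "egress_ok": False}
    if report["ingress"]:
        entries = acl_entries(config, report["ingress"])
        report["ingress_missing"] = [str(n) for n in uncovered_ranges(entries, internal)]
    if report["egress"]:
        report["egress_ok"] = egress_permits_only(acl_entries(config, report["egress"]), internal)
    return report
```

On the sample, the report shows that line 8 (0.0.0.0/8) is absent from INGRESS_FILTER and that EGRESS_FILTER permits only the LAN range. Entries the parser cannot read (port-qualified tcp/udp lines, object groups) are skipped, so an empty "ingress_missing" list still calls for reading the full list by hand, as the text says.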


Egress Access List:

- The egress filter is an access list which ensures that only legitimate traffic (traffic generated by your own LAN) is allowed to exit the LAN.
- The access-list may be complex due to the inclusion of protocols and applications as well as operationally mandated traffic.




The single entry you’re looking for is one that allows only your address space:

access-list <acl> permit ip <your_internal_address_range> any log

If there are other users (LANs) connected to other interfaces, this line needs to be adjusted for their ip address range and included in the filter located on their interface of the router.

ICMP:

- Internet Control Message Protocol.
- Purpose is to assist in the control of the Internet Protocol (IP).
- Can convey virtually ALL information about internal structure of your LAN.
- Is required for some purposes.
- Which ICMP messages need to be filtered and which need to be allowed will be dictated by local mission requirements as well as restrictions mandated by the external service provider.
- At a minimum, all non-mandated inbound requests should be filtered as well as any outbound requests from addresses other than the management station.
- To verify the filtering established for a particular LAN, it is necessary to have an understanding of the structure of the LAN: what ip address is/are assigned to the management station(s); what is the address space for the LAN; what applications are running which require the use of ICMP; etc.
- ICMP needs to be filtered on both the egress and ingress interfaces.
- In the ingress filter access list, there might be lines which allow icmp echo requests from specific external ip addresses such as a trusted management station or server. Verify the ip addresses included with the local operating procedures.
- All other ip traffic from the network to which the management stations/servers belong should be explicitly blocked.

ip access-list extended INGRESS_FILTER
 permit icmp host <trusted-management-station> any echo
 permit icmp host <trusted-management-server> any echo
 deny ip any <the_rest_of_the_network> <mask>

- In the egress filter access list, there might be lines which allow icmp echo requests from specific internal ip addresses such as a management station. Verify the ip address of the management station.
- All other icmp traffic from your network must be explicitly blocked.

ip access-list extended EGRESS_FILTER
 permit icmp host <trusted-management-station> any echo
 permit icmp host <trusted-management-server> any echo
 deny icmp any <the_rest_of_the_network> <mask>

Note: If icmp echo-requests are permitted out of your LAN, the corresponding echo-reply must then be permitted back in to your router through the ingress filter. The entry in the ingress filter should be as specific as possible to ensure no unauthorized icmp traffic enters.



AUTHENTICATION

Local:

username <name> [privilege <level>] secret <password>

- Local usernames are used in many places for authentication purposes.
- In the aaa command (discussed elsewhere) aaa authentication login default local enable, the “local” option indicates that the local username database should be consulted for authentication (then the enable secret password).
- In the command ip http authentication local, “local” means that only a username from the local username database, once properly authenticated by entering the correct password, will have access to the http protocol.
- On vty, aux, and con lines, the command login local means the same thing. Use show running-config | begin line to see all the line configurations.

Finding it in the configuration:

RTR7200# show running-config | include local
ip http authentication local
login local

AAA

Command: aaa new-model

- Activates AAA (authentication, authorization, accounting) functionality.
- Immediately applies local authentication to all lines and interfaces except the console (line con 0). Sessions already opened are not affected. If a session times out and no username is configured, you are effectively logged out. For this reason, a username must be configured prior to executing this command.

Finding it in the configuration:

show running-config | include aaa new-model
aaa new-model

Designate Server(s):

tacacs-server host <ip | hostname> [timeout <sec>] [key <KEY>]
radius-server host <ip | hostname> [timeout <sec>] [key <KEY>]

- Designates the TACACS+/RADIUS server ip address or hostname.

Finding it in the configuration:


show running-config | include tacacs-server
show running-config | include radius-server

tacacs-server host A.B.C.D timeout 15
radius-server host E.F.G.H auth-port 1645 acct-port 1646 timeout 15 key 7 08136D…

(The RADIUS server configuration includes the default authentication and accounting port assignment numbers of 1645/1646. TACACS+ uses only port 49.)

Create Server-Groups:

aaa group server tacacs+ <NAME>
aaa group server radius <NAME>

- Creates a group named <NAME> into which servers can be added.
- The router prompt changes to the server-group config prompt:

(config-sg-tacacs+)# server < ip | hostname >
(config-sg-radius)# server < ip | hostname >

- Adds the server(s) to the group.

Finding it in the configuration:

show running-config | include aaa group
aaa group server tacacs+ <NAME>
aaa group server radius <NAME>

Authenticating Enable EXEC Mode:

aaa authentication enable default group tacacs+ enable

- Creates the default list for determining whether or not a user can access privileged EXEC command level.
- This command allows for up to four of these methods:
  - group <NAME>: use the servers configured in the <NAME> group
  - group tacacs+: use all available tacacs+ servers
  - group radius: use all available radius servers
  - enable: use the enable password
  - line: use the line password (if connected via vty line, for example)
  - none: no authentication required

Finding it in the configuration:

show running-config | include aaa authentication enable
aaa authentication enable default group tacacs+ enable

Authenticating Logins:

aaa authentication login default group tacacs+ local enable

- This is the default list for authenticating a user who wants to log in.
- This command allows for up to four of these methods:
  - group <NAME>: use the servers configured in the <NAME> group
  - group tacacs+: use all available tacacs+ servers
  - group radius: use all available radius servers
  - enable: use the enable password
  - line: use the line password (if connected via vty line, for example)
  - local: local username database




  - local-case: case-sensitive local username database
  - none: no authentication required

Finding it in the configuration:

show running-config | include aaa authentication login
aaa authentication login default group tacacs+ local enable

Accounting:

aaa accounting exec start-stop group tacacs+
- Accounting occurs for all user shell EXEC commands.

aaa accounting commands 15 default start-stop group tacacs+
- Accounting occurs for all commands on level 15.

aaa accounting network start-stop group tacacs+
- Accounting occurs for all network related services like PPP.

aaa accounting connection start-stop group tacacs+
- Accounting occurs for all outbound connections.

aaa accounting system start-stop group tacacs+
- Accounting occurs for all system related events not directly related to a user.

- These five commands are all required to completely configure aaa accounting.
- “start-stop” accounting begins as soon as the session begins. A summary record which includes session statistics is sent when the session ends.

Finding it in the configuration:

show running-config | include aaa accounting
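The AAA section above has three checkable properties: aaa new-model must not be enabled before a local username exists (the lockout risk the text describes), every authentication method list should be read for a trailing none or for server-only lists with no local or enable fallback, and all five accounting commands should be present. As an added example (not part of the original document), this Python script parses the aaa authentication lines into method lists and reports those conditions over a saved running-config. The configuration excerpt, group name and function names are constructed for this example.

```python
import re

# Constructed sample running-config excerpt (not from the original document).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TAC_GRP
 server 192.0.2.10
aaa authentication login default group TAC_GRP local enable
aaa authentication enable default group tacacs+ enable
aaa authentication login CONSOLE none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username ADMIN privilege 15 secret 5 $1$EXAM$PLACEHOLDERHASH
tacacs-server host 192.0.2.10 timeout 15
"""

# The five accounting types the text says are all required.
ACCOUNTING_TYPES = ("exec", "commands 15", "network", "connection", "system")

def _methods(text):
    """Split a method string, keeping 'group <NAME>' as one method."""
    tokens, out, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def method_lists(config):
    """One dict per 'aaa authentication login|enable <list> <methods>' line."""
    lists = []
    for m in re.finditer(r"^aaa authentication (login|enable) (\S+) (.+)$", config, re.MULTILINE):
        lists.append({"service": m.group(1), "name": m.group(2), "methods": _methods(m.group(3))})
    return lists

def audit_aaa(config):
    """Return findings for the AAA rules stated in the text."""
    findings = []
    has_new_model = re.search(r"^aaa new-model[ \t]*$", config, re.MULTILINE) is not None
    has_user = re.search(r"^username \S+", config, re.MULTILINE) is not None
    if has_new_model and not has_user:
        findings.append("aaa new-model is set but no local username exists (lockout risk)")
    for ml in method_lists(config):
        label = f"authentication {ml['service']} {ml['name']}"
        if "none" in ml["methods"]:
            findings.append(f"{label} allows 'none'")
        if all(m.startswith("group ") for m in ml["methods"]):
            findings.append(f"{label} has no local/enable fallback if the servers are unreachable")
    for acct in ACCOUNTING_TYPES:
        if not re.search(r"^aaa accounting " + re.escape(acct) + r"\b", config, re.MULTILINE):
            findings.append(f"aaa accounting {acct} is not configured")
    return findings

if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", f)
```

On the sample the CONSOLE list's none and the three missing accounting types are reported; the default login list passes because it falls back to local and then enable, as the text describes.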

EIGRP Authentication:

(config)# key chain KC_EIGRP
(config-keychain)# key 1
(config-keychain-key)# key-string ReallyStrong!

- Creates a key chain for EIGRP called “KC_EIGRP” and adds key #1 to it.

(config-if)# ip authentication mode eigrp 33 md5

- In interface configuration mode, activate authentication for as 33.

(config-if)# ip authentication key-chain eigrp 33 KC_EIGRP

- Set authentication to use the key-chain configured previously.

Finding it in the configuration:

show running-config | section key chain
key chain KC_EIGRP
 key 1
  key-string 7 04690E07032D557D1D0B0A19154A

Once you know the key chain name, search for it:

show running-config | include KC_EIGRP
ip authentication key-chain eigrp 33 KC_EIGRP

Debugging eigrp will display which interfaces are authenticating:

debug eigrp packets





    : EIGRP: Received packet with MD5 authentication, key id = 1
    : EIGRP: Received HELLO on <int> nbr <ip>


OSPF

Authentication:

(config-if)# ip ospf message-digest-key 1 md5 ReallyReallyStrong!
    Establishes the key for this interface
    This must be pre-shared. That is, the interface on the next device in line to which this interface is connected must have an identical key configured.

(config-if)# ip ospf authentication message-digest
    Activates the MD5 (message-digest) authentication on this interface

Finding it in the configuration:

Since authentication is configured on a per-interface basis, verifying the configuration needs to be performed the same way:

show ip ospf interface <int> (once per interface)
    /- output omitted -/
    Message digest authentication enabled
    Youngest key id is 1

MANAGEMENT ACCESS

Keepalives:

service tcp-keepalives-in
service tcp-keepalives-out
    Generate keepalives on network connections
    Sometimes, tcp connections to remote points may become disconnected at the remote host without notifying the originating end of the connection. When this happens, it might become impossible to reconnect to the remote host upon its return to service because this end of the connection still believes the connection exists. With keepalives configured, each end of the connection will be aware that the other end has disconnected and can close its end.

Finding it in the configuration:

show running-config | include tcp-keepalives
    service tcp-keepalives-in
    service tcp-keepalives-out

Exec Timeouts:

exec-timeout <minutes> [<seconds>]
    Establishes the length of time a line is allowed to be idle before the router disconnects it, dropping the connection.
    A setting of 0 0 (zero zero) disables this feature and is not allowed.

Finding it in the configuration:

Begin the display of the config file from the first instance of a line:

A setting of 10 minutes is the default and will not appear in the listing.

show running-config | begin line
    line con 0




     /- output omitted -/
     exec-timeout 5
    line vty 0 4
     /- output omitted -/
     exec-timeout 3 30

Configure Secure Shell (SSH):

ip domain-name <NAME>
hostname <HOSTNAME>
crypto key generate rsa general-keys modulus 1024
    Each router has to have a unique hostname.
    All routers that need to communicate via SSH must be configured with the same domain name.
    The minimum required modulus (encryption strength) is 1024.

Finding it in the configuration:

show running-config | include ip domain-name
    ip domain-name ns.com

show ip ssh
    SSH Enabled - version 1.99
    Authentication timeout: 120 secs; Authentication retries: 3

Changing SSH Defaults:

ip ssh version 2
    Set ssh to version 2; it is backward-compatible with version 1 but offers superior security.

ip ssh time-out 60
    Set the ssh timeout to 60 seconds instead of the default 120.

ip ssh authentication-retries 4
    Set the number of times a user/device can attempt to authenticate before being locked out of ssh.

Finding it in the configuration:

show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 60 secs; Authentication retries: 4

Allowing Access to SSH:

(config-line)# transport input ssh
    Executed on the vty line(s)
    Forces the requirement to connect using only ssh.
    Effectively blocks access to telnet.

(config-line)# access-class <standard_acl> in
    The acl contains ip addresses of those stations authorized access to the vty lines and, therefore, to ssh.

Finding it in the configuration:

show running-config | section vty
    line vty 0 4
     /- output omitted -/




     access-class 1 in
     transport input ssh
     /- output omitted -/

Configure Secure HTTP (HTTPS):

no ip http server
ip http secure-server
    The recommendation is that neither http nor https be enabled.
    If operationally necessary or mandated, only the secure http server (https) will be activated.
    This configuration has to do with https terminating on the router, not passing through it on the data plane.

Finding it in the configuration:

show running-config | include http
    no ip http server
    ip http secure-server
    /- other http commands may be listed -/

Restrict Access to HTTPS:

ip http authentication local
    Local usernames will be used for authentication.

ip http authentication enable
    If you know the enable secret password, you can authenticate to http.

ip http authentication aaa login-authentication <NAME>
    Authenticate login attempts using the configured method list <NAME>.

Finding it in the configuration:

show running-config | include http
    no ip http server
    ip http authentication aaa login-authentication WEBACCESS
    ip http secure-server

Banners:

banner incoming @ This is the INCOMING banner … @
banner motd % This is the MOTD banner … %
banner exec & This is the EXEC banner … &
banner login * This is the LOGIN banner … *
    The incoming banner is used when the router receives a connection from a host on the network, from an address within the interface address range.
    The motd (message of the day) banner is displayed before any other banner.
    The exec banner is displayed when the user has connected to the router.
    The login banner is displayed after the user has authenticated.

Finding it in the configuration:

show running-config | include banner
    banner incoming ^C This is the INCOMING banner … ^C
    banner motd ^C This is the MOTD banner … ^C
    banner exec ^C This is the EXEC banner … ^C
    banner login ^C This is the LOGIN banner … ^C


LOGGING RULES

Logging (Part 1):

logging <{on | enable}>
    Logging is required. This command activates it. Different versions of the IOS may require “on” while others require “enable”.

no logging monitor
    The ‘no’ version of this command ensures that logging messages are not sent to an alternate monitor connected to one of the terminal (vty) lines.

logging source-interface loopback0
    To provide consistency in the generation of logging messages, a loopback interface’s ip address should be used as the source for all logging from a particular device.
    This command causes the ip address of loopback0 to be included in messages.

logging [host] <ip_address_of_logging_host>
    Sets the ip address of the logging server.
    All generated syslog traffic is sent to this address.
    Some versions of Cisco IOS require the [host] option.

Logging (Part 2):

logging buffered <buffer_size> [level]
    Sets aside an area in memory of size <buffer_size> (in bytes) for holding logging messages of severity <level> locally so that they can be viewed by a logged-in level 15 user.
    The minimum recommended <buffer_size> is 16000

logging rate-limit console 3 except critical
    Limits the number of messages which are displayed on the console to no more than 3 per second unless the message is critical (level 3) priority or higher.
    The intent is to prevent logging messages from consuming an inordinate amount of processing time resulting in an unstable router.

logging console <level>
    Causes logging messages of severity level <level> to be sent to the console.
    Recommended level is “critical” (2)
    Levels are discussed on the next slide.

Logging (Part 3):

logging trap <level>
    The logging trap command indicates what level snmp trap will generate a logging message.

logging alarm <level>
    Sets the severity level of alarms to be logged.
    This is different from logging trap which deals only with snmp levels.

Levels are numbered from 0 to 7 and are named emergencies(0), alerts(1), critical(2), errors(3), warnings(4), notifications(5), informational(6), and debugging(7).




Setting a specific level will cause the inclusion of that level and all levels of higher severity (lower number).

What level is configured is a matter of local policy.

Finding it in the configuration:

show running-config | include logging
    logging buffered 24000 informational
    logging rate-limit console 3 except critical
    logging console critical
    no logging monitor
    logging alarm major
    logging trap debugging
    logging source-interface Loopback0
    logging 10.1.45.3

A very extensive and detailed logging report is available by executing

show logging
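The level arithmetic above (a lower number is a more severe level) is what an audit script has to apply when it reads these commands back out of a running-config. The following Python snippet is an added example, not part of the presentation; it reads the `logging` lines from a constructed sample (the output shown above, plus a weak one) and checks them against the thresholds the slides give: buffer size at least 16000, console level critical (2) or more severe, console rate-limit present, monitor logging off, a source-interface and a logging host set.

```python
import re

# Syslog severities exactly as the slides list them: lower number = more severe.
LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

def parse_level(token):
    """Accept a level by name or by number (IOS allows both); return 0-7 or None."""
    if token is None:
        return None
    if token.isdigit() and 0 <= int(token) <= 7:
        return int(token)
    return LEVELS.get(token.lower())

def first_match(lines, pattern):
    """Return the re.Match for the first line matching pattern, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m
    return None

def audit_logging(config_text):
    """Check the logging commands from this presentation. Every value is a
    bool (pass/fail) except trap_level, which is the parsed level or None."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    f = {}
    m = first_match(lines, r"logging buffered (\d+)(?: (\S+))?$")
    f["buffer_size_ok"] = bool(m) and int(m.group(1)) >= 16000   # slides: minimum 16000
    m = first_match(lines, r"logging console (\S+)$")
    lvl = parse_level(m.group(1)) if m else None
    # Recommended console level is critical (2); a higher number means a noisier console.
    f["console_level_ok"] = lvl is not None and lvl <= LEVELS["critical"]
    f["rate_limit_ok"] = first_match(lines, r"logging rate-limit console \d+") is not None
    f["monitor_off"] = "no logging monitor" in lines
    f["source_interface_set"] = first_match(lines, r"logging source-interface \S+$") is not None
    f["syslog_host_set"] = first_match(lines, r"logging (?:host )?\d+\.\d+\.\d+\.\d+$") is not None
    m = first_match(lines, r"logging trap (\S+)$")
    f["trap_level"] = parse_level(m.group(1)) if m else None
    return f

# Constructed sample reproducing the "Finding it in the configuration" output above.
SAMPLE_CONFIG = """\
logging buffered 24000 informational
logging rate-limit console 3 except critical
logging console critical
no logging monitor
logging alarm major
logging trap debugging
logging source-interface Loopback0
logging 10.1.45.3
"""

# Constructed sample with the settings the slides warn against.
WEAK_CONFIG = """\
logging buffered 4096
logging console 7
logging monitor informational
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        for check, result in audit_logging(cfg).items():
            print(f"{name:6} {check:22} {result}")
```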

CONFIGURATION FILE MANAGEMENT

Archive:

(config)# archive
    The archiving of configuration files allows for the replacement and restoration of configurations. Without a repository for configuration files, there would be no way to restore a router to a previous, working, state.

(config-archive)# log config
    Enters logging configuration sub-mode.

(config-archive-log-cfg)# logging enable
    Causes logging messages to be generated for any configuration change executed from EXEC mode.

(config-archive-log-cfg)# logging size <#>
    Sets the maximum number of messages (1000 or less) retained in the log.

(config-archive-log-cfg)# notify syslog contenttype plaintext
    Causes configuration change messages to be sent to a remote syslog server in addition to being sent to the logging buffer

(config-archive-log-cfg)# hidekeys
    Do not include (hide) any keys or passwords in the log entries.

(config-archive)# path disk0:<filename>
    Sets the path and location of the logging files. As new files are created, a sequential number is added to the end of the file name entered here.

(config-archive)# write-memory
    Automatically create a backup any time the write memory command is issued.

(config-archive)# time-period <sec>
    Sets the time period (seconds) to automatically save the current configuration.

Finding it in the configuration:




show running-config | section archive
    archive
     logging enable
     logging size 150
     notify syslog contenttype plaintext
     hidekeys
     path disk0:backup-netman
     write-memory

Exclusive Configuration Access:

configuration mode exclusive auto expire <sec>
    When a user with privilege level 15 access enters configuration terminal mode, the config file is locked, preventing others accessing it at the same time.
    The lock will expire after <sec> seconds of inactivity.

Finding it in the configuration:

show running-config | include configuration mode
    configuration mode exclusive auto expire <sec>

Software Resilience:

secure boot-config
    Makes a backup of the configuration file and stores it in persistent memory.

secure boot-image
    Moves the IOS image file to persistent memory.

Finding it in the configuration:

Neither of these commands is stored in the configuration file.

SNMP RULES

Simple Network Management Protocol:

SNMP is a very powerful network management protocol.
SNMP should be disabled unless it is absolutely required or mandated.
Whether or not to use it is a matter of local policy.
If the service provider is mandating the use of SNMP, it must be Version 3.
The following SNMP commands represent the basic configuration requirements for using the protocol.
You should be provided with any additional configuration information you need by the service provider.

snmp-server community <READONLY_STRING> ro <acl>
    Sets <READONLY_STRING> as the password for read-only (ro) access to the Management Information Base (MIB).
    <acl> is an access list name or number containing ip addresses of hosts on the network which are allowed to use this community string to access the MIB. It is required.

Finding it in the configuration:

show running-config | include snmp-server community
    snmp-server community ReadOnly RO ALLOWED_RO_SNMP

snmp-server community <READWRITE_STRING> rw <acl>




    Sets <READWRITE_STRING> as the password for read-write (rw) access to the Management Information Base (MIB).
    <acl> is an access list name or number containing ip addresses of hosts on the network which are allowed to use this community string to access the MIB.
    Normally, a readwrite community string is not in the configuration.
    Whether or not this community string is set is a matter of policy.

Finding it in the configuration:

show running-config | include snmp-server community
    snmp-server community ReadOnly RW ALLOWED_RW_SNMP

snmp-server enable traps <trap_type>
    trap_type can be a combination of things; which ones are included is a matter of local policy
    example: snmp-server enable traps snmp linkup linkdown coldstart warmstart authentication
    Traps are not allowed unless a server is also configured to receive them (next slide).

Finding it in the configuration:

show running-config | include snmp-server enable traps
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps ds1
    … … …
    snmp-server enable traps voice
    snmp-server enable traps dnis

snmp-server host <host_ip | host_name> <options>
snmp-server host http://{host_ip | host_name} [:<port>][/<url>] <options>
    Identifies the snmp server.
    Inclusion of additional options is a matter of local policy as well as other configuration items located elsewhere in the configuration file.

Finding it in the configuration:

show running-config | include snmp-server host
    snmp-server host 10.1.55.32 version 3 priv SNMP_USER

snmp-server group <GROUP_NAME> v3 priv
    If snmp is to be used, it should be version 3.
    To ensure that traffic is protected in transit, version 3 groups should be configured with the “priv” option indicating that traffic be encrypted.

Finding it in the configuration:

show running-config | include snmp-server group
    snmp-server group v3Group2 v3 priv




snmp-server user <NAME> <GROUP_NAME> v3 auth sha <authentication_password> priv aes <aes_size> <private_password> access <acl_name_or_number>
    Minimum recommended aes_size is 128
    This command, in conjunction with the snmp-server group command, provides this USER with privacy encryption.

Finding it in the configuration:

show running-config | include snmp-server user
    snmp-server user SNMP_USER v3Group2 v3
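The SNMP rules above are all visible in the `snmp-server` lines of the running-config, so they can be checked mechanically. This Python snippet is an added example, not part of the presentation: it applies those rules to a constructed excerpt built from the outputs shown on the preceding slides (every community needs an access list, a rw community is flagged, v1/v2c groups are flagged, v3 groups must be priv, hosts should be version 3 priv, and traps need a host to receive them). The `snmp-server user` line is not checked because, as the output above shows, the running-config hides its auth and priv parameters.

```python
import re

def audit_snmp(config_text):
    """Apply the SNMP rules of this presentation to a running-config excerpt:
    every community needs an access list, rw communities and v1/v2c groups are
    flagged, v3 groups must be 'priv', hosts should use 'version 3 priv', and
    traps need a host to receive them. Returns (severity, message) tuples; an
    empty list means SNMP is absent (the preferred state) or every rule passed."""
    lines = [l.strip() for l in config_text.splitlines()
             if l.strip().startswith("snmp-server")]
    findings, traps_enabled, host_seen = [], False, False
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", line, re.I)
        if m:
            string, mode, acl = m.group(1), m.group(2).lower(), m.group(3)
            if acl is None:
                findings.append(("high", f"community '{string}' has no access list"))
            if mode == "rw":
                findings.append(("high", f"read-write community '{string}' present"))
            continue
        m = re.match(r"snmp-server group (\S+) v3 (\S+)", line)
        if m:
            if m.group(2) != "priv":
                findings.append(("medium", f"v3 group '{m.group(1)}' is '{m.group(2)}', not priv"))
            continue
        m = re.match(r"snmp-server group (\S+) v(1|2c)\b", line)
        if m:
            findings.append(("high", f"group '{m.group(1)}' uses SNMP version {m.group(2)}"))
            continue
        m = re.match(r"snmp-server host (\S+)(.*)$", line)
        if m:
            host_seen = True
            if "version 3 priv" not in m.group(2):
                findings.append(("medium", f"host {m.group(1)} is not set to version 3 priv"))
            continue
        if line.startswith("snmp-server enable traps"):
            traps_enabled = True
    if traps_enabled and not host_seen:
        findings.append(("medium", "traps are enabled but no snmp-server host is configured"))
    return findings

# Constructed sample built from the "Finding it in the configuration" outputs above.
SAMPLE_CONFIG = """\
snmp-server community ReadOnly RO ALLOWED_RO_SNMP
snmp-server community ReadOnly RW ALLOWED_RW_SNMP
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 10.1.55.32 version 3 priv SNMP_USER
snmp-server group v3Group2 v3 priv
snmp-server user SNMP_USER v3Group2 v3
"""

# Constructed sample of the settings the slides say should not be there.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server group legacy v2c
snmp-server enable traps snmp
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        for severity, message in audit_snmp(cfg) or [("info", "all SNMP rules pass")]:
            print(f"{name}: [{severity}] {message}")
```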

TIME

Timestamps:

service timestamps <debug | log> <datetime | uptime> [show-timezone] [localtime] [msec] [year]
    Configures timestamps for either debug or log messages
    Use either the real date & time <datetime> or time since the router was last restarted/reloaded <uptime> in seconds
    Optionally add time zone information <show-timezone>
    Use local time <localtime>
    Include the current <year>
    Include millisecond timing in each message <msec>

Finding it in the configuration:

show running-config | include service timestamps

Look for BOTH debug and log commands:
    service timestamps debug …
    service timestamps log …

Configuring Time (System Clock):

clock timezone GMT <[+ | -] hours>
    Sets the onboard clock to the correct timezone based on Greenwich Mean Time (GMT) plus or minus a fixed number of hours.

Finding it in the configuration:

show running-config | include clock timezone
    clock timezone GMT 5

clock summer-time zone recurring [week day month hh:mm] [week day month hh:mm]
    Sets the absolute start and stop time for summer time in your time zone.
    There are other formats for this command; however, it is only the summer-time configuration you’re concerned with. If the command is set, that’s good enough.

Finding it in the configuration:

show running-config | include clock summer-time
    clock summer-time zone … … …

Network Timing Protocol (NTP):


ntp authenticate
    Activates the ntp authentication procedure.
    Note that it is the server being authenticated, not the router.

Finding it in the configuration:

show running-config | include ntp authenticate
    ntp authenticate

ntp authentication-key <id#> md5 <key>
    Establishes the key to use for authenticating the ntp server
    The key is hashed using the MD5 (128-bit) hashing algorithm (currently the only option on a Cisco router).

Finding it in the configuration:

show running-config | include ntp authentication
    ntp authentication

ntp trusted-key <id#>
    Sets the key identified with id# as a trusted key, meaning that any external ntp server that uses this key can be used to synchronize the router’s time.
    The previous command establishes the key and the crypto type (md5) and this command designates it as trusted.

Finding it in the configuration:

show running-config | include ntp trusted
    ntp trusted-key 1

ntp access-group [peer | query-only | serve | serve-only] [acl# | aclNAME]
    This access group should be configured.
    The four options peer, query-only, etc. are a matter of local policy.

Finding it in the configuration:

show running-config | include ntp access
    ntp access-group query-only 14

show running-config | include access-list 14
    Standard IP access list 14
    10 permit 10.10.20.3

ntp update-calendar
    Causes the hardware clock on the router to be synchronized with the external time source

Finding it in the configuration:

show running-config | include ntp update
    ntp update-calendar

ntp server <ip_address | name> [key <#> | prefer | source <int> | ver <#>]
    Sets the ip address of the external time server.
    There should be two ntp servers defined.
    The key keyword is followed by the key number to be used when authenticating this server
    prefer means that this server is preferred over any others




    The source keyword is followed by an interface name. It will cause ntp to use the ip address of the designated interface for interactions with this specific server. It takes precedence over the global ntp source <int> command.
    version is followed by either 1, 2, or 3, depending on which version of ntp this server uses

Finding it in the configuration:

show running-config | include ntp server
    ntp server 216.119.69.113 key 1 prefer source Loopback0 ver 3

ntp source <int>
    NTP will use the ip address assigned to the interface <int> in all messages sent to all destinations

Finding it in the configuration:

show running-config | include ntp source
    ntp source Loopback0

INTERFACES

Auxiliary Line (aux):

line aux 0
 no exec
 transport input none
    no exec disables all incoming connections
    transport input none prevents a protocol selection
    The auxiliary port should be completely disabled unless in use.

Finding it in the configuration:

show running-config | section line aux

Look For:
    no exec
    transport input none

Console Line (con0):

login authentication <default | aaa_list>
    Forces aaa authentication

exec-timeout <min> [<sec>]
    Sets an inactivity timeout for the console.
    Unlike the vty lines (next slide), which are accessible from across the network, the console port is accessible only through physical access. Because of this, configured security for it is considerably less than for the vty lines.

Finding it in the configuration:

show running-config | section line con

Look For:
    login authentication …
    exec-timeout

Virtual Terminal Lines (vty):

login authentication <default | aaa_list>
    Forces aaa authentication

exec-timeout <min> [<sec>]




    Sets an inactivity timeout for the console.

transport input ssh
    SSH must be used to connect to the line.

access-class <acl_VTY_ACCESS> in
    An access-control list containing authorized ip addresses

Finding it in the configuration:

show running-config | section line vty

Interface Configuration Commands:

ip access-group <acl_INGRESS> in
    Applies an in-bound access list to this interface.

ip access-group <acl_EGRESS> out
    Applies an out-bound access list to this interface.

no ip directed-broadcast
    This is the default in modern Cisco IOS and does not appear in the config file.
    In legacy IOS, this command should be included on every interface.

no cdp enable
    Even though already globally disabled (no cdp run), disabling cdp on each individual interface is a good idea.

no ip mroute-cache
    IP mroute caching configures fast-switching of multicast traffic.
    Unless specifically required, it should be disabled with the ‘no’ version of the command.
    mroute caching is not available in all versions of Cisco IOS.

ip verify unicast reverse-path
    Causes the router to examine every packet received on the interface to make sure that the source address appears in the routing table and matches the interface on which the packet was received. This capability relies on the Forwarding Information Base (FIB) created by the CEF command.

no ip redirects
    An ICMP message used to inform the sending device that a better route exists than the one used. A hacker could use this capability to cause a host to redirect its traffic to the hacker rather than the proper gateway.

no ip unreachables
    Also an ICMP message, this is usually disabled to prevent its being used in a denial of service (DOS) attack. The router could be flooded with improperly crafted packets, causing it to send an unreachable response to each. This could prevent the router from routing legitimate traffic.

no ip proxy-arp
    Normally, a Cisco router can “stand-in” for a host connected to it by using Proxy ARP wherein the router responds to arp requests as if it were actually the host. This is done in the interest of speed as well as ease of configuration on the host. It is disabled to prevent a host from identifying itself as another host, thus causing the router to forward another host’s traffic to it.




Finding it in the configuration:

show running-config | section interface fastethernet0/1
show running-config | section interface serial1/1
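Because the aux, console, vty and interface checks are all per-section (`| section line vty`, `| section interface ...`), an audit script has to split the running-config into its indented blocks before applying them. The following Python example is added here and is not part of the presentation; it parses a constructed running-config excerpt into sections and applies the line and interface rules listed above, skipping loopback and shut-down interfaces (an assumption of this example, since no traffic enters them).

```python
import re

def parse_sections(config_text):
    """Split an IOS running-config into {header: [child commands]}; a header
    starts in column 0 and its commands are indented, as 'section' output shows."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

INTERFACE_RULES = ["no ip redirects", "no ip unreachables", "no ip proxy-arp",
                   "no cdp enable", "ip verify unicast reverse-path"]
AUX_RULES = ["no exec", "transport input none"]

def audit_lines_and_interfaces(config_text):
    """Return (section header, problem) tuples for every rule from the slides not met."""
    problems = []
    for header, cmds in parse_sections(config_text).items():
        if header.startswith("interface "):
            if header.startswith("interface Loopback") or "shutdown" in cmds:
                continue  # no traffic enters here; the interface rules do not apply
            for rule in INTERFACE_RULES:
                if rule not in cmds:
                    problems.append((header, f"missing '{rule}'"))
            if not any(c.startswith("ip access-group ") for c in cmds):
                problems.append((header, "no ip access-group applied"))
        elif header.startswith("line aux"):
            for rule in AUX_RULES:
                if rule not in cmds:
                    problems.append((header, f"missing '{rule}'"))
        elif header.startswith("line con") or header.startswith("line vty"):
            if not any(c.startswith("login authentication ") for c in cmds):
                problems.append((header, "no aaa login authentication"))
            for c in cmds:  # no exec-timeout means the 10 minute default, which passes
                m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
                if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                    problems.append((header, "exec-timeout 0 0 disables the idle timeout"))
            if header.startswith("line vty"):
                if "transport input ssh" not in cmds:
                    problems.append((header, "transport input is not restricted to ssh"))
                if not any(c.startswith("access-class ") and c.endswith(" in") for c in cmds):
                    problems.append((header, "no inbound access-class"))
    return problems

# Constructed excerpt: Fa0/1, the console and the aux line follow the slides;
# Serial1/1 and the vty lines deliberately do not.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip access-group INGRESS in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
 ip verify unicast reverse-path
interface Serial1/1
 ip address 10.2.40.1 255.255.255.0
line con 0
 login authentication default
line aux 0
 no exec
 transport input none
line vty 0 4
 login authentication default
 exec-timeout 0 0
 access-class 1 in
 transport input telnet ssh
"""

if __name__ == "__main__":
    for section, problem in audit_lines_and_interfaces(SAMPLE_CONFIG):
        print(f"{section}: {problem}")
```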