© 2006 Cisco Systems, Inc. All rights reserved. SND v
Securing the Perimeter
Disabling Unused Cisco Router Network Services and Interfaces
Outline
– Overview
– Vulnerable Router Services and Interfaces
– Management Service Vulnerabilities
– Locking Down Your Router with Cisco AutoSecure
– Limitations and Cautions
– Summary
Vulnerable Router Services and Interfaces

Disable these unnecessary services and interfaces:
– Unused router interfaces
– BOOTP server
– Cisco Discovery Protocol
– Configuration autoloading
– FTP server
– TFTP server
– NTP service
– PAD service
– TCP and UDP minor (small) services
– DEC MOP service

Disable commonly configured management services:
– SNMP
– HTTP server
– DNS

Ensure path integrity (disable both):
– ICMP redirects
– IP source routing

Disable probes and scans:
– Finger
– ICMP unreachable notifications
– ICMP mask reply

Ensure terminal access security:
– IP identification service (disable)
– TCP keepalives (enable, so that dead or hijacked sessions are torn down)

Disable gratuitous and proxy ARP:
– Gratuitous ARP
– Proxy ARP

Disable IP-directed broadcast
What You Need to Do
Know that these services can be used by attackers. You do not have to know the details of how each service is abused, but you do need to know how and when to disable it.
Management Service Vulnerabilities
Management service vulnerabilities include the following:
– SNMPv1 and SNMPv2c pass community strings in clear text.
– HTTP basic authentication passes passwords in clear text (Base64-encoded, not encrypted).
– DNS lookups that the router sends to the broadcast address (the Cisco IOS behavior when no name server is configured) can be answered by an attacker lurking on the segment.
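To make the two clear-text weaknesses above concrete, the following Python is an added example (it is not Cisco course material or Cisco code). It decodes the community string from a constructed SNMPv1 GetRequest and the username and password from a constructed HTTP Basic Authorization header of the kind the Cisco IOS HTTP server accepts. The packet bytes, the management address 192.0.2.1 and the credentials admin/cisco123 are placeholders built inside the script; nothing touches a network.

```python
"""Show why SNMPv1/v2c and HTTP basic authentication are management risks.

Added example, not Cisco course material. Both inputs are constructed below;
nothing is sent or captured on a network. Anyone who can sniff the management
path (a mirrored port, an ARP-poisoned segment) recovers the same values.
"""
import base64
from typing import Optional, Tuple


def ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder (short-form length) used to build the sample."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def snmp_community(packet: bytes) -> Tuple[int, str]:
    """Return (version, community) from an SNMPv1 (0) or SNMPv2c (1) message.

    An SNMP message is SEQUENCE { INTEGER version, OCTET STRING community,
    PDU }. The community string is the whole authentication, sent unencrypted.
    """
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE, so not an SNMP message")
    tag, ver, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):      # SNMPv3 (3) uses a USM header, not a community
        raise ValueError(f"SNMP version {version} carries no community string")
    tag, community, _ = _tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    return version, community.decode("ascii", errors="replace")


def http_basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, if present.

    Base64 is an encoding, not encryption: decoding needs no key.
    """
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None


# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "private".
SYS_DESCR_0 = bytes.fromhex("2b06010201010100")        # OID 1.3.6.1.2.1.1.1.0
SAMPLE_SNMP_GET = ber(0x30,
    ber(0x02, b"\x00")                                  # version 0 = SNMPv1
    + ber(0x04, b"private")                             # community, clear text
    + ber(0xA0,                                         # GetRequest-PDU
          ber(0x02, b"\x01") + ber(0x02, b"\x00") + ber(0x02, b"\x00")
          + ber(0x30, ber(0x30, ber(0x06, SYS_DESCR_0) + ber(0x05, b"")))))

# Constructed sample: a request to the IOS HTTP server's exec URL. 192.0.2.1 and
# admin/cisco123 are placeholders, not real devices or credentials.
SAMPLE_HTTP_REQUEST = (
    "GET /level/15/exec/-/show/running-config HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:cisco123").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("SNMP:", snmp_community(SAMPLE_SNMP_GET))
    print("HTTP:", http_basic_credentials(SAMPLE_HTTP_REQUEST))
```

The SNMP decoder deliberately refuses version 3 messages: SNMPv3 replaces the community string with a user-based security model that can authenticate and encrypt, which is why the lesson's remedy is to disable SNMPv1/v2c or move to SNMPv3 rather than to pick a harder community string. The same applies to the HTTP server: prefer `ip http secure-server` (HTTPS) or SSH, since a stronger password is still recoverable from a Basic header.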
Locking Down a Router with Cisco AutoSecure

Cisco AutoSecure will modify the configuration of your device. Cisco AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks.

router# auto secure

    Router#auto secure
    Is this router connected to internet? [no]:y
    Enter the number of interfaces facing internet [1]:1
    Enter the interface name that is facing internet:FastEthernet0/0
    Securing Management plane services..
    Disabling service finger
    Disabling service pad
    Disabling udp & tcp small servers
    Enabling service password encryption
    Enabling service tcp-keepalives-in
    Enabling service tcp-keepalives-out
    Disabling the cdp protocol
Locking Down a Router with Cisco SDM
1. Choose Configure.
2. Choose Security Audit.
3. Click One-step Lockdown.
4. In the Cisco SDM Warning dialog box, click Yes.
5. Deliver the commands to the router.
Locking Down a Router with Cisco SDM (Cont.)
[Screenshot of the Cisco SDM dialogs for steps 4 and 5]
Limitations and Cautions
These Cisco AutoSecure features are not implemented in Cisco SDM:
– Disabling NTP
– Configuring AAA
– Setting SPD (selective packet discard) values
– Enabling TCP Intercept
– Configuring antispoofing ACLs on outside interfaces

These Cisco AutoSecure features are implemented differently in Cisco SDM:
– Cisco SDM will disable SNMP but will not configure SNMPv3.
– Cisco SDM will enable and configure SSH on crypto Cisco IOS images, but will not enable SCP (Secure Copy) or disable other access and file transfer services, such as FTP.
Summary
– Many services and interfaces are enabled by default on newly commissioned routers. These services and interfaces are vulnerable to attack and should be secured.
– Router management services, such as SNMP or DNS lookup, can be exploited by attackers. You should disable these services on your routers.
– Securing a router can be simplified by using Cisco AutoSecure from the CLI or One-Step Lockdown from Cisco SDM. If you use one of these methods, verify the resulting configuration: confirm that the services you still need are on and that the unwanted ones are off.
– The One-Step Lockdown feature does not shut down all the services and interfaces that Cisco AutoSecure does. If you use One-Step Lockdown, you may have to manually disable or configure several services.
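The service list at the start of the lesson and the summary's advice to verify the configuration after AutoSecure or One-Step Lockdown both call for the same check, so this added Python example (not Cisco tooling or code from the course) serves both. It reads the text of `show running-config`, decides for each service on the slide whether it is explicitly disabled, explicitly enabled, or left at its default, and emits the IOS commands that turn off whatever is still on. The default table is an assumption of 12.x-era Cisco IOS behavior; the sample configuration, the hostname, the interface names and the address 192.0.2.1 are constructed here.

```python
"""Audit an IOS running-config for the services this lesson says to disable.
Added example, not Cisco tooling: feed it the text of `show running-config`;
it reports what is still enabled and the IOS command that turns it off.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (scope, what is enabled, disabling command)

# (finding, disabling command, assumed default if neither form is present).
# Defaults follow the 12.x-era behaviour the lesson assumes; confirm on your
# release with `show running-config all`, which prints default settings too.
GLOBAL_CHECKS: List[Tuple[str, str, bool]] = [
    ("BOOTP server",              "no ip bootp server",           True),
    ("Cisco Discovery Protocol",  "no cdp run",                   True),
    ("configuration autoloading", "no service config",            False),
    ("PAD service",               "no service pad",               True),
    ("TCP small servers",         "no service tcp-small-servers", False),
    ("UDP small servers",         "no service udp-small-servers", False),
    ("finger",                    "no ip finger",                 False),
    ("IP identification service", "no ip identd",                 False),
    ("IP source routing",         "no ip source-route",           True),
    ("DNS lookups",               "no ip domain-lookup",          True),
    ("HTTP server",               "no ip http server",            False),
]
INTERFACE_CHECKS: List[Tuple[str, str, bool]] = [
    ("ICMP redirects",            "no ip redirects",              True),
    ("ICMP unreachables",         "no ip unreachables",           True),
    ("ICMP mask reply",           "no ip mask-reply",             False),
    ("proxy ARP",                 "no ip proxy-arp",              True),
    ("IP directed broadcast",     "no ip directed-broadcast",     False),
    ("DEC MOP",                   "no mop enabled",               True),
]


def _is_enabled(lines: List[str], disable_cmd: str, default_on: bool) -> bool:
    """Explicit 'no ...' wins, then the explicit positive form, then the default."""
    on = disable_cmd[len("no "):]
    present = any(l == on or l.startswith(on + " ") for l in lines)
    return disable_cmd not in lines and (present or default_on)


def _split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {interface name: its indented lines})."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip().replace("ip domain lookup", "ip domain-lookup")
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(config: str) -> List[Finding]:
    global_lines, interfaces = _split_config(config)
    findings: List[Finding] = []
    for name, disable_cmd, default_on in GLOBAL_CHECKS:
        if _is_enabled(global_lines, disable_cmd, default_on):
            findings.append(("global", name, disable_cmd))
    for line in global_lines:                  # SNMPv1/v2c community strings
        if line.startswith("snmp-server community "):
            name = line.split()[2]
            findings.append(("global", f"SNMP community '{name}' (clear text)",
                             f"no snmp-server community {name}"))
    for ifname, lines in interfaces.items():
        if not any(l.startswith("ip address ") for l in lines) and "shutdown" not in lines:
            findings.append((ifname, "unused interface not shut down", "shutdown"))
        for name, disable_cmd, default_on in INTERFACE_CHECKS:
            if _is_enabled(lines, disable_cmd, default_on):
                findings.append((ifname, name, disable_cmd))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """IOS configuration lines that fix every finding, grouped per interface."""
    cmds = [cmd for scope, _, cmd in findings if scope == "global"]
    for ifname in dict.fromkeys(s for s, _, _ in findings if s != "global"):
        cmds.append(f"interface {ifname}")
        cmds += [f" {cmd}" for scope, _, cmd in findings if scope == ifname]
    return cmds


SAMPLE_CONFIG = """\
service pad
no service tcp-small-servers
hostname edge-router
ip http server
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
!
interface FastEthernet0/1
 no ip address
"""

if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for scope, what, fix in found:
        print(f"{scope:16} {what:38} -> {fix}")
    print("\n".join(remediation(found)))
```

Run it against the configuration left behind by One-Step Lockdown to see which of the items on the slide (NTP, SCP, FTP, the interface-level ICMP and ARP settings) still need manual attention, and again after applying the emitted commands to confirm the audit comes back empty. The SNMP remediation removes the community; if SNMP monitoring is still required, replace it with an SNMPv3 user and group using authentication and privacy rather than re-adding a v2c community.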