
Hardening Cisco IOS-based devices

Cisco Guide to Harden Cisco IOS Devices

Recommended Global and Interface Configurations



  1. Disable all non-essential services and features

    • no service pad
    • no ip finger
    • no ip bootp server
    • IOS 12.x and later already disable certain services by default (tcp-small-servers, udp-small-servers and ip http server); verify this with show running-config rather than assuming it
    • no ip source-route



  2. Enable global security features

    • service password-encryption (automatically encrypts configured passwords)
    • service timestamps debug datetime msec localtime show-timezone
    • service timestamps log datetime msec localtime show-timezone
    • service tcp-keepalives-in
    • logging buffered <50000> debugging
    • logging console warnings (if you don't log, you can't trace problems)
    • enable secret (enables the strongest password encryption on the enable password)
    • no cdp run (if you don't need cdp at all)



  3. Disable the following features per interface

    • no ip redirects
    • no ip unreachables
    • no ip directed-broadcast
    • no ip proxy-arp
    • no cdp enable (for exterior facing interfaces)
    • make sure all other interfaces not being used are administratively shutdown



  4. Enabling additional features

    • ip subnet-zero (enables networks on the 0 boundary)
    • ip classless (allows for CIDR netmasks)
    • enable access-lists per interface as necessary to restrict the traffic to only required communication (see the links above for info regarding access-list configuration)

    • clock timezone (an accurate clock makes security logs more useful with timestamps)
    • clock summer-time recurring
    • Use NTP to keep the clock synchronized; this is highly recommended for accurate timestamping of log entries

    • snmp-server community RO 10 (secures snmp control by access list 10)
    • Add ip addresses of only the hosts that need snmp access to the router to access-list 10
    • Use the banner command to state the obvious precautions upon login as a legal disclaimer

    • Console configuration - use exec-timeout to logout idle users after 5 minutes



  5. IOS version

    • Make sure you are running a version of IOS that is stable and is patched
      for all of the latest network bugs, especially the recent SSH and SNMP vulnerabilities.
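    The following is an added example (not from the original page) that applies the global, interface and line recommendations from sections 1 to 5 to one router. Passwords, the timezone, the NTP and SNMP management hosts (RFC 5737 documentation addresses), and the interface names are assumptions; the vty exec-timeout is an extension of the console item.

```cisco
! Added example: sample hardened IOS configuration; all addresses, names and
! passwords are placeholders to be replaced with your own.
no service pad
no ip finger
no ip bootp server
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip http server
!
service password-encryption
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
logging buffered 50000 debugging
logging console warnings
enable secret ChangeMeNow
no cdp run
!
ip subnet-zero
ip classless
clock timezone EST -5
clock summer-time EDT recurring
ntp server 192.0.2.10
!
! access list 10 = the only hosts allowed to poll SNMP (read-only)
access-list 10 permit host 192.0.2.50
access-list 10 deny   any log
snmp-server community ChangeMeToo RO 10
!
banner motd ^C
Authorized access only. Activity is monitored and logged.
^C
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 shutdown
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
```

    After applying it, check the result with show running-config and show logging, since the logging and timestamp lines are what make later troubleshooting possible.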


    Cisco Internet Inbound Access List




    The following is a commented example of an Access List configuration
    for a router that acts as a "choke" device on the inside or outside of
    a true firewall device. The ! signifies a commented line in Cisco's
    notation. Non-commented lines are the actual configuration syntax as it
    would be entered on the Cisco router.




    The information supplied in this configuration is in no way guaranteed
    or supported by the author to "secure" your network. This is meant to provide
    an example of generally accepted configuration practices when securing
    routers that provide access to untrusted networks.




    This access-list should be applied inbound on your choke router to what
    is considered your external or outside interface. In most cases, for routers
    outside your firewall this will be some sort of WAN interface like a serial port,
    BRI interface, frame relay sub-interface, or ATM PVC. This filters traffic that
    is coming from the Internet or untrusted network "inbound" on the external
    interface connecting to the Internet.








    ! Deny all standard external spoofing attacks and log all attempts
    ! from illegal addresses, your external block, and reserved space
    ! For obvious reasons, non-routable Internet addresses should not be allowed to
    ! come inbound. A favorite of hackers is to spoof private source addresses or
    ! even masquerade as public addresses on your own external networks.
    !
    deny ip 192.168.0.0 0.0.255.255 any log-input
    deny ip 172.16.0.0 0.15.255.255 any log-input
    deny ip 10.0.0.0 0.255.255.255 any log-input
    deny ip 127.0.0.0 0.255.255.255 any log-input
    deny ip 255.0.0.0 0.255.255.255 any log-input
    deny ip 224.0.0.0 31.255.255.255 any log-input
    deny ip host 0.0.0.0 any log-input
    deny ip any log-input
    deny ip host any log-input

    !Deny any abusive networks here...
    !
    deny ip xxx.xxx.xxx.xxx 0.0.0.255 any log-input

    ! The commands below are all for routers being used as a firewall device.
    ! If you plan on using another device for a firewall, then do not add any other
    ! configuration lines except for the following:
    ! permit ip any any

    ! If you plan on using your router as your only firewall device you can permit
    ! or deny particular services as outlined below. The following are only examples.
    ! There are hundreds of services and non-standard configurations you may need to
    ! allow based on your individual requirements. If you do not have the budget
    ! for a true firewall such as a PIX, Checkpoint or Netscreen, you should still use
    ! a router that is sized properly to do the job you need. A Cisco 2620 or 2640
    ! should have plenty of CPU for Reflexive Access lists and Context-Based Access
    ! Control for a full T-1 worth of traffic. The other key component is RAM. Allow for
    ! a minimum of 32MB or 64MB if possible. If your budget is still an issue, you are
    ! probably better off building a firewall using a PC server (under $1000) with 2
    ! network cards using Linux or NetBSD and IPChains firewall software. You can get a
    ! lot more mileage out of a machine like that than a low-end Cisco router which
    ! really wasn't designed for that purpose anyway.
    !
    ! Include the inbound Reflexive Access-Lists if you are using this function
    !
    ! *WARNING* Reflexive Access Lists are CPU and memory intensive on your router.
    ! Make sure that your hardware is properly sized to support your volume of traffic.
    !
    ! For further explanation of these services and port numbers please refer to
    ! documentation for the specific protocols.
    !
    evaluate alliptraffic

    ! If you need to host any inbound services behind your router then the following
    ! config may help you out with some example setups.

    ! Allow outside ftp sessions inbound
    !
    permit tcp any host eq 21

    ! Allow ftp to work from inside your network (requires port 20 to be open
    ! for incoming data session)
    !
    permit tcp any eq 20 host gt 1024

    ! Allow auth/identd traffic for smtp mail and for other client apps
    !
    permit tcp any host eq 113
    permit tcp any host eq 113

    ! Allow smtp traffic inbound to mail servers
    !
    permit tcp any host eq smtp

    ! Allow http traffic inbound to all web servers
    !
    permit tcp any host eq www

    ! Allow SSL traffic inbound to all SSL servers
    !
    permit tcp any host eq 443

    ! Allow Microsoft PPTP/VPN sessions to connect inbound and log control channel
    !
    permit tcp any host eq 1723 log-input
    permit tcp any host eq 1731
    permit gre any host

    ! Allow only certain remote addresses to perform tcp DNS transfers from
    ! specific DNS servers for secondary DNS service and log each connection
    !
    permit tcp host host eq domain log-input

    ! Allow inbound client DNS requests to all DNS servers
    !
    permit udp any host eq domain

    ! Allow DNS resolution from the router's serial port for testing purposes
    !
    permit udp any eq 53 host

    ! Allow time synchronization to occur on router from ISP
    !
    permit udp any eq ntp host eq ntp

    ! Allow only particular types of icmp packets inbound to
    ! maintain integrity of data flow and sanity and for troubleshooting etc.
    !
    permit icmp any net-unreachable
    permit icmp any host-unreachable
    permit icmp any port-unreachable
    permit icmp any packet-too-big
    permit icmp any administratively-prohibited
    permit icmp any source-quench
    permit icmp any ttl-exceeded
    permit icmp any echo-reply

    ! Deny all other ICMP explicitly so it isn't logged
    !
    deny icmp any any

    ! Deny all other ip traffic explicitly and log it.
    !
    deny ip any any log-input


    Cisco Internet Outbound Access List

    The following is a commented example of an Access List configuration for a router that acts as a "choke" device on the inside or outside of a true firewall device. The ! signifies a commented line in Cisco's notation. Non-commented lines are the actual configuration syntax as it would be entered on the Cisco router.

    The information supplied in this configuration is in no way guaranteed or supported by the author to "secure" your network. This is meant to provide an example of generally accepted configuration practices when securing routers that provide access to untrusted networks.

    This access-list should be applied inbound on your choke router to what is considered your internal or inside interface. In most cases, this will be some sort of ethernet interface. This filters traffic that is going towards the Internet or untrusted network "inbound" on that interface.


    ! Deny RFC 1918 private source addresses from going outbound. It is not wise 
    ! to let packets leak outside your network with your internal address information. 
    ! This is the primary way that hackers learn about the configuration of private 
    ! networks. These packets can not be responded to anyway, since these networks are 
    ! not routable on the Internet. They would only be reachable if you are using NAT on a 
    ! device beyond this point in the network to translate to a publicly routable address.
    !
    deny ip 192.168.0.0 0.0.255.255 any log-input
    deny ip 172.16.0.0 0.15.255.255 any log-input
    deny ip 10.0.0.0 0.255.255.255 any log-input
     
    ! Keep any errant request for private addresses inside your network,
    ! just in case your internal routing table for some reason does not contain a route 
    ! that should be internal, and clients follow your default route toward the Internet 
    ! for requests that should stay inside your network. Another way that hackers 
    ! can find out about your internal network is by watching for internal requests that 
    ! accidentally get routed out to a public device that they can capture traffic from.
    !
    deny ip any 192.168.0.0 0.0.255.255 log-input
    deny ip any 172.16.0.0 0.15.255.255 log-input
    deny ip any 10.0.0.0 0.255.255.255 log-input
     
    ! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
    ! or attacked protocols on the Internet. Users should not access netbios services on 
    ! the Internet since it can very easily compromise NT Domain security and architecture.
    !
    deny   udp any any eq netbios-ns
    deny   udp any any eq netbios-dgm
    deny   udp any any eq netbios-ss
     
    ! Permit everything else from the "external network" and build the 
    ! reflexive access list alliptraffic with a timeout of 120 seconds
    !
    ! This command allows all other traffic to pass through the interface and
    ! uses an IOS feature set called Reflexive Access Lists to build a dynamic
    ! access list for return traffic coming inbound from the Internet. That way a 
    ! command can be appended to an inbound access list to evaluate inbound packets against 
    ! "allowed" return traffic to sessions started from inside your network.
    !
    ! *WARNING* This command is CPU and memory intensive on your router depending on the 
    ! volume of traffic flowing through the interface. I recommend at least a 2610 series 
    ! router with 32MB RAM minimum to support a full T-1 with this configuration.
    !
    permit ip   any reflect alliptraffic timeout 120
    deny ip any any log
     
    ! If this router is not being used as a firewall but more for just a choke device
    ! to enhance the security in front of or behind a firewall the following commands should
    ! replace the above commands... You should specifically define your networks that should 
    ! be allowed to go outbound and then deny everything else explicitly.
    !
    permit ip   any
    deny ip any any log
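    The following is an added example (not from the original page) that assembles the inbound and outbound lists above into two named extended access lists and applies them to the interfaces. Named extended lists are required here because the reflect and evaluate keywords are only accepted in that form. The external block 203.0.113.0/24, the server addresses, the serial address 198.51.100.2, the ISP NTP server 192.0.2.10 and the interface names are assumptions.

```cisco
! Added example: named extended ACLs for the choke router. All addresses
! (RFC 5737 documentation ranges) and interface names are placeholders.
ip access-list extended FROM-INTERNET
 remark anti-spoofing: private, loopback, multicast, unspecified, our own block
 deny   ip 192.168.0.0 0.0.255.255 any log-input
 deny   ip 172.16.0.0 0.15.255.255 any log-input
 deny   ip 10.0.0.0 0.255.255.255 any log-input
 deny   ip 127.0.0.0 0.255.255.255 any log-input
 deny   ip 224.0.0.0 31.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 deny   ip 203.0.113.0 0.0.0.255 any log-input
 remark return traffic for sessions started inside (entries built by TO-INTERNET)
 evaluate alliptraffic
 remark published services only
 permit tcp any host 203.0.113.25 eq smtp
 permit tcp any host 203.0.113.80 eq www
 permit tcp any host 203.0.113.80 eq 443
 permit udp any host 203.0.113.53 eq domain
 permit udp host 192.0.2.10 eq ntp host 198.51.100.2 eq ntp
 permit icmp any 203.0.113.0 0.0.0.255 echo-reply
 permit icmp any 203.0.113.0 0.0.0.255 ttl-exceeded
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 deny   icmp any any
 deny   ip any any log-input
!
ip access-list extended TO-INTERNET
 deny   ip any 192.168.0.0 0.0.255.255 log-input
 deny   ip any 172.16.0.0 0.15.255.255 log-input
 deny   ip any 10.0.0.0 0.255.255.255 log-input
 deny   udp any any eq netbios-ns
 deny   udp any any eq netbios-dgm
 deny   udp any any eq netbios-ss
 remark only our own block may leave; each session adds a reflexive entry
 permit ip 203.0.113.0 0.0.0.255 any reflect alliptraffic timeout 120
 deny   ip any any log
!
interface Serial0/0
 ip access-group FROM-INTERNET in
!
interface FastEthernet0/0
 ip access-group TO-INTERNET in
```

    Order matters: the anti-spoofing denies and evaluate sit before the service permits, so a packet from a private source aimed at the web server is dropped and logged rather than admitted by the www entry, and show access-list alliptraffic lists the sessions the reflexive list is currently tracking.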
    
    

    Additional Links to Resources




    by rolande, edited by aryoba
    last modified: 2009-07-10 08:44:29