  #1  
01-05-2006, 08:40 AM
hostmedic
Join Date: Nov 2005
Posts: 35
Hardening Cisco routers

As a network admin or Data Center employee you know the importance of securing your network. Interestingly enough, the following list is what we use as a starting point when auditing a network we go into - corporate or data-center... it's amazing how many of these points are missed.

The average CCNA knows about them - but just tends to skip at least one or more of them...

  1. Keeping IOS version up to date
  2. Password and privilege levels
  3. AUX, VTY, HTTP, and console access control
  4. Authentication, authorization for RADIUS and TACACS+
  5. SNMP traps
  6. RIP, OSPF, EIGRP and BGP routing security
  7. Setting up logging for violations and manipulation of logging buffers, as well as ACL violations
  8. NTP security settings
  9. Disabling finger, CDP, chargen and echo (if not needed)
  10. Setting up anti-spoofing filters
  11. Physical access (you'd be amazed how many janitors are night-time tech students)
  12. Failure to set up warning banners...
  #2  
01-05-2006, 08:52 AM
hostmedic
1. Keeping the IOS up-to-date

First thing is to determine the IOS version you're using -
log in to the console and type:

    show version

There are a few levels of IOS version - Cisco has done an excellent job at setting up these classifications:
  • Early Deployment (ED) - Alpha stage

    CTED - Consolidated Tech Early Deployment: Feature rich but unstable.

    STED - Specific Early Deployment: Feature rich but unstable, and focused on a specific platform.

    SMED - Specific Market Early Deployment: Very much like a STED but focused on a specific market segment (like an ISP, Datacenter, {us}).

    X - one-time, short-lived releases adding features to the ED.
  • Major Releases

    LD - Limited Deployment: Normally the first major IOS release, having passed through the ED stage. Lasts around 9 - 14 months generally (BETA STAGE).

    GD - General Deployment: (LIVE) Once an IOS reaches the GD phase, normally no changes are made to the code, as its whole point is to remain as stable as possible.

As a checklist - generally you want to ensure that all routers are running a current IOS GD (General Deployment) release, check the IOS against Cisco's Security Advisories, and have a plan to recheck it on a regular basis.

Last edited by hostmedic; 01-05-2006 at 09:02 AM.
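The `show version` check in the post above, turned into a script, as an added example that is not part of the original post: it pulls the release string out of `show version` output, splits it into major.minor(maintenance)train rebuild, and compares it with a minimum release. The two sample outputs and the minimum releases are constructed for illustration; the real minimums come from the Cisco Security Advisory for the bug you are checking. One caveat the post leaves implicit: releases on different trains (12.3 mainline versus 12.4T, say) are separate lines of code with separate fix schedules and are not ordered against each other, so the script refuses to compare them rather than guessing.

```python
"""Pull the IOS release out of `show version` output and compare it with a
minimum release. Added example, not from the original post; the sample
outputs and the minimum releases used below are constructed for illustration."""
import re
from typing import NamedTuple, Optional

# IOS release syntax: major.minor(maintenance)TRAIN rebuild, e.g. 12.4(15)T7.
# Mainline releases carry no train letters; the rebuild number is optional.
VERSION_RE = re.compile(r"(?:Version )?(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")

# Constructed samples of the first lines of `show version` on two IOS generations.
SHOW_VERSION_12_4T = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
"""
SHOW_VERSION_12_3 = """\
IOS (tm) 2600 Software (C2600-I-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""


class IosVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str      # "" for mainline, "T", "M", "SX", ... otherwise
    rebuild: int    # 0 when the release carries no rebuild number

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}({self.maintenance}){self.train}"
        return base + (str(self.rebuild) if self.rebuild else "")


def parse_version(text: str) -> Optional[IosVersion]:
    """First release string found in text (show version output or a bare release)."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train, int(rebuild or 0))


def compare(current: IosVersion, minimum: IosVersion) -> str:
    """OK / OUTDATED within one train; NOT COMPARABLE across trains.
    12.3 mainline and 12.4T are separate lines of code with separate fixes,
    so a higher maintenance number on another train proves nothing."""
    same_train = (current.major, current.minor, current.train) == \
                 (minimum.major, minimum.minor, minimum.train)
    if not same_train:
        return "NOT COMPARABLE"
    if (current.maintenance, current.rebuild) >= (minimum.maintenance, minimum.rebuild):
        return "OK"
    return "OUTDATED"


def audit(show_version_output: str, minimum_release: str) -> str:
    """Verdict for one router against one required release string."""
    current, minimum = parse_version(show_version_output), parse_version(minimum_release)
    if current is None or minimum is None:
        return "UNPARSEABLE"
    return compare(current, minimum)


if __name__ == "__main__":
    # Minimum releases here are placeholders; take the real ones from the advisory.
    for output, minimum in ((SHOW_VERSION_12_4T, "12.4(15)T9"),
                            (SHOW_VERSION_12_4T, "12.3(26)"),
                            (SHOW_VERSION_12_3, "12.3(26)")):
        print(f"{parse_version(output)} vs minimum {minimum}: {audit(output, minimum)}")
```

In practice you feed this the output captured over SSH from each router (the post's "recheck it on a regular basis") and a per-train table of minimum releases taken from the advisory; anything that comes back NOT COMPARABLE needs a human to look the train up in the advisory's own table.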
  #3  
01-05-2006, 09:01 AM
hostmedic
2. Password & Privilege Levels:

Points of access: there are many ways to access a Cisco router.
  • Console Port
    Perhaps one of the safer ways, unless you're in a datacenter where your equipment has shared access. One of the ways we also see this as an issue is when a client has a computer connected and that computer has the HyperTerminal session open but a poor password for Remote Desktop.... remember, you're only as secure as your weakest link.
  • Auxiliary Port
  • Virtual TTY
  • HTTP
  • TFTP
  • SNMP

More to follow soon...
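Posts #1 and #3 list what to check but not how to check it across a fleet of routers. As an added example that is not part of the original posts, the script below audits a saved `show running-config` against the items that can be read off the config text: passwords (item 2), AUX/VTY/HTTP access (3), AAA (4), SNMP community strings (5), logging (7), NTP (8), finger/CDP/small servers (9), uRPF anti-spoofing (10) and the banner (12). Both sample configs are constructed, using RFC 5737 documentation addresses and <placeholders> for secrets; the hardened one is one reasonable reading of the checklist, not a config from the posts. One caveat: `show running-config` omits settings that are at their default, so a service that is off by default (the TCP/UDP small servers on 12.x, for instance) shows up as a finding until you confirm it on the box; where the platform supports `show running-config all`, feed that in instead.

```python
"""Audit an IOS running-config against the checklist in post #1 (and the access
points in post #3). Added example, not from the original posts; both configs
are constructed samples using RFC 5737 addresses and <placeholders>."""
import re

WEAK_CONFIG = """\
enable password cisco
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
service password-encryption
no service tcp-small-servers
no service udp-small-servers
no ip finger
no cdp run
no ip http server
aaa new-model
username netadmin privilege 15 secret 5 <hash>
enable secret 5 <hash>
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
snmp-server community <string> RO 10
logging host 192.0.2.10
ntp authenticate
ntp authentication-key 1 md5 <key>
ntp trusted-key 1
ntp server 192.0.2.10 key 1
banner motd ^C Authorized access only. Activity is logged. ^C
line aux 0
 no exec
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 transport input ssh
"""

def parse_config(text):
    """{section header: [indented sub-commands]}; unindented lines also go under 'global'."""
    cfg, current = {"global": []}, "global"
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            cfg[current].append(line.strip())
        else:
            current = line.strip()
            cfg["global"].append(current)
            cfg.setdefault(current, [])
    return cfg

def has_global(cfg, cmd):
    return any(l == cmd or l.startswith(cmd + " ") for l in cfg["global"])

def every_section(cfg, prefix, cmd):
    """At least one section starts with prefix, and every one of them carries cmd."""
    hits = [subs for hdr, subs in cfg.items() if hdr.startswith(prefix)]
    return bool(hits) and all(any(l.startswith(cmd) for l in s) for s in hits)

def urpf_everywhere(cfg):
    """Item 10: every addressed, non-loopback interface runs unicast RPF."""
    ifs = [s for h, s in cfg.items() if h.startswith("interface ") and "Loopback" not in h
           and any(l.startswith("ip address ") for l in s)]
    return bool(ifs) and all(any(l.startswith("ip verify unicast") for l in s) for s in ifs)

REQUIRED_GLOBAL = {  # checklist item: global command that must be present
    "2 service password-encryption": "service password-encryption",
    "3 HTTP server disabled": "no ip http server",
    "4 AAA enabled": "aaa new-model",
    "7 logging to a syslog host": "logging host",
    "8 NTP authentication": "ntp authenticate",
    "9 finger disabled": "no ip finger",
    "9 CDP disabled": "no cdp run",
    "9 TCP small servers off": "no service tcp-small-servers",
    "9 UDP small servers off": "no service udp-small-servers",
}
REQUIRED_IN_SECTION = {  # checklist item: (section prefix, sub-command required in each)
    "3 AUX port disabled": ("line aux", "no exec"),
    "3 VTY restricted by access-class": ("line vty", "access-class"),
    "3 VTY accepts SSH only": ("line vty", "transport input ssh"),
}
EXTRA_CHECKS = [
    ("2 enable secret, no enable password",
     lambda c: has_global(c, "enable secret") and not has_global(c, "enable password")),
    ("5 no default SNMP community string",
     lambda c: not any(re.match(r"snmp-server community (public|private)\b", l) for l in c["global"])),
    ("10 uRPF on addressed interfaces", urpf_everywhere),
    ("12 login banner", lambda c: has_global(c, "banner motd") or has_global(c, "banner login")),
]

def audit(text):
    """Checklist items the config fails; an empty list means every check passed."""
    cfg = parse_config(text)
    failed = [n for n, cmd in REQUIRED_GLOBAL.items() if not has_global(cfg, cmd)]
    failed += [n for n, (p, cmd) in REQUIRED_IN_SECTION.items() if not every_section(cfg, p, cmd)]
    failed += [n for n, check in EXTRA_CHECKS if not check(cfg)]
    return failed
```

`audit(WEAK_CONFIG)` returns every item; `audit(HARDENED_CONFIG)` returns an empty list. The checks are deliberately literal string matches on the config, which is what makes them cheap to run over a directory of saved configs; routing-protocol authentication (item 6) is left out here because the right check depends on which protocol and which interfaces are in play.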
  #4  
02-05-2006, 05:44 PM
Resolution 208 (Guest)
Team CYMRU's Secure IOS document

There's a great reference template from Team CYMRU (the Bogon filter guys) on securing IOS:

http://www.cymru.com/Documents/secure-ios-template.html

It's a pretty good list (anti-bogon, local security, protecting BGP links, telnet ACLs, etc.)

They also include the same ideas but written in JUNOS configuration; for all those Juniper users out there (read: ISPs/Service providers).

- R208.

Last edited by Resolution 208; 02-05-2006 at 05:45 PM. Reason: spelling