book

Hardening Cisco Routers

Name: Hardening Cisco Routers
Author: Thomas Akin
ISBN: 9780596001667

by Thomas Akin

February 2002

Intermediate to advanced

190 pages

4h 56m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
OrganizationAudienceConventions Used in This BookHow to Contact UsAcknowledgments
1. Router Security
1.1. Router Security?1.2. Routers: The Foundation of the Internet1.3. What Can Go Wrong1.3.1. Consequences of Compromised Routers1.4. What Routers Are at Risk?1.5. Moving Forward
2. IOS Version Security
2.1. The Need for a Current IOS2.2. Determining the IOS Version2.3. IOS Versions and Vulnerabilities2.3.1. IOS Versions2.3.2. IOS Naming Scheme2.3.3. Vulnerabilities2.4. IOS Security Checklist
3. Basic Access Control
3.1. Authentication Versus Authorization3.2. Points of Access3.3. Basic Access Control3.3.1. Authentication and Authorization3.3.1.1. Console password3.3.1.2. AUX and VTY passwords3.3.1.3. Privileged-level access control3.3.1.4. Local username access control3.3.1.5. TACACS access control3.3.1.6. Disabling console, auxiliary, and VTY logins3.3.2. TFTP Access3.4. Remote Administration3.4.1. Danger of Remote Administration3.4.2. Dial-up Access3.4.2.1. Reverse Telnet3.4.3. VTY Access3.4.3.1. Disabling VTY access3.4.3.2. SSH3.4.3.3. Limiting VTY access by IP3.4.3.4. Additional VTY settings3.4.4. HTTP/Web Access3.4.4.1. Limiting HTTP access by IP3.4.4.2. HTTP authentication3.5. Protection with IPSec3.5.1. Setting up ISAKMP3.5.2. Creating the IPSec Extended ACL3.5.3. Creating IPSec Transforms3.5.4. Creating the Crypto Map3.5.5. Applying the Crypto Map to an Interface3.6. Basic Access Control Security Checklist
4. Passwords and Privilege Levels
4.1. Password Encryption4.1.1. Vigenere Versus MD54.2. Clear-Text Passwords4.3. service password-encryption4.4. Enable Security4.5. Strong Passwords4.6. Keeping Configuration Files Secure4.7. Privilege Levels4.7.1. Changing Privilege Levels4.7.2. Default Privilege Levels4.7.3. Privilege-Level Passwords4.7.4. Line Privilege Levels4.7.5. Username Privilege Levels4.7.6. Changing Command Privilege Levels4.7.7. Privilege Mode Example4.7.8. Recommended Privilege-Level Changes4.8. Password Checklist
5. AAA Access Control
5.1. Enabling AAA5.2. Local Authentication5.3. TACACS+ Authentication5.3.1. TACACS+ Enable Password5.3.2. HTTP Authentication with TACACS+5.3.3. TACACS+ Authorization5.3.3.1. EXEC authorization5.3.3.2. Command authorization5.4. RADIUS Authentication5.4.1. RADIUS Enable Password5.4.2. HTTP Authentication with RADIUS5.4.3. RADIUS Authorization5.5. Kerberos Authentication5.6. Token-Based Access Control5.7. AAA Security Checklist
6. Warning Banners
6.1. Legal Issues6.2. Example Banner6.3. Adding Login Banners6.3.1. MOTD Banner6.3.2. Login Banner6.3.3. AAA Authentication Banner6.3.4. EXEC Banner6.4. Warning Banner Checklist
7. Unnecessary Protocols and Services
7.1. ICMP7.1.1. ICMP MTU Discovery7.1.2. ICMP Redirects7.1.2.1. ICMP redirects—sending7.1.2.2. ICMP redirects—receiving7.1.3. ICMP-Directed Broadcasts7.1.4. ICMP Mask Reply7.1.5. ICMP Unreachables7.1.6. ICMP Timestamp and Information Requests7.2. Source Routing7.3. Small Services7.4. Finger7.5. HTTP7.6. CDP7.7. Proxy ARP7.8. Miscellaneous7.9. SNMP7.10. Unnecessary Protocols and Services Checklist
8. SNMP Security
8.1. SNMP Versions8.1.1. SNMP Version 18.1.2. SNMP Version 2c8.1.3. SNMP Version 38.2. Securing SNMP v1 and v2c8.2.1. Enabling SNMP v1 and v2c8.2.1.1. Community strings8.2.1.2. Read-only access8.2.1.3. Read/write access8.2.2. Disabling SNMP v1 and v2c8.2.2.1. Disabling read-only access8.2.2.2. Disabling read/write access8.2.3. Limiting SNMP v1 and v2c Access by IP8.2.3.1. Read-only access8.2.3.2. Read/write access8.2.4. SNMP Read/Write and TFTP8.2.5. Limiting SNMP v1 and v2c Access with Views8.3. Securing SNMP v38.3.1. No Authentication/No Encryption8.3.2. Authentication/No Encryption8.3.3. Authentication/Encryption8.3.4. Limiting SNMP v3 Access by IP8.3.5. Limiting SNMP v3 Output with Views8.4. SNMP Management Servers8.5. SNMP Security Checklist
9. Secure Routing and Antispoofing
9.1. Antispoofing9.1.1. Ingress and Egress Filtering9.1.1.1. Ingress9.1.1.2. Reserved and private networks9.1.1.3. Egress9.1.2. Unicast Reverse Packet Forwarding9.2. Routing Protocol Security9.2.1. Static Routing9.2.2. Authentication9.2.2.1. RIP v29.2.2.2. EIGRP9.2.2.3. OSPF9.2.2.4. BGP9.2.3. Passive Interfaces9.2.3.1. Passive interfaces9.2.3.2. OSPF and EIGRP passive interfaces9.2.4. Route Filtering9.2.4.1. Global filtering9.2.4.2. Per-interface filtering9.2.4.3. Filtering at network borders9.3. Routing Protocol and Antispoofing Checklist

10. NTP
10.1. NTP Overview10.2. Configuring NTP10.2.1. Central Server10.2.1.1. Existing timeserver10.2.1.2. Synchronized router as a timeserver10.2.1.3. Unsynchronized router as a timeserver10.2.2. Flat10.2.3. Hierarchical10.2.4. NTP Options10.2.4.1. Preferred server10.2.4.2. ntp max-associations10.2.4.3. ntp disable10.2.5. Time Zones10.2.6. Viewing Status10.2.7. Access Lists10.2.8. NTP Source Address10.2.9. Authentication10.3. NTP Checklist
11. Logging
11.1. Logging in General11.2. Router Logging11.2.1. Timestamps11.2.2. Console Logging11.2.2.1. Changing the console logging level11.2.2.2. Disabling console logging11.2.3. Buffered Logging11.2.4. Terminal Monitor11.2.5. syslog11.2.5.1. syslog facilities11.2.5.2. Configuring syslog logging11.2.5.3. syslog sequence numbers11.2.5.4. Throttling syslog messages11.2.6. SNMP Traps11.3. ACL Violation Logging11.3.1. Antispoofing Violations11.3.2. VTY Access Logging11.3.3. Other Services11.4. AAA Accounting11.4.1. AAA Accounting Methods11.4.2. AAA Accounting Types11.4.3. AAA Accounting Configurations11.4.3.1. Accounting with TACACS+11.4.3.2. Accounting with RADIUS11.4.3.3. AAA authentication failure logging11.5. Logging Checklist
A. Checklist Quick Reference
A.1. Hardening Your RoutersA.2. Auditing Your RoutersA.3. Cisco Router Security ChecklistA.3.1. IOS Security (Chapter 2)A.3.2. Basic Access Control (Chapter 3)A.3.3. Password Security (Chapter 4)A.3.4. AAA Security (Chapter 5)A.3.5. Warning Banners (Chapter 6)A.3.6. Unnecessary Protocols and Services (Chapter 7)A.3.7. SNMP Security (Chapter 8)A.3.8. Routing Protocol and Antispoofing (Chapter 9)A.3.9. NTP Security (Chapter 10)A.3.10. Logging (Chapter 11)A.3.11. Physical Security (Appendix B)A.3.12. Incident Reponse (Appendix C)
B. Physical Security
B.1. Protection Against PeopleB.1.1. LocationB.1.2. DoorsB.1.3. LocksB.1.3.1. Keyed locksB.1.3.2. Mechanical locksB.1.3.3. Electronic locksB.1.3.4. Card-access locksB.1.3.5. Biometric locksB.1.3.6. Dual-factor locksB.1.4. PersonnelB.1.5. BackupsB.2. Protection Against Murphy and Mother NatureB.2.1. FireB.2.2. WaterB.2.3. HeatB.2.4. HumidityB.2.5. ElectricityB.2.6. Dirt and DustB.3. Physical Security Checklist
C. Incident Response
C.1. Warning!C.2. Keys to InvestigatingC.2.1. Change NothingC.2.2. Record EverythingC.3. Attack Versus AccidentC.4. Discover What Happened and the Scope of the IncidentC.5. Evidence PreservationC.6. Recovering from the IncidentC.7. Preventing Future IncidentsC.8. Incident Response Checklist
D. Configuration Examples
D.1. Basic Example ConfigurationD.2. AAA Example ConfigurationD.3. SNMP Example ConfigurationD.3.1. SNMP Version 2cD.3.2. SNMP Version 3D.4. HTTP Configuration
E. Resources
E.1. Web SitesE.2. Books
About the Author
Colophon
Copyright

Overview

As a network administrator, auditor or architect, you know the importance of securing your network and finding security solutions you can implement quickly. This succinct book departs from other security literature by focusing exclusively on ways to secure Cisco routers, rather than the entire network. The rational is simple: If the router protecting a network is exposed to hackers, then so is the network behind it. Hardening Cisco Routers is a reference for protecting the protectors. Included are the following topics:

The importance of router security and where routers fit into an overall security plan
Different router configurations for various versions of Cisco?s IOS
Standard ways to access a Cisco router and the security implications of each
Password and privilege levels in Cisco routers
Authentication, Authorization, and Accounting (AAA) control
Router warning banner use (as recommended by the FBI)
Unnecessary protocols and services commonly run on Cisco routers
SNMP security
Anti-spoofing
Protocol security for RIP, OSPF, EIGRP, NTP, and BGP
Logging violations
Incident response
Physical security

Written by Thomas Akin, an experienced Certified Information Systems Security Professional (CISSP) and Certified Cisco Academic Instructor (CCAI), the book is well organized, emphasizing practicality and a hands-on approach. At the end of each chapter, Akin includes a Checklist that summarizes the hardening techniques discussed in the chapter. The Checklists help you double-check the configurations you have been instructed to make, and serve as quick references for future security procedures.Concise and to the point, Hardening Cisco Routers supplies you with all the tools necessary to turn a potential vulnerability into a strength. In an area that is otherwise poorly documented, this is the one book that will help you make your Cisco routers rock solid.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures, Second Edition

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization

Chad Mitchell, Jamie Sanbower, Aaron Woland, Vivek Santuka

Publisher Resources

ISBN: 0596001665Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills