book

Hardening Cisco Routers

Name: Hardening Cisco Routers
Author: Thomas Akin
ISBN: 9780596001667

by Thomas Akin

February 2002

Intermediate to advanced

190 pages

4h 56m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
OrganizationAudienceConventions Used in This BookHow to Contact UsAcknowledgments
1. Router Security
1.1. Router Security?1.2. Routers: The Foundation of the Internet1.3. What Can Go Wrong1.3.1. Consequences of Compromised Routers1.4. What Routers Are at Risk?1.5. Moving Forward
2. IOS Version Security
2.1. The Need for a Current IOS2.2. Determining the IOS Version2.3. IOS Versions and Vulnerabilities2.3.1. IOS Versions2.3.2. IOS Naming Scheme2.3.3. Vulnerabilities2.4. IOS Security Checklist
3. Basic Access Control
3.1. Authentication Versus Authorization3.2. Points of Access3.3. Basic Access Control3.3.1. Authentication and Authorization3.3.1.1. Console password3.3.1.2. AUX and VTY passwords3.3.1.3. Privileged-level access control3.3.1.4. Local username access control3.3.1.5. TACACS access control3.3.1.6. Disabling console, auxiliary, and VTY logins3.3.2. TFTP Access3.4. Remote Administration3.4.1. Danger of Remote Administration3.4.2. Dial-up Access3.4.2.1. Reverse Telnet3.4.3. VTY Access3.4.3.1. Disabling VTY access3.4.3.2. SSH3.4.3.3. Limiting VTY access by IP3.4.3.4. Additional VTY settings3.4.4. HTTP/Web Access3.4.4.1. Limiting HTTP access by IP3.4.4.2. HTTP authentication3.5. Protection with IPSec3.5.1. Setting up ISAKMP3.5.2. Creating the IPSec Extended ACL3.5.3. Creating IPSec Transforms3.5.4. Creating the Crypto Map3.5.5. Applying the Crypto Map to an Interface3.6. Basic Access Control Security Checklist
4. Passwords and Privilege Levels
4.1. Password Encryption4.1.1. Vigenere Versus MD54.2. Clear-Text Passwords4.3. service password-encryption4.4. Enable Security4.5. Strong Passwords4.6. Keeping Configuration Files Secure4.7. Privilege Levels4.7.1. Changing Privilege Levels4.7.2. Default Privilege Levels4.7.3. Privilege-Level Passwords4.7.4. Line Privilege Levels4.7.5. Username Privilege Levels4.7.6. Changing Command Privilege Levels4.7.7. Privilege Mode Example4.7.8. Recommended Privilege-Level Changes4.8. Password Checklist
5. AAA Access Control
5.1. Enabling AAA5.2. Local Authentication5.3. TACACS+ Authentication5.3.1. TACACS+ Enable Password5.3.2. HTTP Authentication with TACACS+5.3.3. TACACS+ Authorization5.3.3.1. EXEC authorization5.3.3.2. Command authorization5.4. RADIUS Authentication5.4.1. RADIUS Enable Password5.4.2. HTTP Authentication with RADIUS5.4.3. RADIUS Authorization5.5. Kerberos Authentication5.6. Token-Based Access Control5.7. AAA Security Checklist
6. Warning Banners
6.1. Legal Issues6.2. Example Banner6.3. Adding Login Banners6.3.1. MOTD Banner6.3.2. Login Banner6.3.3. AAA Authentication Banner6.3.4. EXEC Banner6.4. Warning Banner Checklist
7. Unnecessary Protocols and Services
7.1. ICMP7.1.1. ICMP MTU Discovery7.1.2. ICMP Redirects7.1.2.1. ICMP redirects—sending7.1.2.2. ICMP redirects—receiving7.1.3. ICMP-Directed Broadcasts7.1.4. ICMP Mask Reply7.1.5. ICMP Unreachables7.1.6. ICMP Timestamp and Information Requests7.2. Source Routing7.3. Small Services7.4. Finger7.5. HTTP7.6. CDP7.7. Proxy ARP7.8. Miscellaneous7.9. SNMP7.10. Unnecessary Protocols and Services Checklist
8. SNMP Security
8.1. SNMP Versions8.1.1. SNMP Version 18.1.2. SNMP Version 2c8.1.3. SNMP Version 38.2. Securing SNMP v1 and v2c8.2.1. Enabling SNMP v1 and v2c8.2.1.1. Community strings8.2.1.2. Read-only access8.2.1.3. Read/write access8.2.2. Disabling SNMP v1 and v2c8.2.2.1. Disabling read-only access8.2.2.2. Disabling read/write access8.2.3. Limiting SNMP v1 and v2c Access by IP8.2.3.1. Read-only access8.2.3.2. Read/write access8.2.4. SNMP Read/Write and TFTP8.2.5. Limiting SNMP v1 and v2c Access with Views8.3. Securing SNMP v38.3.1. No Authentication/No Encryption8.3.2. Authentication/No Encryption8.3.3. Authentication/Encryption8.3.4. Limiting SNMP v3 Access by IP8.3.5. Limiting SNMP v3 Output with Views8.4. SNMP Management Servers8.5. SNMP Security Checklist
9. Secure Routing and Antispoofing
9.1. Antispoofing9.1.1. Ingress and Egress Filtering9.1.1.1. Ingress9.1.1.2. Reserved and private networks9.1.1.3. Egress9.1.2. Unicast Reverse Packet Forwarding9.2. Routing Protocol Security9.2.1. Static Routing9.2.2. Authentication9.2.2.1. RIP v29.2.2.2. EIGRP9.2.2.3. OSPF9.2.2.4. BGP9.2.3. Passive Interfaces9.2.3.1. Passive interfaces9.2.3.2. OSPF and EIGRP passive interfaces9.2.4. Route Filtering9.2.4.1. Global filtering9.2.4.2. Per-interface filtering9.2.4.3. Filtering at network borders9.3. Routing Protocol and Antispoofing Checklist

10. NTP
10.1. NTP Overview10.2. Configuring NTP10.2.1. Central Server10.2.1.1. Existing timeserver10.2.1.2. Synchronized router as a timeserver10.2.1.3. Unsynchronized router as a timeserver10.2.2. Flat10.2.3. Hierarchical10.2.4. NTP Options10.2.4.1. Preferred server10.2.4.2. ntp max-associations10.2.4.3. ntp disable10.2.5. Time Zones10.2.6. Viewing Status10.2.7. Access Lists10.2.8. NTP Source Address10.2.9. Authentication10.3. NTP Checklist
11. Logging
11.1. Logging in General11.2. Router Logging11.2.1. Timestamps11.2.2. Console Logging11.2.2.1. Changing the console logging level11.2.2.2. Disabling console logging11.2.3. Buffered Logging11.2.4. Terminal Monitor11.2.5. syslog11.2.5.1. syslog facilities11.2.5.2. Configuring syslog logging11.2.5.3. syslog sequence numbers11.2.5.4. Throttling syslog messages11.2.6. SNMP Traps11.3. ACL Violation Logging11.3.1. Antispoofing Violations11.3.2. VTY Access Logging11.3.3. Other Services11.4. AAA Accounting11.4.1. AAA Accounting Methods11.4.2. AAA Accounting Types11.4.3. AAA Accounting Configurations11.4.3.1. Accounting with TACACS+11.4.3.2. Accounting with RADIUS11.4.3.3. AAA authentication failure logging11.5. Logging Checklist
A. Checklist Quick Reference
A.1. Hardening Your RoutersA.2. Auditing Your RoutersA.3. Cisco Router Security ChecklistA.3.1. IOS Security (Chapter 2)A.3.2. Basic Access Control (Chapter 3)A.3.3. Password Security (Chapter 4)A.3.4. AAA Security (Chapter 5)A.3.5. Warning Banners (Chapter 6)A.3.6. Unnecessary Protocols and Services (Chapter 7)A.3.7. SNMP Security (Chapter 8)A.3.8. Routing Protocol and Antispoofing (Chapter 9)A.3.9. NTP Security (Chapter 10)A.3.10. Logging (Chapter 11)A.3.11. Physical Security (Appendix B)A.3.12. Incident Reponse (Appendix C)
B. Physical Security
B.1. Protection Against PeopleB.1.1. LocationB.1.2. DoorsB.1.3. LocksB.1.3.1. Keyed locksB.1.3.2. Mechanical locksB.1.3.3. Electronic locksB.1.3.4. Card-access locksB.1.3.5. Biometric locksB.1.3.6. Dual-factor locksB.1.4. PersonnelB.1.5. BackupsB.2. Protection Against Murphy and Mother NatureB.2.1. FireB.2.2. WaterB.2.3. HeatB.2.4. HumidityB.2.5. ElectricityB.2.6. Dirt and DustB.3. Physical Security Checklist
C. Incident Response
C.1. Warning!C.2. Keys to InvestigatingC.2.1. Change NothingC.2.2. Record EverythingC.3. Attack Versus AccidentC.4. Discover What Happened and the Scope of the IncidentC.5. Evidence PreservationC.6. Recovering from the IncidentC.7. Preventing Future IncidentsC.8. Incident Response Checklist
D. Configuration Examples
D.1. Basic Example ConfigurationD.2. AAA Example ConfigurationD.3. SNMP Example ConfigurationD.3.1. SNMP Version 2cD.3.2. SNMP Version 3D.4. HTTP Configuration
E. Resources
E.1. Web SitesE.2. Books
About the Author
Colophon
Copyright

Content preview from Hardening Cisco Routers

Chapter 7. Unnecessary Protocols and Services

Nearly all networked systems and routers have many services automatically activated for the convenience of the administrator. These features, enabled by default, often provide attackers points of entry to gather information or gain access into the router. Since each service provides a possible access point, it is important to turn off all services that are not needed or that are security risks.

ICMP

The Internet Control Message Protocol (ICMP) enhances network functionality and is invaluable for testing network connectivity and determining network paths. No one troubleshooting a network problem would want to be without the ability to ping and traceroute. ICMP also provides incredible functionality that an attacker can manipulate to collect vast amounts of information about your routers, your network topology, and the systems on your network.

It is extremely difficult to keep a determined attacker from discovering information about any system attached to the Internet. However, the recommendations that follow will make that job harder and keep casual attackers from finding your network attractive.

ICMP MTU Discovery

Many sites choose to deny all ICMP packets into and out of their networks. This solution almost works. The only ICMP message type that causes problems when disabled is maximum transfer unit (MTU) discovery. MTU discovery optimizes the size of packets between two systems. Disabling MTU can cause severe performance problems. It ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Cisco Firepower and Advanced Malware Protection LiveLessons

Omar Santos

Integrated Security Technologies and Solutions - Volume II: Cisco Security Solutions for Network Access Control, Segmentation, Context Sharing, Secure Connectivity and Virtualization

Chad Mitchell, Jamie Sanbower, Aaron Woland, Vivek Santuka

Cisco ASA: All-in-One Next-Generation Firewall, IPS, and VPN Services, Third Edition

Jazib Frahim, Omar Santos, Andrew Ossipov

CCNA Security 210-260

Omar Santos / Aaron Woland / Mason Harris

Publisher Resources

ISBN: 0596001665Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Hardening Cisco Routers

by Thomas Akin

Chapter 7. Unnecessary Protocols and Services