By default, the Cisco IOS runs some services that are unnecessary to its normal operation, and if you don’t disable them, they can be easy targets for denial-of-service (DoS) attacks and break-in attempts.
DoS attacks are the most common attacks because they are the easiest to perform. Software and/or hardware tools such as an intrusion detection system (IDS) or an intrusion prevention system (IPS) can both warn of and stop these simple but harmful attacks. However, if we can’t implement IDS/IPS, there are some basic commands we can use on our router to make it safer. Keep in mind, though, that nothing will make you completely safe in today’s networks.
Let’s take a look at the basic services we should disable on our routers.
The Cisco IOS default configurations permit remote access from any source, so unless you’re either way too trusting or insane, it should be totally obvious to you that those configurations need a bit of attention. You’ve got to restrict them. If you don’t, the router will be a pretty easy target for an attacker who wants to log in to it. This is where access lists come into the game—they can really protect you.
If you place the following command on the serial0/0 interface of the perimeter router, it’ll stop any SNMP packets from entering the router or the DMZ. (You’d also need to have a permit command along with this list to really make it work, but this is just an example.)
Lab_B(config)#access-list 110 deny udp any any eq snmp
Lab_B(config)#interface s0/0
Lab_B(config-if)#ip access-group 110 in
In case you don’t know this already, small services are servers (daemons) running in the router that are quite useful for diagnostics. And here we go again—by default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP services, including echo, chargen, and discard.
When a host attaches to those ports, a small amount of CPU is consumed to service these requests. All a single attacking device needs to do is send a whole slew of requests with different, random, phony source IP addresses to overwhelm the router, making it slow down or even fail. You can use the no version of these commands to stop a chargen attack:
Lab_B(config)#no service tcp-small-servers
Lab_B(config)#no service udp-small-servers
Finger is a utility program designed to allow users of Unix hosts on the Internet to get information about each other:
Lab_B(config)#no service finger
This matters because the finger command can be used to find information about all users on the network and/or the router. It’s also why you should disable it. The finger command is the remote equivalent to issuing the show users command on the router.
Here are the TCP small services:
Echo Echoes back whatever you type. Type the command telnet x.x.x.x echo ? to see the options.
Chargen Generates a stream of ASCII data. Type the command telnet x.x.x.x chargen ? to see the options.
Discard Throws away whatever you type. Type the command telnet x.x.x.x discard ? to see the options.
Daytime Returns the system date and time, if correct. It is correct if you are running NTP or have set the date and time manually from the EXEC level. Type the command telnet x.x.x.x daytime ? to see the options.
The UDP small services are as follows:
Echo Echoes the payload of the datagram you send.
Discard Silently pitches the datagram you send.
Chargen Pitches the datagram you send and responds with a 72-character string of ASCII characters terminated with a CR+LF.
Again, by default, the Cisco router also offers the BootP service as well as remote auto-configuration. To disable these functions on your Cisco router, use the following commands:
Lab_B(config)#no ip bootp server
Lab_B(config)#no service config
The ip http server command may be useful for configuring and monitoring the router, but the cleartext nature of HTTP can obviously be a security risk. To disable the HTTP process on your router, use the following command:
Lab_B(config)#no ip http server
To enable an HTTP server on a router for AAA, use the global configuration command ip http server.
The IP header source-route option allows the source IP host to set a packet’s route through the IP network. With IP source routing enabled, packets containing the source-route option are forwarded to the router addresses specified in the header. Use the following command to disable any processing of packets with source-routing header options:
Lab_B(config)#no ip source-route
Proxy ARP is the technique in which one host—usually a router—answers ARP requests intended for another machine. By “faking” its identity, the router accepts responsibility for getting those packets to the “real” destination. Proxy ARP can help machines on a subnet reach remote subnets without configuring routing or a default gateway. The following command disables proxy ARP:
Lab_B(config)#interface fa0/0
Lab_B(config-if)#no ip proxy-arp
Apply this command to all your router’s LAN interfaces.
ICMP redirect messages are used by routers to notify hosts on the data link that a better route is available for a particular destination. To disable the redirect messages so bad people can’t draw out your network topology with this information, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip redirects
Apply this command to all your router’s interfaces. However, just understand that if this is configured, legitimate user traffic may end up taking a suboptimal route. Use caution when disabling this command.
The no ip unreachables command prevents the perimeter router from divulging topology information by telling external hosts which subnets are not configured. This command is used on a router’s interface that is connected to an outside network:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip unreachables
Again, apply this to all the interfaces of your router that connect to the outside world.
The multicast route cache lists multicast routing cache entries. These packets can be read, and so they create a security problem. To disable the multicast route caching, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no ip mroute-cache
Apply this command to all the interfaces of the router. However, use caution when disabling this command because it may slow legitimate multicast traffic.
The Maintenance Operation Protocol (MOP) works at the Data Link and Network layers in the DECnet protocol suite and is used for utility services like uploading and downloading system software, remote testing, and problem diagnosis. So, who uses DECnet? Anyone with their hands up? I didn’t think so. To disable this service, use the following command:
Lab_B(config)#interface s0/0
Lab_B(config-if)#no mop enabled
Apply this command to all the interfaces of the router.
Packet assembler/disassembler (PAD) connects asynchronous devices like terminals and computers to public/private X.25 networks. Since every computer in the world is pretty much IP savvy, and X.25 has gone the way of the dodo bird, there is no reason to leave this service running. Use the following command to disable the PAD service:
Lab_B(config)#no service pad
The Nagle TCP congestion algorithm is useful for small packet congestion, but if you’re using a higher setting than the default MTU of 1,500 bytes, it can create an above-average traffic load. To enable this service, use the following command:
Lab_B(config)#service nagle
It is important to understand that the Nagle congestion service can break X Window connections to an X server, so don’t use it if you’re using X Window.
Used as a syslog server, the Cisco ACS server can log events for you to verify. Use the logging trap debugging or logging trap level command and the logging ip_address command to turn this feature on:
Lab_B(config)#logging trap debugging
Lab_B(config)#logging 192.168.254.251
Lab_B(config)#exit
Lab_B#sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 15 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Trap logging: level debugging, 19 message lines logged
Logging to 192.168.254.251, 1 message lines logged
The show logging command provides you with statistics of the logging configuration on the router.
Cisco Discovery Protocol (CDP) does just that—it’s a Cisco proprietary protocol that discovers directly connected Cisco devices on the network. But because it’s a Data Link layer protocol, it can’t find Cisco devices on the other side of a router. Plus, by default, Cisco switches don’t forward CDP packets, so you can’t see Cisco devices attached to any other port on a switch.
When you are bringing up your network for the first time, CDP can be a really helpful protocol for verifying it. But since you’re going to be thorough and document your network, you don’t need the CDP after that. And because CDP does discover Cisco routers and switches on your network, you should disable it. You do that in global configuration mode, which turns off CDP completely for your router or switch:
Lab_B(config)#no cdp run
Or, you can turn off CDP on each individual interface using the following command:
Lab_B(config-if)#no cdp enable
When you use the ip helper-address command as follows on an interface, your router will forward UDP broadcasts to the listed server or servers:
Lab_B(config)#interface f0/0
Lab_B(config-if)#ip helper-address 192.168.254.251
You would generally use the ip helper-address command when you want to forward DHCP client requests to a DHCP server. The problem is that not only does this forward port 67 (BootP server request), it forwards seven other ports by default as well. To disable the unused ports, use the following commands:
Lab_B(config)#no ip forward-protocol udp 69
Lab_B(config)#no ip forward-protocol udp 53
Lab_B(config)#no ip forward-protocol udp 37
Lab_B(config)#no ip forward-protocol udp 137
Lab_B(config)#no ip forward-protocol udp 138
Lab_B(config)#no ip forward-protocol udp 68
Lab_B(config)#no ip forward-protocol udp 49
Now, only the BootP server request (67) will be forwarded to the DHCP server. If you want to forward a certain port—say, TACACS+, for example—use the following command:
Lab_B(config)#ip forward-protocol udp 49
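To check a captured running-config against the hardening items above (small servers, finger, PAD, BootP, HTTP, source routing, CDP, the per-interface settings, and the extra UDP ports relayed by ip helper-address), here is an added audit script; it is not from the book or from Cisco, and it assumes the config was saved as plain text with numeric port numbers.

```python
# Constructed 'show running-config' excerpt for the audit (not from a real device).
SAMPLE_CONFIG = """\
no service finger
ip http server
no ip forward-protocol udp 69
!
interface FastEthernet0/0
 ip helper-address 192.168.254.251
 no ip proxy-arp
 no ip redirects
!
interface Serial0/0
 no ip redirects
 no ip unreachables
"""
# Global 'no ...' lines from the list above; IOS defaults vary by release, so each must appear explicitly.
GLOBAL_REQUIRED = ("no service tcp-small-servers", "no service udp-small-servers",
                   "no service finger", "no service pad", "no ip bootp server",
                   "no service config", "no ip http server", "no ip source-route",
                   "no cdp run")
# Per-interface 'no ...' lines from the same list (checked on every interface).
IFACE_REQUIRED = ("no ip proxy-arp", "no ip redirects", "no ip unreachables", "no mop enabled")
# UDP ports that ip helper-address relays by default besides 67 (BootP server request).
HELPER_EXTRA_PORTS = (69, 53, 37, 137, 138, 68, 49)

def parse_config(text):
    """Split config text into a list of global lines and {interface: [lines]}."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None
            if line.strip() not in ("", "!"):
                glob.append(line.strip())
    return glob, ifaces

def audit(text):
    """Return sorted findings: hardening lines that are missing from the config."""
    glob, ifaces = parse_config(text)
    found = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in glob]
    for name, lines in ifaces.items():
        found += [f"{name}: missing '{c}'" for c in IFACE_REQUIRED if c not in lines]
        if any(l.startswith("ip helper-address") for l in lines):
            # Assumes numeric ports; IOS may render well-known ports by name instead.
            found += [f"{name}: helper also relays udp/{p}" for p in HELPER_EXTRA_PORTS
                      if f"no ip forward-protocol udp {p}" not in glob]
    return sorted(found)
```

Run `audit()` on the output of show running-config saved to a file; an empty list means every item on the list above is explicitly disabled.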
Okay, so ACLs seem like a lot of work and so does turning off all those services I just discussed. But you do want to secure your router with ACLs, especially on your interface connected to the Internet. However, you are just not sure what the best approach should be, or maybe you just don’t want to miss happy hour with your buddies because you’re creating ACLs and turning off default services all night long.
Either way, Cisco has a solution that is a good start, and it’s darn easy to implement. The command is called auto secure, and you just run it from privileged mode as shown:
R1#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance
security and any possible side effects, please refer to Cisco.com
for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: [enter]
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.10.1 YES NVRAM up up
Serial0/0 1.1.1.1 YES NVRAM down down
FastEthernet0/1 unassigned YES NVRAM administratively down down
Serial0/1 unassigned YES NVRAM administratively down down
Enter the interface name that is facing the internet: serial0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
#
If you are not part of the www.globalnettc.com domain, disconnect now!
#
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: [password not shown]
% Password too short - must be at least 6 characters. Password configuration
failed
Enter the new enable secret: [password not shown]
Confirm the enable secret : [password not shown]
Enter the new enable password: [password not shown]
Confirm the enable password: [password not shown]
Configuration of local user database
Enter the username: Todd
Enter the password: [password not shown]
Confirm the password: [password not shown]
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: ?
% A decimal number between 1 and 32767.
Blocking Period when Login Attack detected: 100
Maximum Login failures with the device: 5
Maximum time period for crossing the failed login attempts: 10
Configure SSH server? [yes]: [enter to take default of yes]
Enter the domain-name: lammle.com
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet
Configure CBAC Firewall feature? [yes/no]:
Configure CBAC Firewall feature? [yes/no]: no
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: yes
And that’s it—all the services I mentioned earlier are disabled, plus some! By saving the configuration that the auto secure command created, you can then take a look at your running-config to see your new configuration. It’s a long one!
Although it is tempting to run out to happy hour right now, you still need to verify your security and add your internal access-list configurations to your intranet.