
Router Hardening

Nancy Grover, CISSP. ISC2/ISSA Security Conference, November 2004.


Presentation Transcript


  1. Router Hardening Nancy Grover, CISSP ISC2/ISSA Security Conference November 2004

  2. Introduction • Types of Routers • Unnecessary Services • Password Management • Interactive Access • IP Routing

  3. Introduction • Warning Banners • SNMP Security • Logging Requirements • General Requirements • Router Threat Management

  4. Types of Routers • Boundary or edge routers • Interior routers • Backbone routers • Aggregate routers or hub routers

  5. Types of Routers • Interior routers provide connectivity within a routing domain.

  6. Types of Routers • Backbone routers provide connectivity between routing domains.

  7. Types of Routers • Aggregate routers and hub routers are used to combine a large number of connections into a smaller number of high-bandwidth connections.

  8. Types of Routers • A boundary or edge router refers to a router that sits between one or more networks that are of different security domains. • These routers require a higher level of security.

  9. Unnecessary Services • TCP & UDP Small Servers need to be disabled on the router.

  10. Unnecessary Services • These services can be disabled with the commands: no service tcp-small-servers and no service udp-small-servers • Note: Small services are disabled by default in Cisco IOS 12.0 and later software.

  11. Unnecessary Services • Boundary/edge routers should have Cisco Discovery Protocol (CDP) disabled.

  12. Unnecessary Services • The CDP protocol can be disabled with the global configuration command: no cdp run • CDP can be disabled on a particular interface with: no cdp enable

  13. Unnecessary Services • HTTP access should be disabled on the router, especially on a boundary/edge router.

  14. Unnecessary Services • Finger should be disabled on the router. • The finger service can be disabled with the command: no service finger

  15. Unnecessary Services • The RSH and RCP services must be restricted by IP address. • If the services are not needed, they must be disabled.

  16. Unnecessary Services • These services can be disabled with the commands: no ip rcmd rcp-enable and no ip rcmd rsh-enable • Note: These services are disabled by default in Cisco IOS 12.0 and later.

  17. Password Management • The service password-encryption command should be enabled to provide minimum protection for configured passwords.

  18. Password Management • As a global default, use the command: service password-encryption • Note: This command directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file.

  19. Password Management • The enable secret command is used to set the password granting privileged administrative access to the IOS system.

  20. Password Management • All system installation, maintenance, and default passwords supplied by vendors must be changed. • Passwords should follow the password complexity guidelines outlined in your company’s security policies.

  21. Interactive Access • tty console and auxiliary access should be controlled with both a user ID and password stored in a local file on the router. • Note: All tty access should use either TACACS+ or a RADIUS server for authentication.

  22. Interactive Access • Reverse telnet sessions to console and auxiliary tty lines should be disabled. • Disable reverse telnet sessions on tty lines by using the command: transport input none

  23. Interactive Access • vty access to the router should be controlled by both a user ID and password when logging into the router. • Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.

  24. Interactive Access • vty lines should be configured to accept connections only from those protocols actually needed.

  25. Interactive Access • Use the transport input command to restrict the protocols accepted by the vty lines.

  26. Interactive Access • Access to at least one vty line should be restricted to an IP or IP range to protect against Denial of Service Attacks. • The ip access-class command can be used to restrict the IP addresses.

  27. Interactive Access • Timeouts should be configured on all vty lines, based on your company’s timeout policy. • Use the exec-timeout command to configure timeouts on vty lines.

  28. IP Routing • Routers should have IP source routing disabled. • Disable IP source routing as a global default with the no ip source-route command.

  29. IP Routing • All directed broadcasts should be disabled on all router interfaces.

  30. IP Routing • Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts. • Note: directed broadcasts are disabled by default in Cisco IOS 12.0 and later.

  31. IP Routing • Boundary/edge routers, in particular, should filter ICMP redirects. • Use access lists to block ICMP redirects. • Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.

  32. IP Routing • If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.

  33. IP Routing • Note: Anti-spoofing access lists should block: • Publicly owned internal address space • All RFC1918 private addresses • IP addresses with a source address of a router interface • 127.0.0.0 (loopback)
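As an added worked example (not part of the presentation), the following Python builds the four deny categories from slide 33 for an inbound external-interface access list: the network's own publicly owned address space, the RFC1918 ranges, the router's own interface addresses as sources, and the 127.0.0.0/8 loopback block. Overlapping prefixes are collapsed, the result is rendered as IOS extended-ACL lines with wildcard masks, and a helper reports whether a given source address would be denied. The interface addresses and the internal public block are constructed values, not from the slides.

```python
import ipaddress

# Constructed inputs (not from the presentation): this router's own interface
# addresses and the public block allocated to the internal network.
ROUTER_INTERFACES = ["203.0.113.1/30", "198.51.100.1/24"]
INTERNAL_PUBLIC_SPACE = ["198.51.100.0/24"]

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOOPBACK = ["127.0.0.0/8"]


def build_antispoof_denies(interfaces, internal_public):
    """Return the source prefixes an inbound external ACL should deny, following
    the four categories on slide 33, with overlapping prefixes collapsed."""
    nets = [ipaddress.ip_network(p) for p in internal_public + RFC1918 + LOOPBACK]
    # A packet arriving from outside must never claim one of our own interface
    # addresses as its source, so each interface address is denied as a /32.
    nets += [ipaddress.ip_network(f"{ipaddress.ip_interface(i).ip}/32") for i in interfaces]
    return sorted(ipaddress.collapse_addresses(nets))


def render_ios_acl(name, denies):
    """Render the deny list as an IOS named extended ACL using wildcard masks,
    ending with the permit that lets legitimate traffic through."""
    lines = [f"ip access-list extended {name}"]
    for n in denies:
        lines.append(f" deny ip {n.network_address} {n.hostmask} any")
    lines.append(" permit ip any any")
    return lines


def source_denied(src, denies):
    """True if a packet with this source address would be dropped by the ACL."""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in denies)


if __name__ == "__main__":
    denies = build_antispoof_denies(ROUTER_INTERFACES, INTERNAL_PUBLIC_SPACE)
    print("\n".join(render_ios_acl("ANTISPOOF-IN", denies)))
    for probe in ("192.168.1.5", "198.51.100.77", "203.0.113.1", "203.0.113.2"):
        print(probe, "denied" if source_denied(probe, denies) else "permitted")
```

The ACL is meant to be applied inbound on the external-facing interface only; applied elsewhere it would block the internal network's own traffic, since its public block is on the deny list.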

  34. Warning Banner • Is the company’s warning banner displayed to anyone logging into the router? • Note: Use the banner login command to configure the warning banner.

  35. SNMP Security • SNMP community strings should adhere to your company’s password complexity guidelines.

  36. SNMP Security • The read only community string should be different from the read/write community string. • Note: If possible, periodic polling should be done with the read only community string.

  37. SNMP Security • The read/write community string should be reserved for write operations ONLY, while the read only community strings should be reserved for read access.

  38. SNMP Security • Access lists should be employed to restrict SNMP to the IP addresses of management stations only.

  39. Logging Requirements • System logging should be enabled and the information saved to both a local buffer and a syslog server.

  40. Logging Requirements • If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ Server.

  41. Logging Requirements • If the router is using a real-time clock or is running NTP, all log entries should be time-stamped.

  42. Logging Requirements • To show time-stamps, use the command: service timestamps log datetime localtime show-timezone

  43. Logging Requirements • All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.

  44. Logging Requirements • System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.
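As an added worked example (not part of the presentation), the following Python turns the checklist from slides 9 through 44 into an offline audit of saved `show running-config` text: unnecessary services, password encryption and enable secret, vty transport/access-class/exec-timeout, reverse telnet on the aux line, IP source routing and directed broadcasts, the login banner, SNMP community strings, and logging with timestamps. Because a running-config does not print default settings, features that are on by default (CDP, source routing) are checked for their "no ..." form, while default-off services are flagged if their enabling line appears. The two sample configs are constructed, the 8-character minimum for community strings stands in for a company policy, and the CDP check uses the IOS global command `no cdp run`.

```python
import re

# Constructed sample configs (not from the presentation): WEAK_CONFIG leaves
# hardening gaps in on purpose, HARDENED_CONFIG applies the checklist.
WEAK_CONFIG = """\
service tcp-small-servers
no service password-encryption
ip http server
interface FastEthernet0/0
 ip directed-broadcast
snmp-server community public RO
snmp-server community private RW 10
line vty 0 4
 transport input all
 exec-timeout 0 0
"""

HARDENED_CONFIG = """\
service password-encryption
service timestamps log datetime localtime show-timezone
enable secret 5 $1$xxxx$placeholder-hash-value
no ip source-route
no cdp run
banner login ^C Authorized use only ^C
snmp-server community r0-Str1ng-OnLy RO 20
snmp-server community wR1te-Str1ng-X RW 21
logging buffered 16384
logging 192.0.2.10
line aux 0
 transport input none
line vty 0 4
 transport input ssh
 access-class 30 in
 exec-timeout 10 0
"""

# (finding, regex tried on every global line, True = a match is required, False = a match is a finding)
GLOBAL_CHECKS = [
    ("TCP/UDP small servers enabled", r"^service (tcp|udp)-small-servers$", False),
    ("CDP not disabled globally", r"^no cdp run$", True),
    ("HTTP server enabled", r"^ip http server", False),
    ("finger enabled", r"^(service|ip) finger", False),
    ("rsh/rcp enabled", r"^ip rcmd (rsh|rcp)-enable", False),
    ("password encryption off", r"^service password-encryption$", True),
    ("no enable secret", r"^enable secret ", True),
    ("IP source routing not disabled", r"^no ip source-route$", True),
    ("no login banner", r"^banner login ", True),
    ("no local log buffer", r"^logging buffered", True),
    ("no syslog server", r"^logging (host )?\d+\.\d+\.\d+\.\d+", True),
    ("log timestamps off", r"^service timestamps log datetime", True),
]

def parse_config(text):
    """Split IOS-style config into global lines plus the indented body of each section."""
    glob, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            glob.append(current)
            blocks[current] = []
    return glob, blocks

def audit(text):
    """Return hardening findings for one running-config; [] means clean."""
    glob, blocks = parse_config(text)
    out = [msg for msg, pat, need in GLOBAL_CHECKS
           if any(re.match(pat, g) for g in glob) != need]
    # SNMP: RO and RW strings must differ, look non-trivial (assumed 8+ chars) and carry an ACL.
    comm = {m[2]: (m[1], m[3]) for g in glob
            if (m := re.match(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", g))}
    for mode, (string, acl) in comm.items():
        if acl is None:
            out.append(f"SNMP {mode} community not restricted by access list")
        if len(string) < 8 or string.lower() in ("public", "private"):
            out.append(f"weak SNMP {mode} community string")
    if len(comm) == 2 and comm["RO"][0] == comm["RW"][0]:
        out.append("SNMP RO and RW community strings are identical")
    # Section checks: interfaces, the aux line, and every vty line group.
    vty_acl = False
    for hdr, body in blocks.items():
        if hdr.startswith("interface ") and "ip directed-broadcast" in body:
            out.append(f"directed broadcast enabled on {hdr}")
        if hdr.startswith("line aux") and "transport input none" not in body:
            out.append("reverse telnet not disabled on aux line")
        if hdr.startswith("line vty"):
            if "transport input all" in body or not any(b.startswith("transport input") for b in body):
                out.append(f"{hdr}: transport input not restricted")
            vty_acl |= any(b.startswith("access-class") for b in body)
            if not any(b.startswith("exec-timeout") and b != "exec-timeout 0 0" for b in body):
                out.append(f"{hdr}: exec-timeout missing or disabled")
    if any(h.startswith("line vty") for h in blocks) and not vty_acl:
        out.append("no vty line restricted with access-class")
    return out
```

Running `audit(WEAK_CONFIG)` lists seventeen findings and `audit(HARDENED_CONFIG)` returns an empty list. The checks are deliberately string-based so the script can run against archived configs from a backup server without touching the routers; the access-class check follows slide 26 literally and is satisfied as soon as any one vty group carries an access-class.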

  45. General Requirements • Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.

  46. General Requirements • Physical access to the router and its components must be strictly controlled.

  47. General Requirements • Back-up and contingency processes for each router need to be documented and in place.

  48. General Requirements • There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.

  49. Router Threat Management • Threat Warning – Inform technology SMEs of a newly identified threat. • Threat Plan – Provide specific remediation information to SMEs. • Alert – Send urgent threat information and remediation plans to all System Administrators.

  50. Router Threat Management • Critical T-0: Immediate risk. Patching must begin immediately. • Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days. • Important T-30: Patches expected to be tested and installed within 30 days. • Informational: General awareness threat issue.
