NETWORK SECURITY

  • 03/28/2016
    7:00 AM
  • Rating: 
    1 vote
    +
    Vote up!
    -
    Vote down!

Securing A Cisco Router: The Basics

Don't leave your Cisco device exposed on the Internet. Take these steps for basic security.

While installing a new Cisco router for a client recently, I was a bit surprised that there was no firewall. I asked if the router was configured with some of the basic security settings to keep curious eyes from prying. The client’s IT administrators said they hadn’t thought of it and weren’t too concerned. When they showed me the router configuration, all sorts of red flags went up. I tried to figure out how to make them understand how vulnerable the lack of Cisco security precautions made the organization and how to fix the problem.

I suggested that since this router won’t be live for a few more days, let’s conduct an experiment. I would use a couple of basic Cisco IOS configuration commands to somewhat secure the routers and we would review the logs in the morning. Specifically, I used the Cisco Login Block feature, which essentially blocks your IP address if there are a specified number of incorrect login attempts. I then used a free syslogger and configured the router to log all events to our computer so we could better sort and filter out any events that were reported over the evening.

As you can see below, there were a lot of curious eyes poking around the router. (The 10.44.10.94 at the top was us testing.)

 

After the IT admins saw the log, they were convinced and agreed that the router should have some basic protection.

I understand this site is one of many small remote offices the client supports and the time and money required to put a firewall at every location would not be feasible. Even if they had the money and equipment, that kind of protection would take an extremely long time to implement. However, router configuration changes are easy to make remotely and in an automated fashion.

So here are some of the basic steps that I think you should consider when configuring a Cisco device facing an untrusted network, assuming you may need these protocols on the interior:

  • Disable or block Telnet or SSH
  • Use Cisco Login Block
  • Disable or block SNMP

From the interior side of the device:

  • Centralize log collection and monitoring
  • Make sure your secret and username passwords are encrypted in your configuration
  • Disable unused services
  • Limit access with ACLs
  • Use encrypted protocols like HTTPS and SSH

This would be the minimum configuration for Cisco devices. Most of these tips can be applied to non-Cisco routers as well, but and you should always consult your  vendor to see if it has more specific information. Moreover, Cisco has a lot of documentation for hardening your IOS devices.

At my client’s site, after configuring the router, we remotely tried pinging, Telnetting/SSH and using HTTPS to prove that the router won’t respond to the requests. With the syslog server collecting events, the IT team has a way to monitor the router and enjoy some peace of mind that the more obvious hacking techniques will not work with the router.

Learn more about protecting your IT infrastructure in the Security Track at Interop Las Vegas this spring. Don't miss out! Register now for Interop, May 2-6, and receive $200 off.


Comments

How about keeping the Router Switched Off when not in Use?

Tony,

I liked your list of all Basic Precautions to take (to prevent Unauthorized Access) but would like to add one of the most basic ones-Switching off the router when its not in use.

Especially for remote offices and small offices ;usually they are used only for 30-40 hours/week while remaining totally shut rest of the time.

Why leave the routers on in the first place???

Think of the amount in Electricity Bills that such measures can save!

Apart from the basic issue of keeping track of Logs I think this is the issue where Offices can gain the most very easily with limited risks.

Re: How about keeping the Router Switched Off when not in Use?

funny you should mention that. I do that for certain situations but didn't think it would apply to this audience. for one company I literally installed a timer connected to the router/network equipment.

thanks for the feedback.

Re: How about keeping the Router Switched Off when not in Use?

thanks for the feedback and additional information

Seems to be a typo in your article

Hi

Just letting you know that it seems to be a typo in the article.
"Disable or block Telnet or SSH"

Shouldn't it be "Disable or block Telnet and SSH"?

Re: Seems to be a typo in your article

it could go either way, but I meant 'or'.
thanks for the feedback.

Re: Seems to be a typo in your article

I know it could go both ways but anything with telnet should be blocked against an untrusted network. SSH is ok for most uses on untrusted networks as long as you can limit the access with access-lists.

Not sure if you should DISABLE it...

First of all, in some cases you cannot enable SSH, if IOS image does not support it. But it's definitely better to have SSH rather than TELNET.

Then... If you don't use some services, for example, SNMP, you need to disable it. However it's better to limit, who can use these services.

For example, you may have SSH or TELNET (or SNMP, etc.) enabled, but limited to who will it respond. Just create a standard access list with one IP address (where your management traffic may come). For example, if this router sits between the Internet and your firewall, and you are behind this firewall, then when you connect to this router for management purpose, you will be sourced with the firewall IP address (or addresses). Just allow that as a source for SSH or SNMP, and all other requests will be blocked.

Also, you may block or completely disable ICMP traffic (or allow only certain ICMP type, plus limit it with an access list).

Also, check other things that are not critical... Do "service ?" in the configuration mode, and if you don't recognize certain protocols or features, disable it (or do "show run all", which in most cases will show you FULL config with all "default" configuration features, which may not be shown in a regular "show run"

Good luck,

Mike / CCNP, CCDP, CCVP, CCSP, Security+, MCSE, etc.
www.headsetadapter.com

Re: Not sure if you should DISABLE it...

thanks for the great feedback Mike

Re: Not sure if you should DISABLE it...

thanks for the great feedback Mike

Securing A Cisco Router: The Basics

In this article i will come up with eight steps, smooth to comply with.
1- manage get entry to on your router;
2- restrict telnet access to it;
three- Block Spoof/Malicious packets;
4- restrict SNMP;
five- Encrypt all passwords;
6- Disable all unused services;
7- add a few protection alternatives;
eight- Log the whole thing;

Re: Securing A Cisco Router: The Basics

thanks for sharing

Securing A Cisco Router: The Basics

setting the security in your Linksys router helps keep your wireless community safe from unauthorized access. these protection options are built along with your Linksys router to provide and maintain your network's security, and provide you with selections relying on what degree of safety you want to use.

There are 3 (3) foremost options in setting up security features for your network:

enabling WEP or WPA/WPA2 wireless safety key or password at the router
allowing wireless MAC filter
Disabling the SSID Broadcast of the router