
Essential Layer 3 Router Hardening Guide

Gary Freeman Yuri Kopylovski 2005

Table Of Contents

1. Introduction
   1.1. Document Purpose
   1.2. Limitations
   1.3. Exclusions
   1.4. Intended Audience
   1.5. Threats Mitigated
   1.6. Definitions
2. Router Access Security
   2.1. Login Banner
   2.2. Console Port Access
   2.3. Network Interfaces
   2.4. Auxiliary Port Access
   2.5. In-Band Router Management Access
   2.6. User Authentication and Authorization
3. Router Network Services Security
   3.1. TCP Services Configuration
   3.2. UDP Services Configuration
   3.3. IP Services Configuration
4. Access Control Lists, Filtering and Rate Limiting
   4.1. General Access Control Lists (ACLs)
   4.2. Filtering Network Traffic
   4.3. Rate Limiting Traffic
5. Routing Protocols
   5.1. General Routing Security
   5.2. OSPF Security
   5.3. EIGRP Security
6. Audit and Management
   6.1. Router Logging
   6.2. Time Synchronization
   6.3. Network Monitoring
   6.4. Router Software Maintenance
   6.5. Router Configuration Management
7. Appendix A - Cisco Router Hardening Template
8. Appendix B - Router Hardening Checklist
9. References and Contributions

Introduction
Document Purpose
The purpose of this document is to get dirty and detail the minimum functional security requirements of internal, enterprise Layer 3 routers (not Internet routers!). This document's intention is to provide hardening guidelines for routers that exist within a trusted (tee-hee) network environment. The document provides generic guidelines for best practices and can be used or modified to best fit your corporate standards (just give us some credit in your references, ok?).

Limitations
This document addresses Layer 3 router hardening with the following limitations:

a. Provides best-practices when hardening routers situated on internal, trusted networks (I use "trusted" lightly).
b. Only provides hardening for two routing protocols, EIGRP and OSPF, as this is all I have experienced in the past. If you guys are using BGP or RIPv2 in a large corporate environment, well, this guide won't help you learn the fundamentals of network design either (LOL).
c. Provides generic hardening guidelines that can be used for most common enterprise routers such as Cisco, Nortel and Foundry (suppose it could be applied to a computer running a router daemon too).
d. Only provides hardening scripts for Cisco IOS routers (sorry folks, I have my own limitations).
e. I know many of you who know Cisco IOS will look through the generic best-practices sections and say "what about CDP?" or "Why doesn't he address hardening HSRP or enabling NetFlow?". Well, it has already been stated: this guide tries to address generic security for any router make or model. The template I've provided in the appendix is just a bonus, as I'm trying to illustrate how these generic best-practices can be applied to a Cisco router. There are a lot of other Cisco-specific features that can be used to perform some of the hardening discussed in this document.

Exclusions
This document is not intended to provide security for Internet-facing routers! Hardening guides for routers operating between un-trusted (Internet) and trusted (corporate) perimeters have already been discussed in detail in such guides as the NSA Router Security Configuration Guide and the Secure IOS Template created by Rob Thomas.

Intended Audience
This guide was written for security analysts and network administrators whose day-to-day jobs include the installation, configuration and maintenance of enterprise network routers. This document will supplement their skill sets and provide guidance for operational hardening of existing network router configurations (I hope).

Threats Mitigated
The routers within enterprise networks provide critical point-to-point connectivity with key business sites and route inter-VLAN traffic across the corporate backbone. This hardening guide refers to router interfaces that reside safely within a trusted or semi-trusted corporate network. Therefore, these best-practices address the following:

a. Trust-based attacks from within the network
b. Integrity of routing protocols
c. DoS or DDoS traffic management and exposure
d. Secure management of devices

NOTE: I use the term "trusted network" in this document as a metaphor to express a security control point and not the literal state of the corporation's security threat model. The trusted network usually refers to that which is governed and enforced by a corporate security policy and administered by trustworthy individuals (I hope).

Definitions
AAA - Authentication, Authorization and Accounting
ACL - Access Control List
ARP - Address Resolution Protocol
Bogon Addresses - The areas of reserved or unallocated Internet Assigned Numbers Authority (IANA) IP address space. The word "Bogon" originates as hacker jargon for addresses that are considered the quantum of "bogosity".
CAR - Committed Access Rate, used by Cisco as a QoS mechanism
DDoS - Distributed Denial of Service
DoS - Denial of Service
EIGRP - Routing Protocol - Enhanced Interior Gateway Routing Protocol
ICMP - Internet Control Message Protocol
IEEE - Institute of Electrical and Electronics Engineers
LAN - Local Area Network
MAC - Media Access Control
NTP - Network Time Protocol
OSPF - Routing Protocol - Open Shortest Path First
QoS - Quality of Service
SNMP - Simple Network Management Protocol
SSH - Secure Shell
TACACS+ - Terminal Access Controller Access Control System
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
VPN - Virtual Private Network
WAN - Wide Area Network
Layer 3 - Referring to Layer 3 of the OSI model (Network), which handles routing, forwarding, addressing, error handling, congestion control and sequencing
Routing Protocol - Software that is used to move data across two or more networks after determining the best path
Routed Protocol - Data that can effectively be transmitted across routers on a data network (IP, SNMP, RPC, etc.)
HSRP - Hot Standby Router Protocol, a Cisco proprietary HA solution which minimizes single points of failure with static default gateways (routers only)
VRRP - Virtual Router Redundancy Protocol (RFC 3768), a generic HA solution which minimizes single points of failure with static default gateways and serves more than just routers
In-Band - Usually refers to administration using a Telnet or SSH console over the LAN the device is connected to, as opposed to out-of-band via console access.
Sinkhole Routing - Allows administrators to forward all malicious traffic to a single host for examination.
Black-hole Routing - Allows administrators to forward all malicious traffic to a NULL IP address or drop the traffic.

Router Access Security


Login Banner
A device banner communicates that the network router is a restricted device. All network routers should have a login banner configured, viewable to anyone connecting in-band. The login banner should provide the following functionality:

a. Inform users that access to the device is restricted to authorized personnel, and
b. Deter potential intruders by providing legal notice of prosecution resulting from unauthorized access, and
c. Must not reveal the company name or the type of device hosting the banner message.

NOTE: A banner for network routers should be approved by your corporate Legal Department so you don't say anything that the legal beagles take offense to or that jeopardizes the corporate brand.

Example: WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored and recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. Any unauthorized access or use of this Automated Information System is prohibited and could be subject to criminal and civil penalties.

Console Port Access


All network routers should have the following console port restrictions:

a. Router console ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1942). This ensures that all users' passwords are kept on a central UNIX AAA server in an encrypted format that is non-reversible and that all access to the router is audited by AAA.
b. Router console ports should be configured with a fall-back method to authenticate connections using a local password in the event that the AAA authentication scheme is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco!).
c. Router console ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established console connection to a router that could invite bad guys.
d. Router console ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH (since out-of-band won't be used anyway).
e. Router console ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialing could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.

Network Interfaces
All router network interfaces should be shut down and should not be configured with an IP address if not operationally in use. This mitigates the threat of internal users connecting anything to the network and causing an unintentional denial of service with such things as secondary VRRP or HSRP flapping, layer 2 spanning-tree loops, etc.

Auxiliary Port Access


Auxiliary ports should not be used in the enterprise network and should be disabled. All network routers should have these auxiliary port restrictions:

a. Router auxiliary ports should be configured to log out connected sessions immediately, as the port is not to be used. If some transport such as Telnet was enabled on the AUX port accidentally, this extra measure would log out any attempt to connect to the port immediately.
b. Router auxiliary ports should not be configured to permit any inbound transport protocols such as telnet, reverse-telnet, rlogin or SSH.
c. Router auxiliary ports should be configured to restrict users from executing any router privileged commands. Again, if the two previous conditions were to be overridden for any reason, this is yet another safeguard to ensure a user session could not do anything malicious.
d. Router auxiliary ports should be configured to disable modem support or other out-of-band equipment unless permitted explicitly in a corporate security policy. War-dialing could expose the equipment to outside attackers arbitrarily calling a block of phone numbers.

In-Band Router Management Access


All network routers should have these in-band management port restrictions:

a. Router management ports should be configured to authenticate connections using an AAA authentication scheme such as TACACS (RFC 1942). This ensures that all users' passwords are kept on a central UNIX AAA server in an encrypted format that is non-reversible and that all access to the router is audited by AAA.
b. Router management ports should be configured with a fall-back method to authenticate connections using a local password in the event that the AAA authentication scheme is unavailable. This should never be used as the primary means, as some vendors' local passwords are reversible and can be cracked (think Cisco!).
c. Router management ports should be configured to log out connected sessions automatically after five (5) minutes of inactivity. This mitigates the threat of an administrator leaving their workstation unlocked with an established connection to a router that could invite bad guys.
d. Router management ports should not be configured to permit any outbound transport protocols such as telnet, reverse-telnet, rlogin or SSH. This reduces the risk of router-hopping or connecting from the router to other UNIX systems.
e. Router management ports should be configured to only permit SSH v2 as the preferred inbound transport protocol.
f. Router management ports should be configured to bind the outbound SSH, Telnet and TFTP services to the primary loopback interface of the router. This is especially useful in identifying the router that the connection was made from, as the loopback address is usually what is configured in DNS as the management address of the router.
g. Router management ports should be configured to drop unauthorized connections to the SSH service using an access control list (ACL), permitting only network management servers to connect and no other network equipment or workstations. Hopping from one device to another should not be permitted.
h. All access attempts (permitted or failed) to the router in-band management ports should be logged via the access control list (ACL).
i. Router management ports should be configured to detect and drop any orphaned (broken) TCP connections to the management interface that have accidentally been left idle. This will free up the ports to be used by other management connections.

User Authentication and Authorization


All network routers should adhere to the following user authentication and authorization restrictions:

a. Routers should be configured to authenticate users using an AAA authentication scheme such as RADIUS or TACACS before any administrative access is granted.
b. Routers should be configured to allow only one local login account (line passwords or local user database) in the event that AAA is unavailable. However, this should not be the primary or only authentication scheme on any production router.
c. All local passwords or user database passwords should be encrypted using an MD5 hashing algorithm.
d. All local passwords should be a minimum of eight characters long, with a combination of six (6) alphabetic characters and a minimum of two (2) numbers.
e. All local passwords should be changed every four months or when any employee or contractor with knowledge of the passwords leaves the organization.
f. Network Management should assign user accounts the lowest privilege level that allows router administrators to perform their duties (i.e. analyst vs. operator).
g. Routers should require user authentication to connect to the router but require further authentication to execute any privileged commands or view the configuration.
h. Any password used locally on any router should not be the same as any SNMP community string or any other shared secret. This means, if you use b0bbyj03 for the local password, don't use b0bbyj03 for the SNMP write string and b0bbyj03 for the TACACS shared secret (obvious, I know, but I have to say it).

Router Network Services Security

TCP Services Configuration


All network routers should have all TCP services disabled unless required for production purposes. All network routers should adhere to the following standards regarding TCP services:

a. HTTP (TCP 80) services should be disabled on any network router, as it is an operational risk. If it is to be used for configuration, use an ACL to limit who can access the service and disable the service once the router is in full production.
b. Finger (TCP 79) services should be disabled on any network router. It can be used to gather detailed information about the users that are logged into the system.
c. *Bootps (TCP 67) services should be disabled on any network router.
d. *Echo (TCP 7) services should be disabled on any network router.
e. *Chargen (TCP 19) services should be disabled on any network router.
f. *Discard (TCP 9) services should be disabled on any network router.
g. *Daytime (TCP 13) services should be disabled on any network router.

* Any service lower than TCP port 20 is referred to as TCP small services and should be disabled, as they could be used effectively to carry out denial of service attacks.

UDP Services Configuration


All network routers should adhere to the following standards regarding UDP services:

a. *Echo (UDP 7) services should be disabled on any network router.
b. *Chargen (UDP 19) services should be disabled on any network router.
c. *Discard (UDP 9) services should be disabled on any network router.

* Any service lower than UDP port 20 is referred to as UDP small services and should be disabled, as they could be used effectively to carry out denial of service attacks.

IP Services Configuration
All network routers should adhere to the following standards regarding IP services:

a. IP Source Routing should be disabled on any interface on any network router. This is an option in the IP header whereby an attacker could define his or her own source route and the router will forward the packet to the given destination. This is used by IP spoofing attacks.
b. Proxy ARP should be disabled on any interface on any network router. Relying on the router to provide MAC addresses and subsequent routing to hosts without routing capabilities will result in a large MAC address table on the router, which could hinder performance.
c. IP Directed Broadcast should be disabled on any interface on any network router to mitigate the threat of SMURF attacks.
d. IP Unreachable Notifications should be rate limited on any network router to only one unreachable notification per host every 500 ms.
e. ICMP Mask Replies to host IP Mask Requests should be disabled on any interface on any network router to mitigate reconnaissance sweeps of the network.
f. ICMP Redirect messages should be disabled on any interface on any network router to mitigate system access attempts into corporate demarcations protected by ACLs.

Access Control Lists, Filtering and Rate Limiting


General Access Control Lists (ACLs)
All network routers should adhere to the following minimum standards regarding Access Control Lists:

a. All access control lists permitting connections to the router for management purposes should end with an explicit deny statement.
b. All access control lists permitting connections to the router for management purposes should be configured to log any connection attempt, whether permitted or rejected by the ACL.
c. All remote in-band management connections to the router should be restricted by a standard access control list which only permits network management hosts to connect.
d. All SNMP private and public queries against the router should be restricted by a standard access control list which only permits network management hosts to connect.

Filtering Network Traffic


This document does not address the need to provide DoS or DDoS attack protection for enterprise routers, as in most cases firewalls are protecting the perimeter as the first level of defense from the Internet. However, infected PCs and malicious corporate users could cause havoc outbound to the Internet or across WAN interfaces if controls aren't in place to mitigate some of the obvious internal attacks.

a. Access control lists should be used to route any malicious corporate traffic, such as connections to RFC 1918 addresses that don't exist or to any of the IANA bogon addresses, to a black-hole or sinkhole.
b. Necessary ingress access controls should be applied to each network interface, only allowing the local network to access beyond the router interface, to mitigate spoofed addresses from entering the corporate LAN/WAN.

Rate Limiting Traffic


All network routers should adhere to the following minimum standards regarding rate limiting network traffic:

a. Network bandwidth used by management traffic to manage, monitor or report on the network should have priority over any other traffic on the network.
b. IP Unreachable Notifications should be rate limited on any network router to only one unreachable notification per host every 500 ms.

Routing Protocols
General Routing Security
All network routers should adhere to the following minimum standards regarding general routing protocol security:

a. The enterprise routing infrastructure should not extend beyond any of the enterprise perimeters. All autonomous interior gateway routing zones should remain internal to the enterprise network.
b. The enterprise routing infrastructure should not be redistributed with any un-trusted networks such as third-parties, vendors or partners.
c. Routers on the network perimeter should use static routes with redistribution into the enterprise network on trusted interfaces only.
d. All IGP routing protocols chosen for the enterprise network routers should support a keyed MD5 algorithm for cryptographic authentication. The routing protocol should use a shared secret and the routing update information to create the hash.

OSPF Security
All network routers should adhere to the following minimum standards regarding OSPF routing traffic:

a. The OSPF routing infrastructure should operate in directed mode with explicitly defined peers and should not operate in broadcast mode. This way all OSPF routers will need to be explicitly configured to talk to OSPF neighbors. Directed mode aids in avoiding misconfiguration.
b. The OSPF routing infrastructure should be configured to authenticate routing updates between peers using an MD5 password key to mitigate routing updates from un-trusted routers.
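An added worked example (not from the original guide) of the keyed MD5 scheme that items 5.1 d and 5.2 b call for, following RFC 2328 Appendix D: the sender appends MD5 over the routing packet plus the shared secret, and the receiver recomputes it with its own copy of the key, so an update from a router without the secret, or one altered in transit, is rejected. Packet bodies, router IDs, key IDs and keys are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import struct

# Constructed demonstration of OSPF cryptographic authentication (RFC 2328, Appendix D).
# MD5(packet || key zero-padded to 16 bytes) is appended after the packet; the OSPF
# checksum field is zero when this authentication type is in use.
AUTH_TYPE_CRYPTO = 2
KEY_LEN = 16
# version, type, length, router id, area id, checksum, autype,
# 2 reserved bytes, key id, auth data length, cryptographic sequence number
HEADER_FMT = "!BBHIIHHHBBI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes

def pad_key(key: bytes) -> bytes:
    """Keys shorter than 16 bytes are zero-padded (RFC 2328 D.4.3)."""
    if len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(KEY_LEN, b"\x00")

def build_packet(router_id: int, area_id: int, key_id: int, seq: int,
                 body: bytes, pkt_type: int = 1) -> bytes:
    """OSPF packet (type 1 = Hello) with the authentication header fields filled in."""
    length = HEADER_LEN + len(body)   # the trailing digest is not counted in length
    header = struct.pack(HEADER_FMT, 2, pkt_type, length, router_id, area_id,
                         0, AUTH_TYPE_CRYPTO, 0, key_id, KEY_LEN, seq)
    return header + body

def sign(packet: bytes, key: bytes) -> bytes:
    """Sender side: append MD5(packet || padded key)."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()

def verify(wire: bytes, keys: dict, last_seq: dict) -> bool:
    """Receiver side. `keys` maps key id -> shared secret; `last_seq` maps router id ->
    highest sequence number accepted so far (replay protection, RFC 2328 D.4.4)."""
    if len(wire) < HEADER_LEN:
        return False
    f = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    length, router_id, autype, key_id, auth_len, seq = f[2], f[3], f[6], f[8], f[9], f[10]
    if autype != AUTH_TYPE_CRYPTO or auth_len != KEY_LEN or key_id not in keys:
        return False
    if len(wire) < length + KEY_LEN:
        return False
    packet, digest = wire[:length], wire[length:length + KEY_LEN]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False
    if seq < last_seq.get(router_id, 0):   # older than what was already accepted: replay
        return False
    last_seq[router_id] = seq
    return True

def demo() -> dict:
    """Genuine, tampered, wrong-key and replayed updates as seen by one receiver."""
    key = b"s3cr3t-k3y"                    # constructed shared secret, key id 5
    keys, seen = {5: key}, {}
    rid = 0x0A000001                       # router id 10.0.0.1 (constructed)
    genuine = sign(build_packet(rid, 0, 5, 100, b"hello-from-10.0.0.1"), key)
    tampered = bytearray(genuine)
    tampered[HEADER_LEN] ^= 0xFF           # flip a body byte but keep the old digest
    wrong_key = sign(build_packet(rid, 0, 5, 101, b"hello-from-10.0.0.1"), b"guess")
    replayed = sign(build_packet(rid, 0, 5, 99, b"hello-from-10.0.0.1"), key)
    return {
        "genuine": verify(genuine, keys, seen),
        "tampered": verify(bytes(tampered), keys, seen),
        "wrong_key": verify(wrong_key, keys, seen),
        "replayed": verify(replayed, keys, seen),
    }

if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'wrong_key': False, 'replayed': False}
```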

EIGRP Security
All network routers should adhere to the following minimum standards regarding EIGRP routing traffic:

a. Access control lists should be used in conjunction with EIGRP routing to only permit routing advertisements from trusted unicast host IP addresses on appropriate interfaces.
b. The EIGRP routing infrastructure should be configured to authenticate routing updates between peers using an MD5 password key.

Audit and Management


Router Logging
All network routers should adhere to the following minimum standards regarding logging information:

a. Local system logging should be configured on every network router with a minimum historical buffer of one (1) business day. In the event that the router stops communicating with the central Syslog, a local buffer of a day will assist in troubleshooting.
b. Time-stamped system log messages should be configured on every network router with the correct date and time.
c. Syslog logging should be configured on every network router, sending live logging events to a minimum of two network management servers for diversity.
d. Syslog logging should be configured to bind each router's Syslog client to the local loopback address of the router.
e. SNMP trap logging should be configured on every network router, sending trap events to a minimum of two network management servers for diversity.
f. SNMP logging should be configured to bind each router's SNMP client to the local loopback address of the router.
g. Router core dump files should be sent to a management server when the router crashes (if possible).

Time Synchronization
All network routers should adhere to the following minimum standards regarding time synchronization:

a. NTP time synchronization should be configured on every network router, using primary and secondary trusted NTP servers.
b. NTP time synchronization should be configured to originate from the router's loopback interface on every network router.
c. NTP time synchronization should be configured for client-mode synchronization on every network router, initiating an NTP call to stratum 1 or 2 servers on the network.

Network Monitoring
All network routers should adhere to the following minimum standards regarding network monitoring:

a. SNMP v2 or greater should be used on all network routers for management purposes.
b. SNMP Public and Private Community password strings should be a minimum of eight characters long, with a combination of six (6) alphabetic characters and a minimum of two (2) numbers.
c. SNMP Public and Private Community password strings should be changed on a quarterly basis on all routers or when a network administrator leaves the organization.
d. The SNMP Public Community string configured on all network routers should be uniquely different from the SNMP Private Community string and vice-versa.
e. All SNMP private and public queries against the router should be restricted by a standard access control list which only permits network management hosts to connect.

Router Software Maintenance


All network routers should adhere to the following minimum standards regarding router software maintenance:

a. Router software should be updated periodically to ensure system stability and mitigate known bugs that may compromise enterprise network availability.
b. Router software should be updated when any security advisory describes vulnerabilities which affect the current version of router software.
c. When router software security advisories are released to the public, network administrators should provide the Security team with a list of the vulnerable routers that are affected within 24 hours of the advisory, with dates and times that the vulnerable routers will be remediated.
d. The Security team should be informed of any workarounds that will be deployed in place of the software upgrades suggested by software advisories. This notification to Security should be complete with the expected expiry of the workaround and the timeline for deployment of the replacement router software.
e. Router software should be updated from a central network management repository, having been tested on a lab router prior to deployment.
f. Network administrators should have written procedures for successfully upgrading and verifying router software.

Router Configuration Management


All network routers should adhere to the following minimum standards regarding router configuration management:

a. Router configuration changes should be endorsed through appropriate change management procedures and approvals. No changes are to be made on any production enterprise router without a change control ticket.
b. Router configuration changes should be written into a text file and approved by an operations manager before being input on a live production system. A second set of eyes can always find something that one analyst may have missed.
c. All router configurations should be backed up on a daily basis to a central repository server. This ensures that if a router is compromised or melts under an attack, you can easily restore the configuration on a replacement.
d. Network administrators should have written procedures and templates for successfully configuring enterprise network routers, with a little justification for each feature that is enabled under particular configurations and even documented exceptions for the routers that don't follow the standard template.

Appendix A - Cisco Router Hardening Template


Item # Recommended Configuration

Section 2 - Router Access Security 2.1


! LOGIN BANNER config t banner motd = Enter TEXT message. End with the character '='. WARNING: To protect the system from unauthorized use and to ensure that the system is functioning properly, activities on this system are monitored, recorded and subject to audit. Use of this system is expressed consent to such monitoring and recording. Any unauthorized access or use of this Automated Information System is prohibited and could be subject to criminal and civil penalties. = ! CONFIGURATION FOR CONSOLE PORT ACCESS CONTROL config t line con 0 ! LINE PASSWORD AUTHENTICATION password <password - 8+ chars, 2 numbers> ! AAA SERVER AUTHENTICATION login authentication <group-password> ! DISABLE INBOUND/OUTBOUND TRANSPORT PROTOCOLS transport preferred none ! LOGOUT CONNECTION AFTER 5 MINS. OF INACTIVITY exec-timeout 5 0 ! CONFIGURATION FOR DISABLING NETWORK INTERFACES config t interface <interface id> no ip address shutdown exit ! CONFIGURATION FOR DISABLING AUX PORT ACCESS config t line aux 0 ! DISABLE INBOUND/OUTBOUND TRANSPORT PROTOCOLS transport input none ! LOGIN ATTEMPTS WILL FAIL AS THERE IS NO USER DATABASE login local ! LOGOUT CONNECTION ATTEMPTS IMMEDIATELY exec-timeout 0 0 ! RESTRICT USERS FROM EXECUTING ANY COMMANDS no exec ! CONFIGURATION FOR IN-BAND MANAGEMENT PORT ACCESS config t ! BIND OUTBOUND TELNET AND SSH SERVICES TO LOOPBACK INTERFACE ip telnet source-interface loopback0 ip tftp source-interface loopback0 ! MONITOR BROKEN TCP CONNECTIONS AND DROP ORPHANS service tcp-keepalives-in ! ACCESS LIST 5 WITH EXPLICIT DENY STATEMENT access-list 5 permit <MGMT SERVER 1> log access-list 5 permit <MGMT SERVER 2> log access-list 5 deny any log line vty 0 15 ! APPLY ACCESS LIST 5 TO THE INTERFACE

2.2

2.3

2.4

2.5

2.6

access-class 5 in ! LINE PASSWORD AUTHENTICATION password <password - 8+ chars, 2 numbers> ! AAA SERVER AUTHENTICATION login authentication <group-password> ! RESTRICT INBOUND/OUTBOUND COMMUNICATIONS TO SSH crypto key generate rsa The name for the keys will be: Router.dod.mil Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 2048 Generating RSA Keys ... [OK] ip ssh time-out 90 ip ssh authentication-retries 2 line vty 0 4 transport input ssh transport output telnet ssh ! LOGOUT CONNECTION AFTER 5 MINS. OF INACTIVITY exec-timeout 5 0 ! CONFIGURATION FOR USER AUTHENTICATION AND AUTHROIZATION config t ! SET LOCAL PASSWORD FOR EXECUTING COMMANDS enable secret <password - 8+ chars, 2 numbers> ! ENCRYPT LOCAL LINE PASSWORDS USING MD5 HASH service password-encryption ! REQUIRED COMMANDS TO ENABLE AAA aaa new-model aaa authentication login default group tacacs+ enable aaa authentication login <group-password> group tacacs+ enable aaa authentication enable default group tacacs+ enable aaa accounting exec default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ tacacs-server host <TACACS SERVER 1> tacacs-server host <TACACS SERVER 2> tacacs-server key <tacacs password> ! ENCRYPT LOCAL LINE PASSWORDS USING MD5 HASH service password-encryption

Section 3 - Router Network Services Security 3.1


! CONFIGURATION FOR TCP SERVICES config t ! DISABLE TCP ECHO, CHARGEN, DISCARD, DAYTIME no service tcp-small-servers ! DISABLE TCP HTTP SERVER no ip http server ! DISABLE TCP FINGER SERVER no ip finger no service finger ! DISABLE TCP BOOTP SERVER no ip bootp server ! CONFIGURATION FOR UDP SERVICES config t ! DISABLE UDP ECHO, CHARGEN, DISCARD, DAYTIME no service udp-small-servers ! CONFIGURATION FOR IP SERVICES config t ! DISABLE IP SOURCE ROUTING no ip source-route ! DISABLE INTERFACE IP OPTIONS interface <interface name> no ip proxy-arp no ip directed-broadcast no ip mask-reply no ip redirect exit ! RATE LIMIT ICMP UNREACHABLE MESSAGES TO ONE EVERY 500 SECONDS ip icmp rate-limit unreachable 500 ! DISABLE CISCO DISCOVERY PROTOCOL ON UNTRUSTED INTERFACES ! MOST CISCO SHOPS PREFER TO HAVE IT RUNNING INSIDE FOR CISCOWORKS Interface Serial 0/1

3.2

3.3

description <<Vendor or 3rd Party Link>> no cdp enable

Section 4 - Access Control Lists, Filtering and Rate Limiting

4.1
! CONFIGURATION FOR ACL - SEE 2.5 FOR DETAILS
! CONFIGURE SNMP TO USE ACL 5
snmp-server community <PASSWORD> RO 5
snmp-server community <PASSWORD> RW 5

4.2
! FILTERING NETWORK ATTACKS (Black-hole)
interface Null0
no ip proxy-arp
no ip directed-broadcast
no ip mask-reply
no ip redirects
no shut
exit
! MORE-SPECIFIC ROUTES TO THE SUBNETS ACTUALLY IN USE TAKE PRECEDENCE,
! SO ONLY UNUSED RFC1918 SPACE IS DISCARDED
ip route 10.0.0.0 255.0.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route <bogon blocks and masks go here> Null0
! FOR SINKHOLE ROUTING DEFINE ADDRESS OF
! HONEYPOT OR IPS INSTEAD OF NULL0 IN ROUTE
!
! FILTER ADDRESS SPOOFING ON LOCAL INTERFACES
! PACKETS THAT FAIL THE REVERSE-PATH CHECK ARE MATCHED AGAINST ACL 190: DENIED AND LOGGED
no access-list 190
access-list 190 deny ip any any log
interface FastEthernet 0/0
description <<Connect to LAN Segment>>
ip verify unicast reverse-path 190
exit

4.3
! RATE LIMITING NETWORK MANAGEMENT TRAFFIC
config t
no access-list 130
! CREATE ACL TO DEFINE MANAGEMENT TRAFFIC
! (SNMP, SYSLOG AND TFTP ARE UDP; SSH HAS NO PORT KEYWORD, SO USE 22)
access-list 130 permit tcp any any eq telnet
access-list 130 permit tcp any any eq 22
access-list 130 permit udp any any eq snmp
access-list 130 permit udp any any eq syslog
access-list 130 permit udp any any eq tftp
access-list 130 permit tcp any any eq tacacs
no access-list 131
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
! APPLY TO LAN INTERFACES
interface eth0/0
! CONFIGURE CAR GIVING PRIORITY TO MANAGEMENT PROTOCOLS
rate-limit output access-group 130 1000000 25000 50000 conform-action transmit exceed-action continue
rate-limit output access-group 131 16000 8000 8000 conform-action continue exceed-action drop
! CONFIGURE CAR TO DROP EXCESSIVE NON-MANAGEMENT TRAFFIC
rate-limit output 9000000 112000 225000 conform-action transmit exceed-action drop
exit
! RATE LIMIT ICMP UNREACHABLE MESSAGES TO ONE EVERY 500 MILLISECONDS (THE VALUE IS IN MS)
ip icmp rate-limit unreachable 500
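The 4.2 black-hole routes and the ip verify unicast reverse-path 190 line work together: strict uRPF looks up a packet's source address in the routing table and drops the packet unless the best route back to that source leaves through the interface the packet arrived on, and a route pointing at Null0 fails that test by definition. The Python model below is an added example, not code from this guide or from Cisco; the FIB, the interface names and the packets are constructed to mirror the template, and the allow_default flag stands in for the IOS behaviour of ignoring the default route during the check unless the operator allows it.

```python
"""Strict unicast RPF over a FIB that black-holes unused RFC1918 space.

Added example (not from the original guide): the routes, interface names and
packets below are constructed to mirror the Appendix A template.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # "Null0" is the black hole


class Fib:
    """Longest-prefix-match lookup over a static route table."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = sorted(
            (Route(ipaddress.ip_network(p), i) for p, i in routes),
            key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, address: str) -> Optional[Route]:
        addr = ipaddress.ip_address(address)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None


# Constructed FIB: the template's Null0 routes plus the two subnets this router
# actually serves. More-specific routes win, so only unused RFC1918 space is black-holed.
FIB = Fib([
    ("10.0.0.0/8", "Null0"),
    ("172.16.0.0/12", "Null0"),
    ("192.168.0.0/16", "Null0"),
    ("10.1.1.0/24", "FastEthernet0/0"),   # LAN segment
    ("10.1.2.0/30", "Serial0/1"),         # vendor / 3rd-party link
    ("0.0.0.0/0", "Serial0/1"),           # default route
])


def urpf_strict(fib: Fib, src: str, ingress: str, allow_default: bool = False) -> Tuple[bool, str]:
    """Strict uRPF: the best route back to the source must leave via the ingress interface.

    allow_default models IOS: the default route is not used for the check unless
    the operator explicitly allows it.
    """
    route = fib.lookup(src)
    if route is None or (route.prefix.prefixlen == 0 and not allow_default):
        return False, "no-route"
    if route.interface == "Null0":
        return False, "black-hole"       # source lies in discarded address space
    if route.interface != ingress:
        return False, f"asymmetric:best-path-is-{route.interface}"
    return True, "pass"


def apply_acl_190(fib: Fib, src: str, ingress: str) -> str:
    """ip verify unicast reverse-path 190: packets failing the check are matched
    against ACL 190, whose only entry is 'deny ip any any log', so they are
    dropped and logged."""
    ok, reason = urpf_strict(fib, src, ingress)
    return "forward" if ok else f"drop+log ({reason})"


# Constructed packets: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("10.1.1.25", "FastEthernet0/0"),   # genuine LAN host
    ("10.1.1.25", "Serial0/1"),         # LAN address arriving from the WAN: spoofed
    ("10.200.0.1", "Serial0/1"),        # unused 10/8 space: black-holed
    ("203.0.113.7", "Serial0/1"),       # only the default route matches
]


def run_samples(fib: Fib = FIB):
    return [(src, ifc, apply_acl_190(fib, src, ifc)) for src, ifc in SAMPLE_PACKETS]


if __name__ == "__main__":
    for src, ifc, verdict in run_samples():
        print(f"{src:>12} in {ifc:<16} -> {verdict}")
```

The last sample shows why strict uRPF is only safe where routing is symmetric: a source reachable solely through the default route fails the check unless the default is explicitly allowed, which is acceptable on the LAN-facing interface the template applies it to, but not on a WAN link with asymmetric paths.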

Section 5 - Routing Protocols

5.1
! GENERAL ROUTING SECURITY
! NO CONFIGURATION FOR CISCO ROUTERS

5.2
! OSPF SECURITY
config t
! OSPF PEERS MUST BE DEFINED
router ospf <process-id>
neighbor <router 1 address>
neighbor <router 2 address>
neighbor <router 3 address>
exit
! OSPF MUST NOT OPERATE IN BROADCAST MODE
interface <interface name>
ip ospf network non-broadcast
! OSPF KEY FOR AUTHENTICATED ROUTING UPDATES (THIS IS AN INTERFACE COMMAND)
ip ospf message-digest-key 5 md5 <shared key>
exit
! APPLY AUTHENTICATION TO EACH AREA
router ospf <process-id>
area 0 authentication message-digest
area 1 authentication message-digest
area 2 authentication message-digest
exit
! THE SAME KEY ID AND KEY MUST BE CONFIGURED ON ALL PEERS

5.3
! EIGRP SECURITY
config t
! ACL 104 PERMITS UNICAST EIGRP FROM KNOWN PEERS ONLY; MULTICAST HELLOS TO 224.0.0.10 ARE
! DENIED, SO PEERS MUST BE DEFINED WITH neighbor STATEMENTS UNDER router eigrp
no access-list 104
access-list 104 permit eigrp host <remote peer router 1> host <local router>
access-list 104 permit eigrp host <remote peer router 2> host <local router>
access-list 104 deny eigrp any any log-input
access-list 104 permit ip any any
no access-list 105
access-list 105 deny eigrp any any log-input
access-list 105 permit ip any any
! APPLY TO TRUSTED ROUTING INTERFACES
interface eth 0/1
ip access-group 104 in
! CONFIGURE EIGRP AUTHENTICATION ON THE TRUSTED ROUTING INTERFACE
ip authentication mode eigrp <process #> md5
ip authentication key-chain eigrp <process #> <key name>
exit
! APPLY TO UN-TRUSTED ROUTING INTERFACES
interface serial 0/1
ip access-group 105 in
exit
! DEFINE THE KEY CHAIN; THE ACCEPT WINDOW IS WIDER THAN THE SEND WINDOW
! SO THAT PEERS WITH SLIGHT CLOCK DRIFT STAY UP DURING KEY ROLLOVER
key chain <key name>
key 1
key-string <secret-key>
send-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 1 2003
accept-lifetime 00:00:00 Oct 1 2002 00:00:00 Jan 7 2003
! KEY CHAIN NAMES ARE LOCAL AND MAY DIFFER PER ROUTER; KEY ID AND KEY-STRING MUST MATCH ON PEERS
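What area N authentication message-digest together with ip ospf message-digest-key 5 md5 actually buys is shown by the following Python model of OSPF cryptographic authentication (RFC 2328, Appendix D): the sender appends the MD5 of the packet plus the NUL-padded key, the receiver recomputes it with the key selected by the key id carried in the header, and a per-neighbour cryptographic sequence number rejects replayed packets. This is an added example, not code from the guide or from Cisco; the router id, area, key string and 20-byte Hello body are constructed and nothing is sent on the wire.

```python
"""OSPF cryptographic authentication (RFC 2328, Appendix D) over a constructed Hello.

Added example, not part of the original guide. Router/area IDs, key id 5, the key
string and the Hello body are constructed; nothing is sent on the wire.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTH_TYPE_CRYPTOGRAPHIC = 2     # what 'area N authentication message-digest' selects
DIGEST_LEN = 16                 # MD5
HEADER_LEN = 24


def pad_key(key: bytes) -> bytes:
    """The digest key is 16 bytes; a shorter 'message-digest-key ... md5' string is NUL-padded."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key must be 16 bytes or fewer")
    return key.ljust(DIGEST_LEN, b"\x00")


def dotted(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_packet(body: bytes, router_id: str, area_id: str, key_id: int, seq: int, key: bytes) -> bytes:
    """Header + body, followed by the 16-byte digest appended after the packet proper."""
    # Checksum is 0: it is not computed when cryptographic authentication is in use.
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, HEADER_LEN + len(body),
                         dotted(router_id), dotted(area_id), 0, AUTH_TYPE_CRYPTOGRAPHIC)
    # 64-bit authentication field: zero, key id, auth data length, cryptographic sequence number.
    header += struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    digest = hashlib.md5(packet + pad_key(key)).digest()
    return packet + digest


def verify_packet(wire: bytes, keys: Dict[int, bytes], last_seq: Optional[int]) -> Tuple[bool, str, Optional[int]]:
    """Receiver side. Returns (accepted, reason, sequence number to remember for this neighbour).

    keys maps key id -> key; several ids may be configured at once, which is what
    allows an old and a new key to coexist during a rollover.
    """
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False, "too-short", last_seq
    _ver, _type, length, _rid, _aid, _cksum, autype = struct.unpack("!BBH4s4sHH", wire[:16])
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTH_TYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False, "auth-type-mismatch", last_seq
    if len(wire) != length + DIGEST_LEN:
        return False, "length-mismatch", last_seq
    key = keys.get(key_id)
    if key is None:
        return False, "unknown-key-id", last_seq
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "bad-digest", last_seq          # forged, or modified in transit
    if last_seq is not None and seq < last_seq:
        return False, "replay", last_seq              # older than this neighbour's last packet
    return True, "ok", seq


# Constructed values for the demonstration.
KEYS = {5: b"demo-shared-key"}          # key id 5, as in the template line above
HELLO_BODY = b"\x00" * 20               # placeholder Hello body; its contents do not matter here


def demo() -> Dict[str, str]:
    good = build_packet(HELLO_BODY, "10.255.0.1", "0.0.0.0", 5, 100, KEYS[5])
    tampered = good[:30] + bytes([good[30] ^ 0x01]) + good[31:]     # flip one bit in the body
    return {
        "genuine": verify_packet(good, KEYS, None)[1],
        "tampered": verify_packet(tampered, KEYS, 100)[1],
        "replayed": verify_packet(good, KEYS, 101)[1],
        "wrong-key-id": verify_packet(good, {6: KEYS[5]}, None)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>12}: {outcome}")
```

Two points the template relies on are visible here: the key id in the header is what makes a staged key change possible (both routers hold keys 5 and 6 for a while, then the old one is removed), and the sequence number only protects against replay if the receiver remembers the last value per neighbour. MD5 is what the 2005 template configures; RFC 5709 later added HMAC-SHA algorithms for OSPFv2 on platforms that support them.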

Section 6 - Audit and Management

6.1
! ROUTER LOGGING
config t
! SET A 16K LOG BUFFER AT INFORMATIONAL LEVEL
logging buffered 16000 informational
! TURN ON TIME/DATE STAMPS IN LOG MESSAGES
service timestamps log datetime msec localtime show-timezone
! ENABLE SYSLOG LOGGING WITH NOTIFICATION LEVEL MESSAGES
logging trap notifications
logging facility local5
! DEFINE AT LEAST TWO TRUSTED LOGGING HOSTS
logging <syslog server 1>
logging <syslog server 2>
! ENSURE LOGGING ORIGINATES FROM THE ROUTER LOOPBACK INTERFACE
logging source-interface Loopback0
! ENABLE SNMP TRAPS FOR SYSLOG MESSAGES
snmp-server enable traps syslog
! DEFINE AT LEAST TWO TRUSTED SNMP HOSTS
snmp-server host <snmp server 1> traps <password string>
snmp-server host <snmp server 2> traps <password string>
! ENSURE SNMP ORIGINATES FROM THE ROUTER LOOPBACK INTERFACE
snmp-server trap-source Loopback0
! ENSURE ROUTER CORE DUMPS ARE SENT WHEN ROUTER CRASHES
exception dump <management server ip>

6.2
! TIME SYNCHRONIZATION
config t
! ENSURE NTP ORIGINATES FROM THE ROUTER LOOPBACK INTERFACE
ntp source Loopback0
! CONFIGURE PRIMARY AND SECONDARY NTP SERVERS
ntp server <ntp server 1> prefer
ntp server <ntp server 2>
! THIS CONCLUDES CLIENT MODE NTP SYNC

6.3
! NETWORK MONITORING
config t
! LOCK DOWN SNMP TO PARTICULAR SERVERS WITH A PASSWORD; ACL 5 LISTS THE PERMITTED STATIONS (SEE 4.1)
snmp-server community <password 1> RO 5
snmp-server community <password 2> RW 5

6.4
! ROUTER SOFTWARE MAINTENANCE
! NO APPLICABLE CONFIGURATION

6.5
! ROUTER CONFIGURATION MANAGEMENT
! NO APPLICABLE CONFIGURATION

Appendix B - Router Hardening Checklist

This is a final assessment of your own equipment before deployment into production. Note that this checklist is once again very Cisco oriented. It's really hard to generalize when you've predominantly used Cisco routers.

Section 2 - Access Security

Login Banner configured on router.
Access restrictions configured on Console, AUX and VTYs.
Unused interfaces and AUX ports shut down or disabled.
Password encryption in use, enable secret in use.
Enable secret complies with the 8+ letters, 2 numbers password standard.
AAA and TACACS+ enabled for user authentication and auditing.
SNMP, TACACS and enable passwords difficult to guess, and knowledge of them strictly limited.

Section 3 - Router Network Services Security

Unneeded network TCP services disabled.
Unneeded network UDP services disabled.
Unneeded network IP services disabled.
Necessary network services configured correctly (e.g. DNS).

Section 4 - ACLs, Filtering and Rate Limiting

Access lists limit traffic so that only management servers may connect to any interface or service hosted by the router.
Some mechanism providing QoS for management traffic has been deployed on the router.
Either black-hole or sinkhole routing has been enabled to discard unused RFC1918 address blocks or bogon traffic.
Some anti-spoofing mechanism is in place on the local network interfaces to ensure traffic in or out of the local interfaces is legitimate.

Section 5 - Routing Protocols

Static routes have been configured on network perimeter routers routing traffic to trusted networks.
No routing protocols have been configured to redistribute to or update un-trusted networks.
Routing protocols configured to use integrity mechanisms (peer unicast and authentication).

Section 6 - Audit and Management

Logging enabled and syslog hosts configured.
Router's time of day maintained with NTP in client mode.
Logging includes timestamps.
Logs collected and archived on a central server.
SNMP enabled with good community strings and ACLs.
Router software version is up to date and patched regularly.
Router configuration is backed up daily to a secure, central server.
Router configuration template is detailed and was used when configuring the router.
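The checklist above can be applied mechanically to a saved running-config before the router goes into production. The script below is an added example, not code from this guide: it parses an IOS configuration into global lines and per-interface blocks and reports which Appendix A template lines are missing or contradicted, tagged with the checklist section they belong to. SAMPLE_CONFIG is a constructed running-config with four deliberate gaps (HTTP server left on, a single syslog host, an SNMP RW community without an ACL, an unused interface not shut down). It checks only lines that are explicitly present, so a default that IOS does not print in the running-config is not confirmed by it.

```python
"""Audit a saved IOS running-config against the Appendix A template and Appendix B checklist.
Added example, not from the original guide. SAMPLE_CONFIG is a constructed running-config,
hardened per the template except for four deliberate gaps. Only lines explicitly present are
checked: an IOS default that the running-config does not print cannot be confirmed here."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
service password-encryption
service timestamps log datetime msec localtime show-timezone
no service tcp-small-servers
no service udp-small-servers
ip http server
no ip source-route
no ip bootp server
enable secret 5 $1$EXAMPLE$placeholder-hash
banner motd ^C Authorised use only ^C
interface Loopback0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path 190
interface FastEthernet0/1
interface Serial0/1
 ip address 10.1.2.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no cdp enable
logging 10.1.9.5
snmp-server community r3adonly RO 5
snmp-server community wr1te RW
ntp server 10.1.9.10 prefer
ntp server 10.1.9.11
"""

# Global lines that must be present or must be absent, mapped to the checklist section.
REQUIRED = {
    "service password-encryption": "Section 2: password encryption not in use",
    "no service tcp-small-servers": "Section 3: TCP small servers not disabled",
    "no service udp-small-servers": "Section 3: UDP small servers not disabled",
    "no ip source-route": "Section 3: IP source routing not disabled",
    "no ip bootp server": "Section 3: BOOTP server not disabled",
}
FORBIDDEN = {"ip http server": "Section 3: HTTP server enabled"}
REQUIRED_PREFIX = {
    "enable secret": "Section 2: no enable secret configured",
    "banner ": "Section 2: no login banner configured",
    "service timestamps log": "Section 6: log messages not timestamped",
    "ntp server": "Section 6: no NTP server configured",
}


def parse_ios(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split into global lines and {interface: [sub-commands]}. Sub-commands of other
    blocks (router ospf, key chain, ...) are kept as global lines, enough for these checks."""
    globals_, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(raw.strip())
    return globals_, interfaces


def audit(config: str) -> List[str]:
    globals_, interfaces = parse_ios(config)
    gset = set(globals_)
    findings = [msg for line, msg in REQUIRED.items() if line not in gset]
    findings += [msg for line, msg in FORBIDDEN.items() if line in gset]
    findings += [msg for pfx, msg in REQUIRED_PREFIX.items() if not any(g.startswith(pfx) for g in globals_)]
    syslog_hosts = [g for g in globals_ if re.match(r"logging (?:host )?\d+\.\d+\.\d+\.\d+$", g)]
    if len(syslog_hosts) < 2:
        findings.append(f"Section 6: {len(syslog_hosts)} syslog host(s), template requires two")
    for g in globals_:
        m = re.match(r"snmp-server community \S+ (RO|RW)(?: (\S+))?$", g)
        if m and m.group(2) is None:          # community string accepted from any source
            findings.append(f"Section 4: SNMP {m.group(1)} community has no access list")
    for name, lines in interfaces.items():
        if name.startswith(("Loopback", "Null")) or "shutdown" in lines:
            continue
        if not any(l.startswith("ip address") for l in lines):
            findings.append(f"Section 2: unused interface {name} not shut down")
            continue
        for needed in ("no ip redirects", "no ip proxy-arp"):
            if needed not in lines:
                findings.append(f"Section 3: {name} missing '{needed}'")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

Findings deliberately name the interface or the community's mode rather than echoing the community string itself, so the report can be filed without leaking a credential. Tables REQUIRED, FORBIDDEN and REQUIRED_PREFIX are where a site extends the check with its own template lines.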

References and Contributions

The below contributing documents were used in the creation of this router hardening guide.

Cisco SAFE Blueprint
    The SAFE Blueprint from Cisco is a flexible, dynamic blueprint for security and VPN networks, based on Cisco AVVID (Architecture for Voice, Video and Integrated Data), that enables businesses to securely and successfully take advantage of e-business and compete in the Internet era.

SAFE: Best Practices for Securing Routing Protocols
    This document discusses the various threats against routing protocols used by Cisco.

NSA Router Security Configuration Guide Executive Summary Card
    This is the executive summary, supplementing the official National Security Agency's Router Security Configuration Guide version 1.1 found here.

Generic Security Requirements for Routing Protocols
    An Internet Draft document submitted January 2005 by the Internet Engineering Task Force.

OSPF Security
    A generic OSPF Security paper with examples on how to configure the Cisco OSPF routing protocol.

Route To Security
    A paper that outlines the generic industry best practices for securing network routers.

Secure IOS Template
    Version 3.7, 27 JAN 2005, created by Team Cymru and Rob Thomas.

Designing Network Security
    Book, ISBN 1-57870-043-4, 1999, Cisco Press Publishing.

Managing Cisco Network Security
    Book, ISBN 1-57870-103-1, 2001, Cisco Press Publishing.

Network Security Database
    Cisco's countermeasure resource team that creates IDS signatures.

OSSS Open Source Security Standards
    Little cat Z is developing a suite of free-to-use open information security standards.