Cover V10, I07
Figure 1


Securing Your Cisco Router

John Tiso

Historically, packet routers were designed to route all traffic by default. To some extent, this has carried over into the default configurations of modern packet routers. Most companies and organizations utilize a router as a connecting gateway to the Internet. In their default configuration, many routers are vulnerable to various security issues especially Denial of Service (DOS). In this article, I will cover configuration commands and filtering concepts to "harden" the default configuration of a Cisco router. Many services can be disabled or modified without changing router function. The base Cisco IOS and Cisco's integrated firewall functions will be discussed.

Placement of a Perimeter Router

The traditional enterprise connection to the Internet consists of a wide area connection (WAN) from the organization's premises to the Internet Service Provider's (ISP) point of presence (POP) in the area. Routers terminate these WAN connections. Many newly offered forms of connectivity -- cable (network access over broadband media), DSL (Digital Subscriber Line, high-speed networking over copper wire) -- terminate to the customer via Ethernet (cable modem/router or DSL modem/router). A router can be used at the Ethernet point to provide additional network services such as NAT (Network Address Translation) or DHCP (Dynamic Host Configuration Protocol). Many cable and DSL modems also have integrated routing functions, and can terminate the ISP connection and provide additional functions like NAT.

Figure 1 shows two images. The first image is the utilization of a router to terminate a WAN connection from an ISP. This router may be in front of one or more other routers, firewalls, or other network devices. The second image shows a router between a Small Office/Home Office (SOHO) network and a cable or DSL ISP connection.

Global Configuration Parameters

Cisco routers utilize two types of configuration parameters: global and interface. Global parameters affect the whole router, and interface parameters affect a specific network interface. In this section, I will define a set of global commands found in most Cisco IOS versions that can be used to increase security:

no ip source route -- IP Version 4 has the capability to embed a route in a packet. This is known as source routing. Source routing was never widely utilized and has been removed from the next version of TCP/IP. Attackers use source routing to bypass the routing tables of devices, thereby masking the traffic origin. This command tells the router to ignore packets with this header set.

no service finger -- The finger process in the router is similar to UNIX finger. finger provides potential attackers with information they do not need. This command turns off the finger process.

no service tcp-small-servers and no service udp-small-servers -- This command has become the default in newer IOS versions. Cisco devices support the IP "small" services echo, chargen, and discard. They are easily exploitable and not generally needed at your perimeter. They should be turned off.

no cdp run -- CDP (Cisco Discovery Protocol) is a Cisco proprietary layer 2 informational protocol. This command completely turns CDP off in the router. CDP information is not required for operation and can provide potential attackers with more information than necessary. However, if your network uses CDP, there is an interface command to turn it off on a per interface level.

no ntp enable -- NTP (Network Time Protocol) may not be necessary on your perimeter router and should be disabled. NTP traffic can still flow through the router. The router will not be a source or destination of NTP traffic. However, if your network uses NTP, there is an interface command to turn it off per interface as well.

no ip domain-lookup -- This command turns off DNS lookups in the router. DNS lookups are not necessary for normal router operation.

service password-encryption -- This command will encrypt passwords stored on the local router. Provides a level of security in case of security breech or password compromise.

enable secret <password> -- This provides an encrypted privilege mode password, rather than plain text (enable password command uses plain text).

banner motd {char} text {char} -- This command is similar in concept to UNIX motd. The motd provides a banner warning to attackers that the system is private. A typical banner is provided in the sample router configuration. This command does not provide actual security, but may provide legal support in a security incident. If your company has a legal department, it is advisable to let them write the banner.

ip tcp intercept mode intercept
access-list 102 permit tcp any
ip tcp intercept list 102
ip tcp intercept max-incomplete high 200
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks, which are a type of DOS attack. The access list (more on access lists ahead) defines servers/networks that accept inbound TCP connections. The high 200 defines the maximum half-open TCP connections per host. This command can be considerably tuned, and should only be implemented with a good understanding of the type of traffic and connections that are normal to your network.

Interface Configuration Parameters

As mentioned in the last section, these parameters are applied directly to a network interface to change its function. Unless otherwise noted, most of these commands should be implemented on the router interface external to your network:

no ip redirects -- This command disables ICMP (Internet Control Messaging Protocol) redirection. ICMP redirects are messages from a router indicating a better network route. This could possibly be used in a type of DOS attack.

no ip unreachables -- This command disables ICMP network unreachable messages. ICMP network unreachable messages are messages from a router indicating a destination is unreachable. This could also possibly be used in a type of DOS attack.

no ip proxy-arp -- Proxy ARP (Address Resolution Protocol) allows a router to answer ARP requests for a different network than the attached network. Proxy ARP could be exploited, and this command will disable it.

no ip mroute-cache -- This will turn off the Cisco IOS multicast route cache. If multicast is not in use, the multicast route cache is an unnecessary service.

ntp disable -- This command will disable NTP at an interface level. This will allow NTP to be run in the router, but be disabled externally.

no cdp enable -- This command will turn off CDP at an interface level. This is useful if you want to run CDP on an internal LAN.

no ip directed broadcast -- This command has become the default in IOS Version 12 and later. It stops traffic directed at a subnet or network broadcast address. Sending traffic to the network broadcast is the premise of a DOS attack known as a "Smurf" attack. It is a good idea to implement this on all your network routers, unless you have a specific application need for directed broadcasts.

mac-address 0050.04FE.7F9C -- This command changes the interface's BIA (Burned In Address; MAC address) in software. This is a small amount of security through obscurity. This command overrides the MAC address of the interface. Since network hardware manufacturers assign MAC addresses, changing this address can mask the device type. This technique can be useful when you want to hide the device type of your router. I took this MAC address from a PC with a 3COM network adapter. Might be useful to confuse a potential attacker, and can be especially useful if your DSL or cable provider frowns on the use of routers on their network.

Access Lists

Access lists are at the core of configuring Cisco routers. Their primary function is for packet filtering, but they are also used in packet matching and other functions. The base access list type is the standard access list. This access list type matches traffic on a source network address only. Extended access lists improve on this by matching source, destination, and protocol/port, as well as SYN/ACK bits (established connections appear with SYN and ACK set). A good idea to increase security is to filter on known weak protocols, unnecessary/unknown protocols, and addresses known to be invalid. The following examples show filtering on known multicast addresses. The first example is a standard access list; the second is an extended access list performing the same filtering (! is a comment in Cisco IOS, similar to UNIX #).

Standard Access List

access-list 10 deny
! muticast addresses would not be expected. Deny these.
! is the start of the multicast and the matches the
! rest of the multicast range
access-list 10 permit any
! each access list ends with an implied "deny any" so if this is
! not the desired results add  permit any
Extended Access List

access-list 111 deny   ip any
! note here we need to specify the protocol. (ip means any ip 
! protocol) and the destination of any
access-list 111 permit ip any any
The interface command ip access group <number> in would apply these access lists. IOS allows only one filter per direction (in or out). If you choose to filter using IP access lists, at a minimum be sure to filter on the following:

  • Source address belonging to private address range of RFC 1918.
  • Invalid source address such as multicast.
  • Source address from outside your network matching your internal address.

Performing this minimum type of filtering can be useful even if you have a firewall between your perimeter router and internal network. More restrictive filters can be developed to allow traffic that only meets your needs to operate your network. Packet filtering can be a powerful security tool. However, packet filtering of this nature is "stateless", which means that the router is not aware of flows, connections, and return traffic. For instance, if you develop traffic to allow only specific traffic out of your network, the stateless nature of packet filtering requires you to match return traffic. There are also connection types that a user connects out, and the server initiates a connection back in (FTP port mode, streaming media). This may require opening "high" ports (greater than 1023) as well as looking at the TCP SYN and ACK bits (easily forged).

Next-generation access lists are reflexive access lists and CBAC (Context Based Access Control) access lists. These access list types additionally match on higher layer protocol details and function. Reflexive access lists are also called IP session filtering because they build a dynamic return path based on session information. Reflexive access lists are part of the base Cisco IOS feature set starting in Version 12.0 of the IOS.

Reflexive List

ip access-list extended internet-out
! this is applied in the outbound direction,  inspects the
! outbound traffic to build the state table
 permit ip any any reflect dynamic-path
! "dynamic-path" is the access list with the return info

 ip access-list extended internet-in
! this is applied in the inbound direction, can also contain
! non-dynamic openings; i.e. SMTP mail to
permit tcp any host eq smtp
! open the temporary holes
evaluate dynamic-path 

interface Serial 0/0
! apply your reflexive list to the outbound interface
description Access to the Internet via this interface
 ip access-group internet-in in
 ip access-group internet-out out
Reflexive lists allow all the flexibility of extended and standard lists and overcome some of their weakness. One of the notable features of reflexive lists is that they can allow outbound "ping" (and other ICMP) and disallow inbound ICMP traffic. The previous example allows all inside initiated traffic out (and its return traffic), return traffic in, and SMTP mail connections inbound to Reflexive lists improve on standard and extended, but only provide filtering at the session layer.

CBAC works at the application layer. It inspects traffic that travels through the firewall to discover and manage state information for TCP and UDP sessions. This state information is used to create temporary openings in the firewall's access lists to allow for return traffic as well as additional data connections for permissible sessions. CBAC is part of the Cisco Secure Integrated Security (formerly Firewall IOS). CBAC requires inspection parameters to be defined. These are based on protocol type. There are specialized CBAC inspection rules such as http, and generic ones for TCP, UDP, and IP fragmentation. Generic access lists are applied to an interface, and CBAC manages the connections. CBAC can only operate on TCP and UDP, so other IP protocols and ICMP must be allowed via stateless filtering around CBAC. The sample router configuration supplied utilizes CBAC access lists.

Using Access Lists to Filter Inbound Communication to the Router

Access lists can be used by the IOS to filter incoming and outgoing connections directed to the router. Two of these connection types are telnet directed to the router and SNMP directed to the router. An access list can be applied directly to the telnet and snmp processes to restrict traffic.

Inbound telnet example:

access-list 10 permit
! define access list to permit inside access
line vty 0 4
! configure the virtual telnet terminals
access-class 10 in
! apply the access list to the inbound telnet process
SNMP example:

! apply access list 10 for SNMP access
snmp-server community my-community RW 10
Integrated IOS Intrusion Detection
CBAC is not the only component of the Cisco Secure Integrated Security (CSIS) package. It also offers an intrusion detection system (IDS). This IDS technology is taken from Cisco's dedicated IDS product line (formerly called NetRanger). The IOS IDS utilizes a subset of the dedicated IDS' attack signature profiles, using the most common attacks seen. IDS inspects packets as they flow through the router. This is a resource intensive process. Therefore, IDS is only available on a subset of higher powered routers that run CSIS (2600, 3600, or 7x00 series routers). The inspection process of CBAC may also impact network performance depending on amount and type of traffic. IDS will also log to the router's logging buffer, but to use and store this information externally requires either a CS IDS Director or a UNIX syslog server. IDS should be monitored and tuned to ensure it does not detect normal traffic as abnormal. The system-logging buffer can be looked at by the show log command. The system-logging buffer should be consulted when external logging is not available. Depending on the available router resources and traffic flow, IDS may not inspect all traffic. IDS in the router is not foolproof, but it can provide an additional layer to your security perimeter. The sample configuration uses IDS in a freestanding mode, logging into the system buffer.

Commented Working Router Configuration

The working configuration provided in Listing 1 is currently used on a home office router behind a cable modem terminating in Ethernet. It is a Cisco 2621 router, running IOS Version 12.1(3)T (image: C2600-JO3S56I-M). The Fast Ethernet 0/0 is the external interface. It is plugged into a cable modem using an Ethernet crossover cable. The Ethernet 0/1 is the internal interface. It is plugged into the home office Ethernet switch. The external interface has its MAC address set to a PC network card, and it obtains an address via DHCP from the provider. The internal interface is running the DHCP server service and provides address and configuration information to the home office. A private address (RFC 1918) is used inside. The router performs dynamic NAT using the outside interface as a source address. CBAC and IDS are deployed to provide security. The router also uses the "AAA" process (Accounting, Authorization, and Authentication) to secure the console, auxiliary serial port, and telnet. The "AAA" process is more secure than defining passwords on each line, because it provides a uniform login method.


With the wide acceptance of Internet firewalls, as well as the ubiquity of high speed networking options for SOHO installations, external perimeter security is often ignored. Cisco routers, one of the most widely deployed routers, can be configured to significantly increase network security.


Cisco Systems Documentation Homepage --

Improving Security on Cisco Routers --

Increasing Security on IP Networks --

John Tiso is one of the founding employees of Networked Information Systems, a Woburn, Massachusetts-based integrator of Cisco Systems and Sun Microsystems. He has a BS degree from Adelphi University, Garden City, NY. He is a Cisco Certified Internetwork Expert (CCIE #5162) and also holds Sun Microsystems, Microsoft, and Novell certifications. John also works part time as a technical editor and reviewer for Cisco Press. He can be contacted at: