Securing Your Cisco Router
John Tiso
Historically, packet routers were designed to forward all traffic
by default, and to some extent that bias has carried over into the
default configurations of modern routers. Most companies and organizations
use a router as the gateway to the Internet, and in its default
configuration such a router is exposed to a range of security issues,
especially denial of service (DoS). In this article, I cover configuration
commands and filtering concepts that "harden" the default configuration
of a Cisco router. Many services can be disabled or modified without
changing how the router forwards traffic. Both the base Cisco IOS and
Cisco's integrated firewall functions are discussed.
Placement of a Perimeter Router
The traditional enterprise connection to the Internet consists
of a wide area connection (WAN) from the organization's premises
to the Internet Service Provider's (ISP) point of presence
(POP) in the area. Routers terminate these WAN connections. Many
newly offered forms of connectivity -- cable (network access
over broadband media), DSL (Digital Subscriber Line, high-speed
networking over copper wire) -- terminate to the customer via
Ethernet (cable modem/router or DSL modem/router). A router can
be used at the Ethernet point to provide additional network services
such as NAT (Network Address Translation) or DHCP (Dynamic Host
Configuration Protocol). Many cable and DSL modems also have integrated
routing functions, and can terminate the ISP connection and provide
additional functions like NAT.
Figure 1 shows two images. The first image is the utilization
of a router to terminate a WAN connection from an ISP. This router
may be in front of one or more other routers, firewalls, or other
network devices. The second image shows a router between a Small
Office/Home Office (SOHO) network and a cable or DSL ISP connection.
Global Configuration Parameters
Cisco routers utilize two types of configuration parameters: global
and interface. Global parameters affect the whole router, and interface
parameters affect a specific network interface. In this section,
I will define a set of global commands found in most Cisco IOS versions
that can be used to increase security:
no ip source-route -- IP version 4 allows a sender to embed a route
in the packet header (the loose and strict source-route options). This
is known as source routing. Source routing was never widely used, and
most hosts and routers now drop or ignore it. Attackers use source routing
to dictate the path a packet takes, bypassing the routing tables of
intermediate devices, reaching hosts that are otherwise unroutable from
outside, and making the true origin harder to determine. This command
tells the router to discard packets carrying a source-route option rather
than forwarding them.
no service finger -- The finger process in the router
is similar to UNIX finger. finger provides potential
attackers with information they do not need. This command turns
off the finger process.
no service tcp-small-servers and no service udp-small-servers
-- These have been the default since IOS 12.0. Cisco devices support
the IP "small" services echo, chargen, discard, and (over TCP)
daytime. They are easily abused, for example by bouncing traffic between
the echo and chargen ports of two devices to generate load, and are not
needed at your perimeter. They should be turned off.
no cdp run -- CDP (Cisco Discovery Protocol) is a Cisco-proprietary
layer 2 protocol that advertises the device's platform, IOS version,
and addresses to directly connected neighbors. This command turns CDP
off in the whole router. CDP is not required for operation and gives
a potential attacker on an adjacent segment more information than
necessary. If your network uses CDP internally, there is an interface
command to turn it off on a per-interface basis instead.
no ntp enable -- NTP (Network Time Protocol) may not be necessary
on your perimeter router and should be disabled if the router is not
acting as an NTP client or server (no ntp server or ntp master
statements). NTP traffic can still flow through the router; the router
simply is not a source or destination of it. If your network uses NTP
on the router, the interface command ntp disable (described later)
stops it on the external interface only, and is the form to use where
your IOS version does not accept a global command.
no ip domain-lookup -- This command turns off DNS lookups by the
router itself. DNS resolution is not required for forwarding, and leaving
it on means the router will try to resolve any mistyped command at the
prompt as a hostname. This affects only the router's own lookups; DNS
traffic passing through the router is unaffected.
service password-encryption -- This command obscures the passwords
stored in the configuration (line passwords, enable password, and similar)
so they are not readable at a glance. It uses a reversible, fixed-key
encoding (the "7" shown in front of the password), so it protects
against someone glancing at a configuration printout, not against anyone
who obtains the configuration file. Treat it as a minimum, not as real
protection in the event of a breach or password compromise.
enable secret <password> -- This stores the privileged-mode
password as a one-way MD5 hash (shown as "5" in the configuration)
rather than in plain text or the reversible encoding used by the enable
password command. Use it instead of enable password; if both are
configured, enable secret takes precedence, but the enable password line
remains in the configuration and must not share the same password.
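As an added illustration (not code from the article), the following Python implements the publicly known fixed-key XOR encoding that service password-encryption applies, together with its decoder and a scan of a configuration excerpt. The excerpt it scans is constructed for the example. The point it makes is that anyone holding a copy of the configuration can recover every type 7 password, which is why the privileged-mode password belongs in enable secret.

```python
"""Cisco IOS 'type 7' password obfuscation as produced by
service password-encryption. Added illustration, not code from the
article: the scheme is a fixed-key XOR and is trivially reversible,
which is why enable secret (a one-way hash) is preferred for the
privileged-mode password."""

# The fixed key every IOS image uses for type 7 encoding.
_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 8) -> str:
    """Return the 'password 7 ...' string for plaintext.

    The first two characters carry the starting offset into the key
    (IOS picks it at random from 0-15); each following pair of hex
    digits is one plaintext byte XOR'd with the next key byte.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plaintext.encode()):
        out.append(f"{ch ^ _KEY[(seed + i) % len(_KEY)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string; no secret is needed."""
    if len(encoded) < 2 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ _KEY[(seed + i) % len(_KEY)]
                 for i, b in enumerate(body)).decode()


def find_type7_lines(config: str) -> list:
    """Scan a configuration dump and return (line, recovered password)
    for every entry whose value is tagged with encoding type 7."""
    found = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-2] == "7":
            try:
                found.append((line.strip(), type7_decode(parts[-1])))
            except ValueError:
                pass
    return found


if __name__ == "__main__":
    # Constructed configuration excerpt for demonstration.
    sample = "enable password 7 0822455D0A16\nline vty 0 4\n password 7 0822455D0A16\n"
    for line, pw in find_type7_lines(sample):
        print(f"{line!r} -> {pw!r}")
```

Run against a real configuration this recovers the line and enable passwords in well under a second, with nothing more than the configuration itself; an enable secret line (type 5) cannot be reversed the same way.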
banner motd {char} text {char} -- This command is similar
in concept to UNIX motd. The motd provides a banner
warning to attackers that the system is private. A typical banner
is provided in the sample router configuration. This command does
not provide actual security, but may provide legal support in a
security incident. If your company has a legal department, it is
advisable to let them write the banner.
ip tcp intercept mode intercept
access-list 102 permit tcp any 172.30.0.0 0.0.255.255
ip tcp intercept list 102
ip tcp intercept max-incomplete high 200
The TCP intercept feature protects TCP servers from SYN-flooding
attacks, a type of DoS in which an attacker sends connection requests it
never completes until the server's table of half-open connections is
exhausted. The access list (more on access lists ahead) defines the
servers/networks whose inbound TCP connections the router should intercept;
in intercept mode the router answers the client's SYN itself and only
opens a connection to the server once the client completes the three-way
handshake. The max-incomplete high 200 value is the total number of
half-open connections at which the router enters aggressive mode and
begins dropping the oldest half-open connections; it returns to normal
mode when the count falls below the corresponding max-incomplete low
value. These thresholds can be tuned considerably, and should only be
set with a good understanding of the traffic and connection rates that
are normal on your network.
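The following Python model, added here as an illustration rather than Cisco's code, shows what the max-incomplete thresholds govern: a table of half-open connections, an aggressive mode that evicts the oldest entry once the high-water mark is reached, and hysteresis back to normal below the low-water mark. The protected range 172.30.0.0/16 stands in for access-list 102; the addresses and the flood are constructed.

```python
"""Model of the TCP intercept half-open connection table, added here
to illustrate what max-incomplete high/low control. Simplified model
written for this article, not Cisco's implementation: it covers only
the counting, the aggressive-mode eviction, and the protected range
(a hypothetical 172.30.0.0/16 standing in for access-list 102)."""
from collections import OrderedDict
from ipaddress import ip_address, ip_network

PROTECTED = ip_network("172.30.0.0/16")   # assumed: what access-list 102 permits


class TcpIntercept:
    def __init__(self, high: int = 1100, low: int = 900):
        self.high, self.low = high, low        # IOS defaults for max-incomplete
        self.half_open = OrderedDict()         # (src, sport, dst, dport) -> None
        self.aggressive = False
        self.dropped = 0

    def syn(self, src: str, sport: int, dst: str, dport: int) -> str:
        """A client SYN arrives; returns what the router does with it."""
        if ip_address(dst) not in PROTECTED:
            return "pass"                      # not covered by the intercept list
        if len(self.half_open) >= self.high:
            self.aggressive = True
        if self.aggressive and self.half_open:
            # Aggressive mode: evict the oldest embryonic connection so that
            # a flood cannot hold the table full against new clients.
            self.half_open.popitem(last=False)
            self.dropped += 1
        # The router answers this SYN itself and waits for the client's ACK.
        self.half_open[(src, sport, dst, dport)] = None
        return "intercepted"

    def ack(self, src: str, sport: int, dst: str, dport: int) -> str:
        """The client's final ACK: handshake complete, the router opens the
        real connection to the server and stops tracking this one."""
        key = (src, sport, dst, dport)
        if key not in self.half_open:
            return "pass"                      # unknown or already evicted
        del self.half_open[key]
        if self.aggressive and len(self.half_open) < self.low:
            self.aggressive = False            # hysteresis: back to normal mode
        return "established"


def simulate_flood(n_syns: int, high: int = 5, low: int = 3) -> dict:
    """Constructed scenario: n_syns spoofed SYNs to one protected web server
    that are never completed, followed by one legitimate client."""
    ti = TcpIntercept(high=high, low=low)
    for i in range(n_syns):
        ti.syn(f"198.51.100.{i % 250 + 1}", 40000 + i, "172.30.1.10", 80)
    stats = {"half_open": len(ti.half_open), "dropped": ti.dropped,
             "aggressive": ti.aggressive}
    # The legitimate client still gets through: its SYN evicts the oldest
    # spoofed entry, and its ACK completes the handshake.
    stats["legit"] = (ti.syn("203.0.113.7", 51000, "172.30.1.10", 80),
                      ti.ack("203.0.113.7", 51000, "172.30.1.10", 80))
    return stats


if __name__ == "__main__":
    print(simulate_flood(20))
```

With the thresholds scaled down to 5 and 3 for readability, twenty spoofed SYNs leave the table holding five entries with fifteen evicted, and the legitimate client's connection still completes. Set high too low for your real connection rate and the router will be evicting genuine half-open connections during normal peaks, which is the tuning warning above.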
Interface Configuration Parameters
As mentioned in the last section, these parameters are applied
directly to a network interface to change its function. Unless otherwise
noted, most of these commands should be implemented on the router
interface external to your network:
no ip redirects -- This command stops the interface from sending
ICMP (Internet Control Message Protocol) redirects. A redirect is a
router's way of telling a host that a better next hop exists for a
destination. An attacker who can elicit or forge them can learn about
your topology or steer hosts' traffic, and there is no reason to send
them on an external interface.
no ip unreachables -- This command stops the interface from sending
ICMP unreachable messages, which tell a sender that a destination,
protocol, or port cannot be reached. Unreachables give a scanner fast
confirmation of which addresses and ports are filtered, and a router can
be made to generate them in volume. Be aware that the "fragmentation
needed" unreachable is what path MTU discovery relies on; if hosts
behind the router see stalled connections after you disable unreachables
on an interface that is reducing the MTU, this is why.
no ip proxy-arp -- Proxy ARP (Address Resolution Protocol)
allows a router to answer ARP requests for a different network than
the attached network. Proxy ARP could be exploited, and this command
will disable it.
no ip mroute-cache -- This will turn off the Cisco
IOS multicast route cache. If multicast is not in use, the multicast
route cache is an unnecessary service.
ntp disable -- This command will disable NTP at an
interface level. This will allow NTP to be run in the router, but
be disabled externally.
no cdp enable -- This command will turn off CDP at
an interface level. This is useful if you want to run CDP on an
internal LAN.
no ip directed-broadcast -- This has been the default since IOS
12.0. It stops the router from turning traffic addressed to a subnet's
broadcast address into a link-layer broadcast on that subnet. Sending
traffic to a network's broadcast address, with the victim's address
forged as the source so that every host on the subnet replies to the
victim, is the premise of the "Smurf" amplification attack. Implement
this on all your network routers unless you have a specific application
need for directed broadcasts.
mac-address 0050.04FE.7F9C -- This command overrides the interface's
BIA (Burned In Address; MAC address) in software. This is a small amount
of security through obscurity: because network hardware manufacturers
are assigned the leading bytes of the MAC address, the address can reveal
the device type, and changing it can mask that. This technique can be
useful when you want to hide the device type of your router. I took this
MAC address from a PC with a 3COM network adapter. It might be useful to
confuse a potential attacker, and can be especially useful if your DSL or
cable provider frowns on the use of routers on their network.
Access Lists
Access lists are at the core of configuring Cisco routers. Their
primary function is for packet filtering, but they are also used
in packet matching and other functions. The base access list type
is the standard access list. This access list type matches traffic
on a source network address only. Extended access lists improve
on this by matching source, destination, and protocol/port, as well
as SYN/ACK bits (established connections appear with SYN and ACK
set). A good idea to increase security is to filter on known weak
protocols, unnecessary/unknown protocols, and addresses known to
be invalid. The following examples show filtering on known multicast
addresses. The first example is a standard access list; the second
is an extended access list performing the same filtering (!
is a comment in Cisco IOS, similar to UNIX #).
Standard Access List
access-list 10 deny 224.0.0.0 31.255.255.255
! multicast addresses would not be expected as a source. Deny these.
! 224.0.0.0 with wildcard 31.255.255.255 matches 224.0.0.0 through
! 255.255.255.255: the multicast range (224-239), the reserved class E
! space (240-255), and the limited broadcast address, none of which
! is a valid source
access-list 10 permit any
! each access list ends with an implied "deny any", so if that is
! not the desired result, add permit any
Extended Access List
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
! note here we need to specify the protocol. (ip means any ip
! protocol) and the destination of any
access-list 111 permit ip any any
The interface command ip access-group <number> in applies
these access lists. IOS allows only one access list per interface per
direction (in or out). If you choose to filter using IP access lists,
at a minimum be sure to filter inbound on the external interface on
the following:
- Source address belonging to the private address ranges of RFC 1918
(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
- Invalid source addresses such as multicast, the loopback range
(127.0.0.0/8), and the limited broadcast address.
- Source address from outside your network matching your internal
address space (this is how an attacker spoofs an inside host).
Performing this minimum filtering is useful even if you have a
firewall between your perimeter router and your internal network.
More restrictive filters can be developed so that only the traffic you
need is allowed. Packet filtering can be a powerful security tool.
However, packet filtering of this nature is "stateless": the router
is not aware of flows, connections, or return traffic. For instance, if
you write filters that allow only specific traffic out of your network,
the stateless nature of packet filtering means you must also write
entries that match the return traffic. There are also connection types
in which a user connects out and the server initiates a connection back
in (FTP in port, or active, mode; some streaming media). Handling these
statelessly requires opening "high" ports (greater than 1023) inbound
and relying on the TCP SYN and ACK bits, which are easily forged.
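To make the stateless semantics concrete, here is an added Python evaluator (not from the article or from Cisco) for a subset of numbered access-list syntax. It applies wildcard masks, first-match order and the implicit deny as described above, and treats established as a test of the ACK/RST bits only. The inbound filter it ships with implements the minimum list for an assumed internal network of 172.30.0.0/16 with a mail server at 172.30.1.25; all addresses and packets are constructed.

```python
"""Evaluator for a subset of Cisco IOS numbered access-list syntax, added
here (not code from the article or Cisco). Supported: standard lists (1-99)
with 'any' | 'host A' | 'A' | 'A WILDCARD'; extended lists (100-199) with
ip/tcp/udp/icmp, source and destination specs, 'eq PORT' (numeric) on the
destination, and 'established'. The network and packets are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address

ANY = (0, 0xFFFFFFFF)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    ack: bool = False      # TCP ACK bit
    rst: bool = False      # TCP RST bit

def _is_addr(token: str) -> bool:
    try:
        IPv4Address(token)
        return True
    except ValueError:
        return False

def _addr_spec(tok, i, wildcard_required):
    """Parse an address spec at tok[i]; return ((base, wildcard), next_i)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    base = int(IPv4Address(tok[i]))
    if wildcard_required or (i + 1 < len(tok) and _is_addr(tok[i + 1])):
        return (base, int(IPv4Address(tok[i + 1]))), i + 2
    return (base, 0), i + 1        # bare address in a standard list = host

def _matches(spec, addr: str) -> bool:
    """Wildcard semantics: a 1 bit in the mask means 'do not care'."""
    base, wild = spec
    return (int(IPv4Address(addr)) | wild) == (base | wild)

def parse_acl(text: str) -> list:
    """Return the entries of one numbered list in configuration order."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":          # blank or comment line
            continue
        if tok[0] != "access-list":
            raise ValueError(f"not an access-list entry: {line}")
        number, permit = int(tok[1]), tok[2] == "permit"
        rule = {"permit": permit, "proto": "ip", "dst": ANY,
                "dport": None, "established": False}
        if number < 100:                       # standard list: source only
            rule["src"], _ = _addr_spec(tok, 3, wildcard_required=False)
        else:                                  # extended list
            rule["proto"] = tok[3]
            rule["src"], i = _addr_spec(tok, 4, wildcard_required=True)
            rule["dst"], i = _addr_spec(tok, i, wildcard_required=True)
            while i < len(tok):
                if tok[i] == "eq":
                    rule["dport"], i = int(tok[i + 1]), i + 2
                elif tok[i] == "established":
                    rule["established"], i = True, i + 1
                else:
                    raise ValueError(f"unsupported keyword {tok[i]!r}: {line}")
        rules.append(rule)
    return rules

def evaluate(rules, pkt: Packet) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt.proto:
            continue
        if not (_matches(r["src"], pkt.src) and _matches(r["dst"], pkt.dst)):
            continue
        if r["dport"] is not None and r["dport"] != pkt.dport:
            continue
        # 'established' is not state: it only tests that ACK or RST is set,
        # which any sender can do, so it excludes the initial SYN and no more.
        if r["established"] and not (pkt.proto == "tcp" and (pkt.ack or pkt.rst)):
            continue
        return "permit" if r["permit"] else "deny"
    return "deny"

# Inbound filter for the ISP-facing interface, for an assumed internal
# network of 172.30.0.0/16 and a mail server at 172.30.1.25 (constructed).
INBOUND_MINIMUM = """\
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
! our own space arriving from outside is a spoof (already inside
! 172.16/12 above; listed explicitly so the intent is clear)
access-list 111 deny ip 172.30.0.0 0.0.255.255 any
! return traffic for connections opened from inside (stateless)
access-list 111 permit tcp any 172.30.0.0 0.0.255.255 established
access-list 111 permit tcp any host 172.30.1.25 eq 25
"""

def check_inbound(pkt: Packet) -> str:
    return evaluate(parse_acl(INBOUND_MINIMUM), pkt)
```

The last two assertions in the test below are the weakness the paragraph describes: a segment to an inside web server is denied when it is a SYN, but permitted the moment the sender sets the ACK bit, because established looks at flags, not at whether a connection exists.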
Next-generation access lists are reflexive access lists and CBAC
(Context Based Access Control). These additionally track sessions and,
in the case of CBAC, higher-layer protocol details. Reflexive access
lists are also called IP session filtering because they build a dynamic
return path from the session information of outbound traffic. Reflexive
access lists are part of the base Cisco IOS feature set starting in
IOS 11.3.
Reflexive List
ip access-list extended internet-out
! this is applied in the outbound direction, inspects the
! outbound traffic to build the state table
permit ip any any reflect dynamic-path
! "dynamic-path" is the access list with the return info
ip access-list extended internet-in
! this is applied in the inbound direction; it can also contain
! static (non-dynamic) openings, e.g. SMTP mail to 1.2.3.4
permit tcp any host 1.2.3.4 eq smtp
! open the temporary holes
evaluate dynamic-path
interface Serial 0/0
! apply your reflexive list to the outbound interface
description Access to the Internet via this interface
ip access-group internet-in in
ip access-group internet-out out
Reflexive lists keep all the flexibility of extended and standard
lists and overcome some of their weaknesses. One notable feature is that
they can allow outbound "ping" (and other ICMP) while disallowing
unsolicited inbound ICMP, because a reply is admitted only if the matching
request went out. The previous example allows all inside-initiated traffic
out (and its return traffic back in) and SMTP connections inbound to
1.2.3.4; everything else inbound falls through to the implicit deny.
Reflexive lists improve on standard and extended lists, but they only
track addresses and ports: they do not understand the application
protocol, so a protocol that negotiates a second connection (such as
active-mode FTP) is not handled.
CBAC works at the application layer. It inspects traffic that
passes through the router to discover and maintain state information
for TCP and UDP sessions, and uses that state to create temporary
openings in the interface access lists for return traffic as well as
for the additional data connections that permitted sessions negotiate
(active-mode FTP, for example). CBAC is part of the Cisco Secure
Integrated Software (CSIS, formerly the Cisco IOS Firewall feature set).
CBAC requires inspection rules to be defined, based on protocol type:
there are protocol-specific rules such as http and ftp, and generic
ones for TCP, UDP, and IP fragmentation. An ordinary access list is
applied to the interface, and CBAC manages the openings in it. In the
IOS versions covered here, CBAC inspects only TCP and UDP, so other IP
protocols and ICMP must be allowed through stateless entries around
CBAC. The sample router configuration supplied uses CBAC.
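The difference between a reflexive list and CBAC is easiest to see in a model. The following Python, added here and neither the article's Listing 1 nor Cisco's implementation, keeps a reflexive-style table of mirrored outbound flows and, optionally, an FTP inspector in the spirit of CBAC that parses the PORT command to pre-open the server's data connection. Hosts, ports and the FTP payload are constructed for the example.

```python
"""Model of session-based filtering, added as an illustration; it is not
the article's Listing 1 and not Cisco's implementation. A reflexive-style
table mirrors each outbound flow into a temporary inbound opening, and an
application-aware inspector in the spirit of CBAC reads the FTP control
channel and pre-opens the server-initiated data connection of active-mode
FTP. The inside client 172.30.1.20, the mail server 172.30.1.25, the
outside hosts and the FTP payload are all constructed for this example."""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class SessionFilter:
    # Permanent inbound holes, e.g. {("tcp", "172.30.1.25", 25)} for SMTP.
    static_inbound: set = field(default_factory=set)
    # Temporary openings: what the 'evaluate' entry of a reflexive list consults.
    openings: set = field(default_factory=set)
    # Application inspection of FTP control channels (CBAC-like behaviour).
    inspect_ftp: bool = False

    def outbound(self, flow: Flow, payload: bytes = b"") -> str:
        """Inside-initiated traffic goes out and its mirror image is opened:
        the effect of 'permit ip any any reflect NAME' on the outbound list."""
        self.openings.add(flow.reverse())
        if self.inspect_ftp and flow.proto == "tcp" and flow.dport == 21:
            self._inspect_ftp(flow, payload)
        return "permit"

    def _inspect_ftp(self, ctrl: Flow, payload: bytes) -> None:
        """Active FTP: the client tells the server where to connect back
        ('PORT h1,h2,h3,h4,p1,p2'). A reflexive list never sees that as a
        session; only an inspector that parses the command can open it."""
        m = re.match(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
        if not m:
            return
        n = [int(x) for x in m.groups()]
        data_host, data_port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
        if data_host != ctrl.src or not 1024 <= data_port <= 65535:
            return   # never open holes to third parties (FTP bounce abuse)
        self.openings.add(Flow("tcp", ctrl.dst, 20, data_host, data_port))

    def inbound(self, flow: Flow) -> str:
        """Static entries first (they precede 'evaluate' in the inbound list),
        then the temporary table, then the implicit deny."""
        if (flow.proto, flow.dst, flow.dport) in self.static_inbound:
            return "permit"
        return "permit" if flow in self.openings else "deny"


def active_ftp_scenario(inspect_ftp: bool) -> dict:
    """Inside client opens an FTP control channel and sends PORT; the server
    then connects back from port 20. Also exercises ICMP and unsolicited traffic."""
    fw = SessionFilter(static_inbound={("tcp", "172.30.1.25", 25)},
                       inspect_ftp=inspect_ftp)
    client, server, outsider = "172.30.1.20", "203.0.113.5", "198.51.100.9"
    ctrl = Flow("tcp", client, 40001, server, 21)
    fw.outbound(ctrl)                                        # SYN out
    result = {"ctrl_reply": fw.inbound(ctrl.reverse())}      # SYN-ACK back
    fw.outbound(ctrl, b"PORT 172,30,1,20,195,80\r\n")        # 195*256+80 = 50000
    result["data_conn"] = fw.inbound(Flow("tcp", server, 20, client, 50000))
    result["unsolicited"] = fw.inbound(Flow("tcp", outsider, 4444, client, 50000))
    result["smtp_in"] = fw.inbound(Flow("tcp", outsider, 4444, "172.30.1.25", 25))
    fw.outbound(Flow("icmp", client, 0, outsider, 0))        # ping out
    result["ping_reply"] = fw.inbound(Flow("icmp", outsider, 0, client, 0))
    result["ping_in"] = fw.inbound(Flow("icmp", "192.0.2.3", 0, client, 0))
    return result
```

With inspection off, the model behaves like the reflexive configuration above: the control channel's replies and the ping reply come back in, the static SMTP hole works, and unsolicited inbound traffic is denied, but so is the server's data connection. With inspection on, only the data connection the client actually asked for is opened, and a PORT command naming some other host is ignored.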
Using Access Lists to Filter Inbound Communication to the Router
Access lists can be used by the IOS to filter incoming and outgoing
connections directed to the router. Two of these connection types
are telnet directed to the router and SNMP directed to the
router. An access list can be applied directly to the telnet
and snmp processes to restrict traffic.
Inbound telnet example:
access-list 10 permit 172.30.0.0 0.0.255.255
! define access list to permit inside access
line vty 0 4
! configure the virtual telnet terminals
access-class 10 in
! apply the access list to the inbound telnet process
SNMP example:
! apply access list 10 for SNMP access; use RO unless write access is
! genuinely needed, and never leave the default community strings in place
snmp-server community my-community RW 10
Integrated IOS Intrusion Detection
CBAC is not the only component of the Cisco Secure Integrated Security
(CSIS) package. It also offers an intrusion detection system (IDS).
This IDS technology is taken from Cisco's dedicated IDS product
line (formerly called NetRanger). The IOS IDS utilizes a subset of
the dedicated IDS' attack signature profiles, using the most
common attacks seen. IDS inspects packets as they flow through the
router. This is a resource intensive process. Therefore, IDS is only
available on a subset of higher powered routers that run CSIS (2600,
3600, or 7x00 series routers). The inspection process of CBAC may
also impact network performance depending on amount and type of traffic.
IDS will also log to the router's logging buffer, but to use
and store this information externally requires either a CS IDS Director
or a UNIX syslog server. IDS should be monitored and tuned so that it
does not flag normal traffic as attacks. The system-logging buffer can
be viewed with the show logging command, and should be consulted when
external logging is not available.
Depending on the available router resources and traffic flow, IDS
may not inspect all traffic. IDS in the router is not foolproof, but
it can provide an additional layer to your security perimeter. The
sample configuration uses IDS in a freestanding mode, logging into
the system buffer.
Commented Working Router Configuration
The working configuration provided in Listing 1 is currently in use
on a home office router behind a cable modem that terminates in Ethernet.
It is a Cisco 2621 router running IOS Version 12.1(3)T (image:
C2600-JO3S56I-M). FastEthernet 0/0 is the external interface; it is
plugged into the cable modem with an Ethernet crossover cable.
FastEthernet 0/1 is the internal interface; it is plugged into the
home office Ethernet switch. The external interface has its MAC
address set to that of a PC network card, and obtains its address via
DHCP from the provider. The internal interface runs the DHCP server
service and provides addresses and configuration information to the
home office. A private (RFC 1918) address range is used inside. The
router performs dynamic NAT using the outside interface address as the
source address. CBAC and IDS are deployed to provide security. The
router also uses the "AAA" process (Authentication, Authorization,
and Accounting) to secure the console, the auxiliary serial port, and
telnet. AAA is more secure than defining passwords on each line because
it provides a uniform login method and per-user accounts rather than a
shared line password.
Conclusion
With the wide acceptance of Internet firewalls, as well as the
ubiquity of high speed networking options for SOHO installations,
external perimeter security is often ignored. Cisco routers, among the
most widely deployed routers, can be configured to significantly
increase network security.
References
Cisco Systems Documentation Homepage -- http://www.cisco.com/univercd/home/home.htm
Improving Security on Cisco Routers -- http://www.cisco.com/warp/public/707/21.html
Increasing Security on IP Networks -- http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
John Tiso is one of the founding employees of Networked Information
Systems, a Woburn, Massachusetts-based integrator of Cisco Systems
and Sun Microsystems. He has a BS degree from Adelphi University,
Garden City, NY. He is a Cisco Certified Internetwork Expert (CCIE
#5162) and also holds Sun Microsystems, Microsoft, and Novell certifications.
John also works part time as a technical editor and reviewer for
Cisco Press. He can be contacted at: johnt@jtiso.com.