Introduction
• Types of Routers
• Unnecessary Services
• Password Management
• Interactive Access
• IP Routing
• Warning Banners
• SNMP Security
• Logging Requirements
• General Requirements
• Router Threat Management
Types of Routers
• Boundary or edge routers
• Interior routers
• Backbone routers
• Aggregate routers or hub routers
• Aggregate routers and hub routers are used to combine a large number of connections into a smaller number of high-bandwidth connections.
• A boundary or edge router is a router that sits between networks belonging to different security domains.
• These routers require a higher level of security.
Unnecessary Services
• The TCP and UDP small services can be disabled with the commands:
no service tcp-small-servers
no service udp-small-servers
• Note: Small services are disabled by default in Cisco IOS 12.0 and later software.
• The CDP protocol can be disabled with the global configuration command:
no cdp run
• CDP can be disabled on a particular interface with:
no cdp enable
• HTTP access should be disabled on the router, especially on a boundary/edge router.
• Finger should be disabled on the router.
• The finger service can be disabled with the command:
no service finger
• The RSH and RCP services must be restricted by IP address.
• If the services are not needed, they must be disabled.
• These services can be disabled with the commands:
no ip rcmd rcp-enable
no ip rcmd rsh-enable
• Note: These services are disabled by default in Cisco IOS 12.0 and later.
Password Management
• The service password-encryption command should be enabled to provide minimum protection for configured passwords.
• As a global default, use the command:
service password-encryption
• Note: This command directs the IOS software to encrypt passwords, CHAP secrets, and similar data saved in its configuration file.
• The enable secret command is used to set the password granting privileged administrative access to the IOS system.
• All system installation, maintenance, and default passwords supplied by vendors must be changed.
• Passwords should follow the password complexity guidelines outlined in your company’s security policies.
Interactive Access
• tty console and auxiliary access should be controlled with both a user ID and password stored in a local file on the router.
• Note: All tty access should use either TACACS+ or a RADIUS server for authentication.
• Reverse telnet sessions to console and auxiliary tty lines should be disabled.
• Disable reverse telnet sessions on tty lines by using the command:
transport input none
• vty access to the router should be controlled by both a user ID and password when logging into the router.
• Note: All vty access should use either a TACACS+ or a RADIUS server for authentication.
• vty lines should be configured to accept connections only from those protocols actually needed.
• Use the transport input command to restrict the protocols accepted by the vty lines.
• Access to at least one vty line should be restricted to an IP or IP range to protect against Denial of Service attacks.
• The ip access-class command can be used to restrict the IP addresses.
• Timeouts should be configured on all vty lines, based on your company’s timeout policy.
• Use the exec-timeout command to configure timeouts on vty lines.
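The items in the Unnecessary Services, Password Management and Interactive Access sections can be checked mechanically against a saved running-config. The following Python audit is an added example, not part of the original slides: the sample configuration, the finding strings and the checks are assumptions made for this example, and the vty restriction is matched on the line-mode `access-class` syntax.

```python
import re
# Constructed sample running-config (not from any real router); it deliberately
# leaves several checklist items unaddressed so the audit has findings to report.
SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 $1$PLACEHOLDER$
cdp run
ip http server
ip source-route
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input ssh
 access-class 10 in
 exec-timeout 10 0
"""

# Global-config lines whose presence means a checklist item is not met.
GLOBAL_FINDINGS = [
    (r"^no service password-encryption$", "service password-encryption is off"),
    (r"^service (tcp|udp)-small-servers$", "small servers enabled"),
    (r"^cdp run$", "CDP enabled globally"),
    (r"^ip http server$", "HTTP server enabled"),
    (r"^(ip|service) finger$", "finger enabled"),
    (r"^ip rcmd (rsh|rcp)-enable$", "RSH/RCP enabled"),
    (r"^ip source-route$", "IP source routing enabled"),
]

def vty_blocks(config):
    # Map each `line vty ...` header to the indented sub-commands beneath it.
    pattern = r"^line (vty [^\n]*)\n((?: [^\n]*\n)*)"
    return {m.group(1): [c.strip() for c in m.group(2).splitlines()]
            for m in re.finditer(pattern, config, re.M)}

def audit(config):
    # Global findings first, then per-vty-line checks; sorted so output is stable.
    found = {text for pat, text in GLOBAL_FINDINGS if re.search(pat, config, re.M)}
    if not re.search(r"^enable secret ", config, re.M):
        found.add("no enable secret configured")
    vtys = vty_blocks(config)
    for name, cmds in vtys.items():
        if not any(c.startswith("exec-timeout") for c in cmds):
            found.add(f"line {name}: no exec-timeout")
        if not any(c.startswith("transport input") and "all" not in c for c in cmds):
            found.add(f"line {name}: transport input not restricted")
    if not any(c.startswith("access-class") for v in vtys.values() for c in v):
        found.add("no vty line restricted with access-class")
    return sorted(found)
```

Running `audit(SAMPLE_CONFIG)` lists the four global items left open in the sample plus the two vty 0 4 line problems; vty 5 15 passes because it carries an access-class, a timeout and a restricted transport input.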
IP Routing
• Routers should have IP source routing disabled.
• Disable IP source routing as a global default with the no ip source-route command.
• Use the no ip directed-broadcast command to prevent directed broadcasts that could “explode” into link-layer broadcasts.
• Note: Directed broadcasts are disabled by default in Cisco IOS 12.0 and later.
• Boundary/edge routers, in particular, should filter ICMP redirects.
• Use access lists to block ICMP redirects.
• Note: All boundary routers should block ICMP redirects to prevent Denial of Service attacks.
• If the router is Internet facing or a boundary/edge router, apply anti-spoofing access lists on all inbound Internet/external facing interfaces.
• Note: Anti-spoofing access lists should block inbound packets whose source address is:
  • Publicly owned internal address space
  • Any RFC1918 private address
  • The address of a router interface
  • 127.0.0.0 (loopback)
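As an added example (not from the original slides), the anti-spoofing filter described above is built in Python from one hypothetical edge router's addressing and rendered as an IOS numbered extended ACL. The internal public block, the router interface addresses, the ACL number and the sample inbound source addresses are all constructed for this example.

```python
import ipaddress

# Hypothetical addressing for one edge router (constructed for this example):
# the organization's publicly owned block and the router's own interface addresses.
INTERNAL_PUBLIC = ["203.0.113.0/24"]
ROUTER_INTERFACES = ["198.51.100.1", "203.0.113.1"]
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
LOOPBACK = ["127.0.0.0/8"]

def spoof_deny_list(internal_public, router_interfaces):
    # Source prefixes that must never arrive inbound on an external-facing interface.
    prefixes = (internal_public + RFC1918
                + [f"{a}/32" for a in router_interfaces] + LOOPBACK)
    return [ipaddress.ip_network(p) for p in prefixes]

def to_ios_acl(number, deny_list):
    # Render as an IOS numbered extended ACL. IOS wildcard masks are the inverted
    # netmask, which ipaddress exposes as .hostmask (0.0.0.0 for a /32 host).
    lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} any log"
             for n in deny_list]
    lines.append(f"access-list {number} permit ip any any")
    return lines

def is_spoofed(src, deny_list):
    # True when an inbound source address falls inside any denied prefix.
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in deny_list)

# Constructed sample of source addresses seen inbound on the Internet-facing interface.
SAMPLE_SOURCES = ["192.0.2.7", "198.51.100.2", "10.1.2.3",
                  "203.0.113.44", "198.51.100.1", "127.0.0.1"]

def classify(sources, deny_list):
    return {s: ("drop" if is_spoofed(s, deny_list) else "permit") for s in sources}

if __name__ == "__main__":
    deny = spoof_deny_list(INTERNAL_PUBLIC, ROUTER_INTERFACES)
    print("\n".join(to_ios_acl(101, deny)))
    for src, verdict in classify(SAMPLE_SOURCES, deny).items():
        print(f"{src:15} {verdict}")
```

The uplink neighbour 198.51.100.2 is permitted while the router's own 198.51.100.1 is dropped, which is why interface addresses are listed as /32 hosts rather than as the whole uplink subnet.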
Warning Banner
• Is the company’s warning banner displayed to anyone logging into the router?
• Note: Use the banner login command to configure the warning banner.
SNMP Security
• SNMP community strings should adhere to your company’s password complexity guidelines.
• The read-only community string should be different from the read/write community string.
• Note: If possible, periodic polling should be done with the read-only community string.
• The read/write community string should be reserved for write operations ONLY, while the read-only community strings should be reserved for read access.
• Access lists should be employed to restrict SNMP to the IP addresses of management stations only.
Logging Requirements
• System logging should be enabled and the information saved to both a local buffer and a syslog server.
• If using TACACS+ and/or RADIUS protocols, AAA logging should be enabled and saved to the RADIUS or TACACS+ server.
• If the router is using a real-time clock or is running NTP, all log entries should be time-stamped.
• To show time-stamps, use the command:
service timestamps log datetime localtime show-timezone
• All logging information should be retained for a minimum of 90 days, or for the time specified in your company’s policy.
• System logs must be protected from unauthorized access, and frequently reviewed for unusual or suspicious events.
General Requirements
• Establish a procedure to load appropriate IOS security patches, keeping the IOS level current.
• Physical access to the router and its components must be strictly controlled.
• Back-up and contingency processes for each router need to be documented and in place.
• There should be a method to receive and distribute vendor and other security advisories to the appropriate people in your company.
Router Threat Management
• Threat Warning – Inform technology SMEs of a newly identified threat.
• Threat Plan – Provide specific remediation information to SMEs.
• Alert – Send urgent threat information and remediation plans to all System Administrators.
• Critical T-0: Immediate risk. Patching must begin immediately.
• Critical T-7: Testing and installation of patches is expected on all impacted systems within 7 days.
• Important T-30: Patches are expected to be tested and installed within 30 days.
• Informational: General awareness threat issue.