Cisco AutosecureOctober 24, 2009
Cisco always attempts to make our lives easier, or at least sometimes.
When you setup your last CE router, did you make sure all the necessary security measure were setup? Is it protected against DOS attacks, stack or buffer overflows? Aare you logging the correct info in case someone tries to access your network?
Cisco, quite some time ago, wrote a macro command combining what they believe to be the necessary and recommended features that should be enabled on every CE router.
There are two main parts of this command:
- Securing the Forwarding Plane
- Securing the Management Plane
Just because this command could make your life easier, you should understand each action that is executed, or else you might disable or break a needed function.
Securing the Forwarding Plane
- CEF is enabled if not already enabled.
- TCP intercept feature is enabled if available.
- Strict uRPF, is enabled on internet facing interfaces – urpf discards IP packets that lack a verifiable IP source address.
- Prompted if you want to enable CBAC
Securing the Management Plane
Global Services that are Disabled:
- Finger – Provides Information about device.
- PAD – legacy use.
- TCP/UDP small servers – diagnostic port attacks could cause crash.
- Bootp Server – not commonly used.
- HTTP Server – rarely implemented.
- Identification Service – Protocol allowing ports to be queried.
- CDP – large amount of CDP packets could cause a crash.
- NTP – can be used by an attacker to send NTP packets to crash.
- Source Routing – used only for debugging purposes.
Global Services that are Enabled:
- #service password-encryption – simple encryption for config passwords.
- #service tcp-keepalives-in/out – Ensures that abnormally terminated TCP sessions are removed.
Per-Interface Services that are disabled:
- ICMP redirects – Not needed on correctly functioning networks.
- ICMP unreachables – Commonly used for DOS-attack.
- ICMP mask reply messages – Prevents router from responding with subnet mask.
- Proxy-Arp – are a known cause for DoS attacks, due to resource allocation.
- Directed Broadcast – Could be used for SMURF attacks.
- MOP service – provides direct access to lower layers for control functions.
Secure Access to the Router:
- Add a Banner – Recommended to use simple text banner with limited info.
- #transport input/output – Telnet and SSH are the only valid transport methods.
- #exec-timeout – On the Console and AUX port set to 10 Minutes.
- SNMP is disabled.
- Local username and password are configured.
- If using a crypto image – timeout & authentication-retries set for SSH.
- Sequence numbers and time stamps for all debug and log messages.
- Cisco IOS Login Enhancements is enabled.
- Logging console critical is enabled.
- Logging buffered is enabled and set recommended severity
- Logging trap debugging is enabled
The command syntax:
auto secure [management | forwarding] [no-interact | full]
- management – Only secure Management plane options
- forwarding – Only secure the forwarding plane options
You can see all the config that was applied with this command
show auto secure config