Using Cisco SDM and CLI Tools to Lock Down the Router
Cisco routers come with services enabled on them by default that make them great routers, but not necessarily great security devices. The reasons for these default services are various, but generally speaking, they are there more for historical reasons than anything else and would not likely be the defaults were these devices to be given a rethink in the context of current security knowledge. In this section, we quickly summarize some of these default services, their security risk in the context of the router’s responsibilities as a perimeter defense device, and (more importantly) what to do about it. As we will see, the router has a number of CLI and SDM tools that can first audit and secondly secure these vulnerabilities.
Router Services and Interface Vulnerabilities
The following is a list of general recommendations for router services and interfaces that are vulnerable to network attacks. They can be grouped into seven categories, as follows:
- Disable unnecessary services and interfaces.
- Disable commonly configured management services.
- Ensure path integrity.
- Disable probes and scans.
- Ensure terminal access security.
- Disable gratuitous and proxy ARP.
- Disable IP directed broadcasts.
Table 4.3 outlines Cisco’s recommendations for disabling vulnerable router services and interfaces.
A detailed explanation of the vulnerabilities presented by these features will not be attempted. What follows is a quick summary of the services and their respective vulnerabilities as well as security recommendations.
Disable Unnecessary Services and Interfaces
The following are Cisco’s recommendations for disabling unnecessary services and interfaces:
- Router Interfaces. Disabling unused router interfaces will limit unauthorized access to both the router and the network. Recommendation: Disable unused open router interfaces.
- Bootstrap Protocol (BOOTP). This service is enabled by default. It
allows other devices to obtain IP addresses and other configuration information automatically. Recommendation: This service is rarely needed and should be disabled.
- Cisco Discovery Protocol. Enabled by default. This protocol allows the router to discover information about directly connected neighbor Cisco devices.
Recommendation: This service is not required once a network has been constructed and tested. Disable.
- Configuration Autoloading. Disabled by default. It allows the autoloading of configuration files from a network server.
Recommendation: Disable unless needed.
- FTP Server. Disabled by default. Allows the router to act as an FTP server and serve files from flash memory to FTP clients.
Recommendation: Disable unless needed.
- TFTP Server. Disabled by default. Allows the router to act as a TFTP server and serve files from flash memory to TFTP clients.
Recommendation: Disable unless needed
- Network Time Protocol (NTP) Service. This protocol was discussed in the last section, as were recommendations for its use.
Recommendation: Disable unless needed.
- TCP and UDP Minor Services. These services are disabled by default in Cisco IOS Software Release 11.3 and later. They are small daemons that have a diagnostic purpose but are rarely needed.
Recommendation: Disable this service explicitly.
- Maintenance Operation Protocol (MOP) Service. Enabled by default on most Ethernet interfaces. It is a legacy Digital Electronic Corporation (DEC) maintenance protocol.
Recommendation: Disable this service explicitly when it is not in use.
Disable and Restrict Commonly Configured Management Services
The following are Cisco’s recommendations for disabling and restricting commonly configured management services:
- Simple Network Management Protocol (SNMP). Enabled by default. This protocol’s vulnerabilities (SNMP versions 1 and 2) were discussed in a previous section in this chapter. Recommendation: Disable this service when it is not required.
- HTTP or HTTPS Configuration and Monitoring. Default operation is device-dependent. Used for monitoring and configuring the device using a web browser and/or Cisco SDM.
Recommendation: Disable if not in use or restrict access using ACLs.
- Domain Name System (DNS). Enabled by default. Also by default, the DNS client broadcasts its request to destination IP address 255.255.255.255. This makes it vulnerable to spoofed responses, possibly leading to session-hijacking.
Recommendation: Disable if not required. If it is required, set the DNS lookup service with the unicast address of specific DNS servers.
Ensure Path Integrity
The following are Cisco’s recommendations for ensuring path integrity. Path integrity ensures that the path that data packets take through the network is not somehow redirected or otherwise compromised by an exploit:
- Internet Control Message Protocol (ICMP) redirects. Enabled by default. When a router receives an ICMP redirect on an interface, it is required to resend the packet out the same interface that it was received. If this is an Internet-facing interface, an attacker could use the resent information to redirect packets to an untrusted device, a classic session hijacking exploit.
Recommendation: Disable this service if it is not required.
- IP source routing. Enabled on interfaces by default. Routing is normally destination-based, but a IP host can indicate which path it would prefer to take through a network by specifying IP source-routing options in the IP packet header. Routers would be forced to honor this path. This can be exploited by an attacker as a carefully crafted attack that would take the attacker’s choice of path through an unprotected network rather than the best path indicated in the routing table.
Recommendation: Disable this service on all interfaces unless it is required.
Disable Probes and Scans
The following are Cisco’s recommendations for disabling probes and scans of the network and the router itself:
- Finger Service. Enabled by default. Finger service allows a reconnaissance of the router to determine a list of users currently using a particular device, among other information.
Recommendation: Disable this service if it is not required.
- ICMP Unreachable Notifications. Enabled by default. This service notifies users of unreachable IP hosts and networks. It can be used during a reconnaissance attack to map out a network’s topology because if the attacker doesn’t receive an ICMP unreachable notification in reply to an ICMP request, they can infer that the network is reachable.
Recommendation: An attacker can infer all they want! Turn off ICMP unreachable notifications on all interfaces facing untrusted networks unless they are required.
- ICMP Mask Reply. Disabled by default. Same general vulnerabilities as ICMP unreachables.
Recommendation: Turn off ICMP mask replies on all interfaces facing untrusted networks unless they are required.
Ensure Terminal Access Security
The following are Cisco’s recommendations for ensuring terminal access security. These recommendations will mitigate the possibility that an attacker can identify the device and launch certain DoS attacks against the device itself:
- IP Identification (IDENT) Service. Enabled by default. Useful in reconnaissance attacks. When TCP port 113 is probed, the identity of the device is obtained.
Recommendation: Disable explicitly.
- TCP Keepalives. Disabled by default. This service is a reaper service that polls TCP sessions to see if they are still active. If a response isn’t received, the connection is closed, thereby freeing up resources on the router and preventing certain DoS attacks.
Recommendation: Should be enabled globally.
Disable Gratuitous and Proxy Address Resolution Protocol (ARP)
The following are Cisco’s recommendations for disabling gratuitous and proxy address resolution protocol (ARP) messages.
- Gratuitous ARP (GARP). Enabled by default. It is commonly used in ARP poisoning attacks. It is gratuitous in that they are ARP replies that don’t match ARP requests. The intent is to fool IP hosts to cache these replies in their ARP tables so that the host will send packets to the attacker versus the legitimate hosts whose IP addresses and MAC addresses the attacker has spoofed. Recommendation: Should be disabled on each interface unless it is needed.
- Proxy ARP. Enabled by default. This service allows the router to reply to an ARP request by proxy with its own MAC address where an IP address resolves to a remote segment.
Recommendation: Should be disabled unless the router is acting as a layer 2 LAN bridge.
Disable IP Directed-broadcasts
This service is disabled by default in Cisco IOS Release 12.0 and later. IP directedbroadcasts are used in smurf and other related DoS attacks.
Recommendation: This service should be disabled if not required.
Performing a Security Audit
Now that we have identified the specific vulnerabilities that may be present on the router, we will perform a security audit of the router using the Cisco SDM, as well as some CLI tools.
The Cisco SDM Security Audit, shown in Figure 4.9, is based on the Cisco IOS AutoSecure feature (also accessible by the CLI, as we will see later), which is an automated, interactive script that checks for vulnerabilities and recommends how they might be remediated. As we will see, the Cisco SDM Security Audit has almost all the feature of the Cisco AutoSecure functions.
The Security Audit Wizard can be reached by choosing Configure->Security Audit from the Cisco SDM homepage. There are two modes of operation, as indicated in Figure 4.9:
- Security Audit Wizard. Once vulnerabilities are discovered, the wizard gives you a choice as to which vulnerabilities you want to secure. Press the Perform security audit button if you want this.
- One-Step Lockdown. This configures the router with a set of defined security features with recommended settings in one step and without further user interaction. Press the One-step lockdown button if you want this.
FIGURE 4.9 The Cisco SDM Security Audit homepage.
Cisco SDM Security Audit Wizard
In the last section, we identified the specific vulnerabilities that may be present on the router. Now we will use the Cisco SDM Security Audit Wizard to determine whether they are present and give us the option to remedy them. To perform a security audit, follow these steps from the Cisco SDM homepage:
- Choose Configure->Security Audit.NOTE
The figures in this series of steps are based on a Cisco 800 Series ISR whose inside inter face is Vlan1 and whose outside interface is FastEthernet4.
- Click the Perform Security Audit button. The Welcome Page of the Security Audit Wizard appears.
- Click Next to bring up the Security Audit Interface Configuration page as shown in Figure 4.10.
- Before the audit proceeds, the Security Audit Wizard needs to know which interfaces connect to the outside and which interfaces connect to the inside. Beside each interface listed, check the Inside or Outside check box. (This makes sense because some of the vulnerabilities listed previously depend on whether the interface is connected to a hostile network or not.)
- Click Next.The Security Audit report window appears, which runs an audit, finishing with an itemized report detailing the number, item name, and status of the potential vulnerabilities, as shown in Figure 4.11. A check mark will appear if the item has passed. An X will appear if the item has not passed.
FIGURE 4.11 Security Audit report window.
- If you want to save the report to a file, click Save Report.
- To continue with fixing the identified security issues, click Close.
- The Security Audit Wizard window appears, as shown in Figure 4.12. If you want to fix the security problems identified, you can either check the Fix it check box in the Action column beside each identified security problem you want to fix, or you can click the Fix All button, which checks all the boxes for you.
FIGURE 4.12 Security Audit Wizard window.If you want to undo security problems that have been identified as “Passed” in the Security Audit report window (refer to Step 5), you can choose Undo Security configurations in the Select an option dropdown list at the top of the Security Audit window. The resulting Security Audit Wizard window will allow you to check off Undo in the Action column beside each enabled security configuration you want to undo.NOTE
Interestingly, each security problem identified is a hyperlink that, if selected, will pop up a description of the problem from the SDM’s built-in context-sensitive help feature. This will help the administrator decide on a course of action for that specific vulnerability.
- Click Next.
- Depending on which security vulnerabilities you have chosen to fix, you might be asked to enter more information on the subsequent screens. Enter the required information and click Next as indicated until you arrive at the Summary screen.
- Click Finish to deliver the changes to the router.
Cisco SDM One-Step Lockdown
The Cisco one-step lockdown feature can be executed using either the Cisco SDM or the CLI command, auto secure. Complete the following steps to perform a one-step lockdown using the Cisco SDM, starting at the SDM homepage:
- Choose Configure->Security Audit->One-step lockdown.
- An SDM Warning dialog appears, as shown in Figure 4.13. Click Yes if you are sure you want to lock down the router. A one-step lockdown window appears with a check mark beside all the items that will be fixed.
FIGURE 4.13 Cisco SDM one-step lockdown.
- Click Deliver to deliver the configuration changes to the router.
- Click OK to exit back to the Security Audit window.
Using the Cisco AutoSecure Feature to Lock Down a Router
Cisco AutoSecure is a feature that is initiated from the CLI and executes a script, which first makes recommendations for fixing security vulnerabilities, and then modifies the security configuration of the router. The syntax of the command is as follows: auto secure [ no-interact] It can be executed in either of two modes:
- Interactive Mode. Prompts the user with recommendations for enabling and disabling specific services. This is the default mode. Use the auto-secure command with no options.
- Non-Interactive Mode. Automatically executes the Cisco AutoSecure command with Cisco’s recommended default settings. Use the auto secure no-interact form of the command.
Here is what the opening dialog looks like. This example is using the interactive mode:
—- AutoSecure Configuration —-
***AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
At any prompt you may enter ‘?’ for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp&tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configure NTP Authentication? [yes]: no
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 1 20
At the end of the AutoSecure interactive dialog, the recommended runningconfig with the changes to be applied is displayed. You are then asked: Apply this configuration to running-config? [yes]: yes
Once applied to the running-config, if you lose connectivity to the router or something stops working, you can always reboot the router because the changes will not have been saved to the startup-config. This sounds strange, but many security texts recommend this procedure. Essentially if you don’t know what a service does, turn it off. If something important stops working as a result, you now know what it does. Locking down a network device, despite the excellent features such as AutoSecure, is often a trial-and-error approach. You should consider testing these changes in a lab environment first, and only make changes on a production network when you are absolutely sure of what you are doing.
Caveats: Cisco AutoSecure Versus Cisco SDM Security Audit
There are some notable limitations and differences between Cisco AutoSecure and the Cisco SDM Security Audit:
- Cisco SDM does not implement the following Cisco AutoSecure features:
- Disabling NTP
- Configuring AAA
- Setting SPD values
- Enabling TCP intercepts
- Configuring anti-spoofing ACLs on outside-facing interfaces
- Cisco SDM implements some Cisco AutoSecure features differently:
- SNMP is disabled but will not configure SNMPv3 (varies with router).
- SSH is enabled and configured with Cisco IOS images that support this feature.
- Curiously, Secure Copy Protocol (SCP) is not enabled and unsecure FTP is.