0% found this document useful (0 votes)

217 views

(Ebook) - Computers - Networking - Security - Gov - SNACs Router Security Guide

This document is only a guide to recommended security settings for IP routers. It is not meant to replace well-designed policy or sound judgment. This document is current as of September, 2001.

Uploaded by

Ngo Tuan Anh

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

217 views

(Ebook) - Computers - Networking - Security - Gov - SNACs Router Security Guide

This document is only a guide to recommended security settings for IP routers. It is not meant to replace well-designed policy or sound judgment. This document is current as of September, 2001.

Uploaded by

Ngo Tuan Anh

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 248

UNCLASSIFIED

Report Number: C4-054R-00

Router Security Configuration Guide

Principles and guidance for secure configuration of IP routers, with detailed instructions for Cisco Systems routers

Router Security Guidance Activity of the System and Network Attack Center (SNAC)

Authors: Vanessa Antoine Patricia Bosmajian Daniel Duesterhaus Michael Dransfield Brian Eppinger James Houser Andrew Kim Phyllis Lee David Opitz Michael Wiacek Mark Wilson Neal Ziring

Updated: November 21, 2001 Version: 1.0j

National Security Agency 9800 Savage Rd. Suite 6704 Ft. Meade, MD 20755-6704 [email protected]

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Warnings
This document is only a guide to recommended security settings for Internet Protocol (IP) routers, particularly routers running Cisco Systems Internet Operating System (IOS) versions 11 and 12. It is not meant to replace well-designed policy or sound judgment. This guide does not address site-specific configuration issues. Care must be taken when implementing the security steps specified in this guide. Ensure that all security steps and procedures chosen from this guide are thoroughly tested and reviewed prior to imposing them on an operational network. This document is current as of September, 2001.

Acknowledgements
The authors would like to acknowledge Daniel Duesterhaus, author of the original NSA Cisco Router Security Configuration Guide, and the management and staff of the Applications and Architectures division for their patience and assistance with the development of this guide. Special thanks also go to Ray Bongiorni for his quality assurance and editorial work. Additional contributors to the development effort include Andrew Dorsett, Jennifer Dorrin, Charles Hall, Scott McKay, and Jeffrey Thomas.

Trademark Information
Cisco, IOS, and CiscoSecure are registered trademarks of Cisco Systems, Inc. in the U.S.A. and other countries. Windows 2000 is a registered trademark of Microsoft Corporation in the US.A. and other countries. All other names are trademarks or registered trademarks of their respective companies.

Revision History
1.0 1.0b 1.0d 1.0e 1.0f 1.0g 1.0h Sep 2000 Oct 2000 Dec 2000 Jan 2001 Mar 2001 Apr 2001 Aug 2001 First complete draft, extensive internal review. Revised after review by Ray Bongiorni Revised after additional testing, submitted for classification and pre-publication review. Polished format, cover page, fixed up grammar, etc. First release version. Second release version: fixed typos and errors, added references, passed second pre-pub review Third release version: incorporated external feedback, fixed typos. Fourth release version: incorporated more external feedback, added SSH section, fixed more typos, updated some links. Another QA review. Fifth release version; more external feedback, added some tools and polished some procedures.

1.0j

Nov 2001

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Contents

Contents
Preface 1. Introduction
1.1. 1.2. 1.3. 1.4.

5 7

The Roles of Routers in Modern Networks..................................................................... 7 Motivations for Providing Router Security Guidance ..................................................... 9 Typographic and Diagrammatic Conventions Used in this Guide ................................ 10 Structural Overview ...................................................................................................... 12

2. Background and Review

2.1. 2.2. 2.3. 2.4. 2.5. 2.6. 2.7.

Review of TCP/IP Networking...................................................................................... 15 TCP/IP and the OSI Model............................................................................................ 17 Review of IP Routing and IP Architectures .................................................................. 19 Basic Router Functional Architecture ........................................................................... 22 Review of Router-Relevant Protocols and Layers......................................................... 25 Quick Review of Attacks on Routers......................................................................... 27 References ..................................................................................................................... 28

3. Router Security Principles and Goals

3.1. 3.2. 3.3. 3.4. 3.5.

Protecting the Router Itself............................................................................................ 31 Protecting the Network with the Router ........................................................................ 32 Managing the Router ..................................................................................................... 36 Security Policy for Routers ........................................................................................... 38 References ..................................................................................................................... 43

4. Implementing Security on Cisco Routers

4.1. 4.2. 4.3. 4.4. 4.5. 4.6. 4.7.

Router Access Security.................................................................................................. 46 Router Network Service Security .................................................................................. 60 Access Lists and Filtering ............................................................................................. 72 Routing and Routing Protocols...................................................................................... 85 Audit and Management ............................................................................................... 106 Security for Router Network Access Services............................................................. 141 Collected References ................................................................................................... 161

5. Advanced Security Services

5.1. 5.2. 5.3. 5.4. 5.5.

163

Role of the Router in Inter-Network Security ............................................................. 163 IP Network Security .................................................................................................... 164 Using a Cisco Router as a Firewall ............................................................................. 186 Using SSH for Remote Administration Security......................................................... 195 References ................................................................................................................... 200

6. Testing and Security Validation

6.1. 6.2. 6.3.

203

Principles for Router Security Testing ........................................................................ 203 Testing Tools............................................................................................................... 203 Testing and Security Analysis Techniques.................................................................. 204

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

6.4.

References ................................................................................................................... 211

7. Future Issues in Router Security

7.1. 7.2. 7.3. 7.4. 7.5. 7.6. 7.7.

213

Routing and Switching ................................................................................................ 213 ATM and IP Routing ................................................................................................... 215 IPSec and Dynamic Virtual Private Networks............................................................. 216 Tunneling Protocols and Virtual Network Applications.............................................. 217 IP Quality of Service and RSVP.................................................................................. 218 Secure DNS ................................................................................................................. 219 References ................................................................................................................... 220

8. Appendices
8.1. 8.2. 8.3. 8.4.

223

Top Ways to Quickly Improve the Security of a Cisco Router ................................... 223 Application to Ethernet Switches and Related Non-Router Network Hardware ......... 229 Overview of Cisco IOS Versions and Releases........................................................... 232 Glossary of Router Security-related Terms ................................................................. 238

9. Additional Resources
9.1. 9.2. 9.3.

243

Bibliography ................................................................................................................ 243 Web Site References.................................................................................................... 245 Tool References........................................................................................................... 247

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Preface

Preface
Routers direct and control much of the data flowing across computer networks. This guide provides technical guidance intended to help network administrators and security officers improve the security of their networks. Using the information presented here, you can configure your routers to control access, resist attacks, shield other network components, and even protect the integrity and confidentiality of network traffic. This guide was developed in response to numerous questions and requests for assistance received by the NSA System and Network Attack Center (SNAC). The topics covered in the guide were selected on the basis of customer interest, and the SNACs background in securing networks. The goal for this guide is a simple one: improve the security provided by routers on US Department of Defense (DoD) operational networks.

Who Should Use This Guide

Network administrators and network security officers are the primary audience for this configuration guide, throughout the text the familiar pronoun you is used for guidance directed specifically to them. Most network administrators are responsible for managing the connections within their networks, and between their network and various other networks. Network security officers are usually responsible for selecting and deploying the assurance measures applied to their networks. For this audience, this guide provides security goals and guidance, along with specific examples of configuring Cisco routers to meet those goals. Firewall administrators are another intended audience for this guide. Often, firewalls are employed in conjunction with filtering routers; the overall perimeter security of an enclave benefits when the configurations of the firewall and router are complementary. While this guide does not discuss general firewall topics in any depth, it does provide information that firewall administrators need to configure their routers to actively support their perimeter security policies. Section 5 includes information on using the firewall features of the Cisco Integrated Security facility. Information System Security Engineers (ISSEs) may also find this guide useful. Using it, an ISSE can gain greater familiarity with security services that routers can provide, and use that knowledge to incorporate routers more effectively into the secure network configurations that they design. Sections 4, 5, and 6 of this guide are designed for use with routers made by Cisco Systems, and running Ciscos IOS software. The descriptions and examples in those sections were written with the assumption that the reader is familiar with basic Cisco router operations and command syntax.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Feedback
This guide was created by a team of individuals in the System and Network Attack Center (SNAC), which is part of the NSA Information Assurance Directorate. The editor was Neal Ziring. Comments and feedback about this guide may be directed to the SNAC (Attn: Neal Ziring), Suite 6704, National Security Agency, Ft. Meade, MD, 20755-6704, or via e-mail to [email protected].

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Introduction

1. Introduction
1.1. The Roles of Routers in Modern Networks
On a very small computer network, it is feasible to use simple broadcast or sequential mechanisms for moving data from point to point. An Ethernet local area network (LAN) is essentially a broadcast network. In larger, more complex computer networks, data must be directed specifically to the intended destination. Routers direct network data messages, or packets, based on internal addresses and tables of routes, or known destinations that serve certain addresses. Directing data between portions of a network is the primary purpose of a router. Most large computer networks use the TCP/IP protocol suite. See Section 2.3 for a quick review of TCP/IP and IP addressing. Figure 1-1, below, illustrates the primary function of a router in a small IP network.
LAN 1 190.20.2.0
User Host 190.20.2.12

Router 1

Wide Area Network

LAN 2 14.2.6.0

Router 2

LAN 3 14.2.9.0
File Server 14.2.9.10

Figure 1-1 A Simple Network with Two Routers

If the user host (top left) needs to send a message to the file server (bottom right), it simply creates a packet with address 14.2.9.10, and sends the packet over LAN 1 to its gateway, Router 1. Consulting its internal routing table, Router 1 forwards the packet to Router 2. Consulting its own routing table, Router 2 sends the packet over LAN 3 to the File Server. In practice, the operation of any large network depends on the routing tables in all of its constituent routers. Without robust routing, most modern networks cannot function. Therefore, the security of routers and their configuration settings is vital to network operation.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

In addition to directing packets, a router may be responsible for filtering traffic, allowing some data packets to pass and rejecting others. Filtering is a very important responsibility for routers; it allows them to protect computers and other network components from illegitimate or hostile traffic. For more information, consult Sections 3, 4, and 6.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Introduction

1.2. Motivations for Providing Router Security Guidance

Routers provide services that are essential to the correct, secure operation of the networks they serve. Compromise of a router can lead to various security problems on the network served by that router, or even other networks with which that router communicates. ! Compromise of a routers routing tables can result in reduced performance, denial of network communication services, and exposure of sensitive data. ! Compromise of a routers access control can result in exposure of network configuration details or denial of service, and can facilitate attacks against other network components. ! A poor router filtering configuration can reduce the overall security of an entire enclave, expose internal network components to scans and attacks, and make it easier for attackers to avoid detection. ! On the other hand, proper use of router cryptographic security features can help protect sensitive data, ensure data integrity, and facilitate secure cooperation between independent enclaves. In general, well-configured secure routers can greatly improve the overall security posture of a network. Security policy enforced at a router is difficult for negligent or malicious end-users to circumvent, thus avoiding a very serious potential source of security problems. There are substantial security resources available from router vendors. For example, Cisco offers extensive on-line documentation and printed books about the security features supported by their products. These books and papers are valuable, but they are not sufficient. Most vendor-supplied router security documents are focused on documenting all of the security features offered by the router, and do not always supply security rationale for selecting and applying those features. This guide attempts to provide security rationale and concrete security direction, with pertinent references at the end of each section identifying the most useful vendor documentation. This guide also provides pointers to related books, vendor documents, standards, and available software.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

1.3. Typographic and Diagrammatic Conventions Used in this Guide

To help make this guide more practical, most of the sections include extensive instructions and examples. The following typographic conventions are used as part of presenting the examples. ! Specific router and host commands are identified in the text using Courier bold typeface: to list the current routing table, use the command show ip route. Command arguments are shown in Courier italics: syntax for a simple IP access list rule is access-list number permit host address. ! Sequences of commands to be used in a configuration are shown separately from the text, using Courier typeface. The exclamation point begins a comment line, usually a remark about the line that follows it.
! set the log host IP address and buffer size logging 14.2.9.6 logging buffered 16000

! Transcripts of router sessions are shown separately from the text, using Courier typeface. Input in the transcript is distinguished from output, user input and comments are shown in Courier bold typeface. Elision of long output is denoted by two dots. In some cases, output that would be too wide to fit on the page is shown with some white space removed, to make it narrower.
Central> enable Password: Central# ! list interfaces in concise format Central# show ip interface brief Interface IP Address OK? Method Ethernet 0/0 14.2.15.250 YES NVRAM Ethernet 0/1 14.2.9.250 YES Manual . . Central# exit

! IP addresses will be shown in the text and in diagrams as A.B.C.D, or as A.B.C.D/N, where N is the number of set bits in the IP netmask. For example, 14.2.9.150/24 has a netmask of 255.255.255.0. (In general, this classless netmask notation will be used where a netmask is relevant. Otherwise, the bare address will be used.) ! Cisco IOS accepts the shortest unique, unambiguous abbreviation for any command or keyword. For commands that are typed very frequently, this guide uses the abbreviations commonly employed in the Cisco documentation and literature. For example, the interface name ethernet is commonly abbreviated eth and the command configure terminal is commonly abbreviated config t.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Introduction

Discussions of network structure and security frequently depend on network diagrams. This guide uses the following set of icons in all of its diagrams. This icon represents a router. Each line connected to a router icon represents a network interface on that router. Each router is presumed to have an administrative console line connection, which is not shown.

Router2

Computers on the network are represented with one of these two icons.
Workstation

Router Security Configuration Guide

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

2. Background and Review

This section reviews some background information about TCP/IP networking, router hardware architecture, router software architecture, and network security. In order to keep this section brief, it glosses over a lot of issues. To compensate for that briefness, the reference list at the end of the section includes a long list of other useful sources of background information. Readers with a good grasp of network and router fundamentals may want to skip this section, but since it is relatively brief, why not humor the author and read on.

2.1. Review of TCP/IP Networking

As mentioned in Section 1.1, on a small computer network, it is feasible to use simple broadcast or sequential (token) mechanisms for moving data from point to point. A local area network is composed of a relatively small number of hosts connected over a relatively small physical area. Relatively small is the important phrase here. To give some meaning to the term relatively, consider that a 10BaseT Ethernet (10 megabit per second using twisted pair cabling) has a usual maximum of 1024 stations over a maximum cable distance of 2500 meters. For instance a typical office LAN, using 100BaseT Ethernet, might have 100 computers (and printers) attached to a switch or set of hubs. An Ethernet local area network (LAN) is essentially a (logical) bus based broadcast network; though the physical implementation may use hubs (with a physical star topology). As one would expect, broadcast LANs must deal with collisions; either by preventing them or detecting them and taking appropriate action. Token based LANs avoid collisions by only allowing one host at time to transmit (the host that currently has the token may transmit). Standards that relate to LANs are primarily the IEEE 802.x series. For instance, 802.3 is the Media Access Control (MAC) standard for CSMA/CD (the Ethernet standard); while 802.5 is the MAC standard for Token Ring. Just above the MAC level is the Logical Link Control (802.2) standard and above that it the High Level Interface (802.1) standard. Within a LAN, addressing is done with a MAC address. Between LANs using TCP/IP addressing is done using IP addresses. If you are lost at this point, keep reading because much of this will be explained below. If you are still lost at the end of Section 2, then consider reading parts of some of the books and/or web pages listed at the end of the section.

2.1.1. Purpose of a Router

In larger, more complex computer networks, data must be directed more carefully. In almost all cases, large networks are actually composed of a collection of LANs that are interconnected or internetworked. This is where routers come in. Routers take

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

network data messages from a LAN and convert them into packets suitable for transmission beyond the LAN on a wide area network (WAN). The goal is almost always to get these packets to another LAN and ultimately to the correct host on that LAN. Part of the conversion process is to add a packet header. Other routers will generally only look at a packets header information, not at the contents or data in the packet. Routers also make decisions about where to send these packets, based on: the addresses contained within the packet headers and a table of routes maintained within the router. Updating these routing tables and forwarding data packets between portions of a network are one of the primary purposes of a router. Building packets and unwrapping packets are additional router functions performed by the first and last routers, respectively, that a message passes through. In addition to directing packets, a router may be responsible for filtering traffic, allowing some packets to pass through and rejecting others. Filtering can be a very important function of routers; it allows them to help protect computers and other network components. For more information about filtering, see Section 3 and Section 4. It is also possible that at the destination end a router may have to break large packets up to accommodate the size limits of the destination LAN. There is no reason that routers cannot be used to send messages between hosts (as shown in Figure 1-1) but more typically routers are used to connect LANs to each other or to connect a LAN to a WAN. Most large computer networks use the TCP/IP protocol suite. In some sense this is the lingua franca of the Internet. See Section 2.2 for a quick review of TCP/IP and IP addressing.

2.1.2. Routing Tables

As mentioned, one of tasks of a router is to maintain routing tables which are used to decide where a packet is to go and thus which interface it should be sent out. In the past these tables were built and updated by hand and this is referred to as static routing. In dynamic routing, the router learns about where various addresses are relative to itself and builds up routing tables based on this information. There are a number of schemes or routing protocols for routers to acquire and share routing table information. While a thorough treatment of the details is beyond the scope of this document, there is a brief discussion of routing protocols is in Section 4.4.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

2.2. TCP/IP and the OSI Model

2.2.1. Origin of TCP/IP
The Transmission Control Protocol (TCP) and Internet Protocol (IP) comprise what is often seen written as TCP/IP. The Defense Advanced Research Projects Agency (DARPA) originated TCP/IP. Note that the word Defense has been deleted and added back over time. ARPA and DARPA are one and the same organization. The National Science Foundation (NSF) also contributed to the foundation of the Internet by taking the DARPA technology and making it available to universities. As stated above, the Internet essentially runs on TCP/IP protocols. The definitive source for information on TCP/IP are the RFCs, or Request for Comments issued by the Internet Engineering Task Force as described in Section 2.7.3. Note that in addition to TCP/IP there are other protocols such as Novells IPX (Internetwork Packet eXchange) that can be used with routers. Also, some routers can be used to translate between different protocols running on either side of themselves.

2.2.2. The OSI Model

After TCP/IP was well-established and other networking protocols, such as DECnet and Novells IPX were operational, the International Standardization Organization (ISO) developed the Open Systems Interconnection (OSI) seven layer reference model. These seven layers are described in almost every reference, so in the interest of space they are merely enumerated here. Layer 7: Application Layer deals with services such as email and file transfer. Layer 6: Presentation Layer deals with formatting, encryption, and compression of data. Layer 5: Session Layer deals with setup and management of sessions between applications. Layer 4: Transport Layer deals with end to end error recovery and delivery of complete messages. Layer 3: Network Layer deals with transmission of packets and establishing connections. Layer 2: Data Link Layer deals with transmission of packets on one given physical link. Layer 1: Physical Layer deals with transmission of a bit stream and definition of physical link. Since the development of TCP/IP preceded the ISO OSI seven layer model, the mapping of TCP and IP to the seven layer model is only an approximation. See Figure 2-1, Network Layers and Standards, for a visual mapping of TCP/IP to the

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

OSI model. A collection of various compatible protocol layers is referred to as a stack.

Layer 7 6 5 4 3 2 1 ISO/OSI Model IEEE Standards TCP/IP Model

Application Presentation Session Transport Network Data Link Physical

802.1 802.2 802.3
(Ethernet)

Application

Transport Network Logical Link Control Media Access Control Physical

TCP or UDP IP Data link

Figure 2-1: Network Layers and Standards

Routing occurs at layer three, the Network Layer. To fully understand routing it is useful to appreciate some of what goes on beneath it at the Data Link Layer, and some of this is discussed in the following sections. However, the Physical Layer is at a level of detail well below the concerns of this document. It is concerned with the transmission of an unstructured bit stream over a physical link. This involves such details as signal voltage and duration; or optical signaling details for fiber. It also covers the mechanical aspects of connectors and cables. It may also cover some low level error control.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

2.3. Review of IP Routing and IP Architectures

If one is dealing only with a local area network (LAN), there is generally no need for routing, routers, TCP/IP, or IP addresses. Within a LAN everything will be handled by Media Access Control (MAC) addresses and by a LAN protocol such as Ethernet. At this level, most protocols are defined by Institute of Electrical and Electronics (IEEE) standards. For instance, IEEE 802.3 is the Ethernet (CSMA/CD) standard, 802.4 is token bus, and 802.5 is token ring. Above the MAC standards, but still within the OSI Data Link Layer, is the IEEE 802.2 Logical Link Control standard. The IEEE 802.1 High Level Interface standard corresponds to part of the OSI Network Layer. If this seems confusing, do not worry about it; its not essential to an understanding of routers. What is important to keep in mind is that MAC addresses are used within a LAN. Each device on the LAN will have a something like a network interface card (NIC) which has a unique MAC address. For example, on an Ethernet LAN each device has an appropriate Ethernet card, say 100BaseT. The MAC address is appended to the front of the data before it is placed on the LAN. Each device on the LAN listens for packets with its address. Once a message is destined to leave one LAN bound for a trip across a wide area network (WAN) to another LAN, it must use an IP address. While one can envision logical connections at various layers in a protocol stack, in reality bits can only move from one device to another at the Physical Layer. Thus, data begins at an application relatively high up in a protocol stack and works its way down the stack to the physical layer. At this point it is transferred to another device and works its way up the protocol stack at that point. How far up the stack it goes depends on whether that device is the ultimate recipient of the data or merely an intermediate device. Figure 2-2 illustrates this process. Note that the data may pass through many intermediate devices on its way from the sending host to the ultimate recipient.
Sending Host
Intermediate Network Infrastructure Devices

Receiving Host

Router 1

Router n

...
Figure 2-2: Moving Data through Protocol Stacks

On the way down the stack, each layer adds a relevant header to the packet. The header is named for the protocol layer that adds it. Each new header is added in front of all higher layer headers. At the network layer, the IP header added will contain the

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

destination IP address (in addition to other information). At the data link layer, also sometimes called the Media Access layer, a new header that contains a MAC address will be added in front of the IP header. On the way up the stack, a header will be removed at each layer. Figure 2-3 should help you visualize how headers are added.

Application Layer View

Application Data

Application Byte Stream

Transport Layer View

2.3.2. IP Addresses
Currently, IP addresses are 32 bits long. They are used by layer three devices such as routers. Unlike MAC addresses, IP addresses are hierarchical. There are four classes of IP addresses, referred to as: Class A, Class B, Class C, and Class D. In addition there a number of special addresses. Special addresses are used for such things as to broadcast to all hosts on a network or to specify a loopback packet which will never leave the host. The class determines how much of the 32 bit address is used to specify the network address and how much is used to specify the host within that network. The class is determined by the first one to four bits of the address. Any address beginning with a zero bit is a Class A address. Any address

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

beginning with bits 10 is a Class B address. Any address beginning with bits 110 is Class C, and any beginning with bits 1110 is class D. For any class, it is also possible to take the host portion of the address and further divide that range into two fields, which specify a subnet address and a host address respectively. This is done by specifying a parameter called a subnet mask. For a fuller discussion of subnetting see Albrittons book [1] or one of the other references listed in Section 2.7.1. There are also a set of IP addresses that are reserved for experimental or private networks; these addresses should not be used on the Internet or other wide-area networks (see Section 4.3). In addition to both source and destination addresses, there is a good bit of information in an IP header. It should be noted that the first 4 bits of an IP header contain a version number so new versions of the protocol can be implemented. Moreover the second 4 bits specify the length of the header. Thus it is quite feasible to introduce longer IP addresses. For a detailed explanation of TCP/IP packet header formats, see Stevens book [10].

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

2.4. Basic Router Functional Architecture

2.4.1. Why Have a Special Purpose Router?
What are some of the motivations for using a dedicated, purpose-built router rather than a general purpose machine with a standard operating system (OS)? What justifies this expense, and what justifies the bother of learning yet another system? The answer, in part, concerns performance: a special purpose router can have much higher performance than a general purpose computer with routing functionality tacked onto it. Also, one can potentially add more network connections to a machine designed for that purpose, because it can be designed to support more interface card slots. Thus, a special purpose device will probably be a lower cost solution for a given level of functionality. But there are also a number of security benefits to a special purpose router; in general, consolidating network routing and related functions on a dedicated devices restricts access and limits the exposure of those critical functions. For one thing, a specialized router operating system (like Ciscos Internetwork Operating System or IOS) can be smaller, better understood, and more thoroughly tested than a general purpose OS. (Note that for brevity, the term IOS will be used in this document to refer the routers operating system and associated software, but hardware other than Cisco would run similar software.) This means that it is potentially less vulnerable. Also, the mere fact that it is different means that an attacker has one more thing to learn, and that known vulnerabilities in other systems are of no help to the router attacker. Finally, specialized routing software enables a fuller and more robust implementation of filtering. Filtering is useful as a firewall technique, and can also be used to partition networks and prohibit or restrict access to certain networks or services. Using filtering, some routing protocols can prohibit the advertisement of routes to neighbors, thus helping protect certain parts of the network.

2.4.2. Description of Typical Router Hardware

A router is essentially just another computer. So, similar to any other computer, it has a central processor unit (CPU), various kinds of memory, and connections to other devices. Generally, a router does not have a hard disk, floppy drive, or CD-ROM drive. CPU speed and memory size are important considerations for both performance and capabilities (e.g. some Cisco IOS features require more than the default amount of memory, and sophisticated security services usually require substantial computation). There are typically a number of types of memory in a router possibly including: RAM, NVRAM, Flash, and ROM (PROM, EEPROM). These are listed roughly in order of volatility. The mix of types and the amount of each type are determined on the basis of: volatility, ease of reprogramming, cost, access speed, and other factors. ROM is used to store a routers bootstrap software. Non-volatile RAM (NVRAM) is used to store the startup configuration that the IOS reads when the router boots. Flash

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

memory stores the IOS (or other router OS), and if there is enough flash it may store more than one version of IOS. Figure 2-4 shows a simple representation of a notional routers hardware structure.

Network 0

Network 1

...

Network n

Interface 0

Interface 1

...

Interface n

Routing Fabric

CPU
Configuration

Router
Console

Figure 2-4: A Notional Routers Hardware

Interfaces provide the physical connections from a router to networks. Interface types include Ethernet, fast Ethernet, token ring, FDDI, low-speed serial, fast serial, HSSI, ISDN BRI, etc. Each interface is named and numbered. Interface cards fit into slots in a router, and an external cable of the appropriate type is connected to the card. In addition to a number of interfaces, almost all routers have a console port providing an asynchronous serial connection (RS-232). Also, most routers have an auxiliary port, which is frequently used for connecting a modem for router management. [These hardware ports should not be confused with the concept of network protocol port numbers, such as the well known port numbers associated with particular protocols and services, such as TCP port 23 being used for Telnet.]

2.4.3. Description of Typical Router Software

Similar to any other computer, a router will run a control program or operating system (OS). Each router vendor supplies their own router OS. In the case of Cisco routers, they run Ciscos Internetwork Operating System (IOS). It is the IOS that interprets the Access Control List (ACL) and other commands to the router. The startup or backup configuration is stored in NVRAM. It is executed when the router boots. As part of the boot process a copy of this configuration is loaded into RAM. Changes made to a running configuration are usually made only in RAM and

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

generally take effect immediately. If changes to a configuration are written to the startup configuration, then they will also take effect on reboot. Changes made only to the running configuration will be lost upon reboot. An operational router will have a large number of processes executing to support the services and protocols that the router must support. All routers support a variety of commands that display information about what processes are running and what resources, such as CPU time and memory, they are consuming. Unneeded services and facilities should be disabled to avoid wasting CPU and memory resources. Each router should have a unique name to identify it, and each interface should have a unique network address associated with it. Also, basic security settings should be established on any router before it is connected to an operational network. These kinds of considerations are discussed in more detail later in this guide.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Background and Review

2.5. Review of Router-Relevant Protocols and Layers

The following sections are not inclusive of all protocols that might be of interest but are representative. For more details see Section 4.4, Routing and Routing Protocols. The protocols are grouped according the OSI layer to which they correspond.

2.5.1. Physical Layer 1

As previously discussed, the physical layer is defined by IEEE standards or similar standards that define what are primarily physical and electrical characteristics.

2.5.2. Data Link Layer 2

The IEEE and other standards that apply at this layer have also been discussed previously.

2.5.3. Network Layer 3

IP the Internet Protocol (IP) provides a specification for packet formatting and an unreliable, connectionless, best effort delivery of those packets. ARP Hosts use the Address Resolution Protocol (ARP) to acquire the MAC address of other hosts.

2.5.4. Transport Layer 4

TCP the Transmission Control Protocol (TCP) is a connection-oriented, reliable protocol. Before transmitting data a connection must be established and after data transmission is complete the connection must be closed. UDP the User Datagram Protocol (UDP) is a connectionless, best effort protocol with no guarantee of delivery or confirmation of delivery. It has lower overhead than TCP. When we speak of TCP/IP we are usually implicitly including UDP. ICMP the Internet Control Message Protocol (ICMP) provides the mechanisms for hosts and routers to report network conditions and errors to other hosts and routers. (For example, the ping command relies on ICMP.) OSPF Open Shortest Path First is a relatively complex, fast-converging routing protocol. It is an interior gateway protocol that uses a link state routing algorithm and requires that a hierarchy of areas be designed. An area is a logical collection of routers and networks. RIP Routing Information Protocol is a dynamic routing protocol that allows routers to share network information with each other. It is a distance vector protocol that

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

allows routers to only share information with their nearest neighbors. It is used as an interior gateway protocol.

2.5.5. Session Layer 5, Presentation Layer 6, and Application Layer 7

These protocols are labeled (TCP) or (UDP) depending on which layer 5 protocol they are based upon. Telnet (TCP) Enables terminal oriented processes to communicate. FTP File Transfer Protocol (TCP) enables transfers of files between hosts. SMTP Simple Mail Transport Protocol (TCP) is pretty much self-explanatory. DNS Domain Name System (both TCP and UDP) performs naming resolution service by translating host names into IP addresses and vice versa. TFTP Trivial File Transfer Protocol (UDP) provides file transfers without any authentication or security. SNMP Simple Network Management Protocol (UDP) enables a management station to trap certain information messages from network devices.

[10] Stevens, W.R., TCP/IP Illustrated Volume 1, The Protocols, Prentice-Hall, 1994. For really deep, technical, bit-by-bit analysis of the TCP/IP protocols, this book is the best source. [11] Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. This book provides a valuable reference for all the basic operation and configuration features, with a great deal of background information, too.

2.7.2. Papers
[12] Internetworking Technology Overview, Cisco Systems, 1999. Available at:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/

[13] OSI Layer 3, Cisco Systems Brochure, Cisco Systems, 1997. Available at: http://www.cisco.com/warp/public/535/2.html [14] TCP/IP, Cisco Product Overview, Cisco Systems, 1997. Available at: http://www.cisco.com/warp/public/535/4.html

2.7.3. RFCs
RFC stands for Request for Comments. As the official documents of the Internet Engineering Task Force, these are the definitive sources for information about the protocols and architecture of the Internet. As standards documents, they are not always easy to read. All RFCs may be downloaded from http://www.ietf.org/rfc.html . [15] Postel, J., User Datagram Protocol (UDP), RFC 768, 1980. [16] Postel, J., Internet Protocol (IP), RFC 791, 1981. [17] Postel, J., Transmission Control Protocol (TCP), RFC 793, 1981. [18] Postel, J. and Braden, R., Requirements for Internet Gateways, RFC 1009, 1987. [19] Socolofsky, T. and Kale, C., A TCP/IP Tutorial, RFC 1180, 1991. [20] Malkin, G. and Parker T.L., Internet Users Glossary, RFC 1392, 1993.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Router Security Principles and Goals

3. Router Security Principles and Goals

Routers can play a role in securing networks. This section describes general principles for protecting a router itself, protecting a network with a router, and managing a router securely.

3.1. Protecting the Router Itself

3.1.1. Physical Security
There are a number of ways to provide physical security for a router. The room that contains the router should be free of electrostatic or magnetic interference. It should have controls for temperature and humidity. If deemed necessary for availability or criticality reasons, an uninterrupted power supply (UPS) should be installed and spare components and parts kept on hand. To aid in protecting against some denial of service attacks, and to allow it to support the widest range of security services, the router should be configured with the maximum amount of memory possible.* Also, the router should be placed in a locked room with access by only a small number of authorized personnel. Finally, physical devices (e.g., PC cards, modems) used to connect to the router require storage protection.

3.1.2.

Operating System
The operating system for the router is a crucial component. Decide what features the network needs, and use the feature list to select the version of the operating system. However, the very latest version of any operating system tends not to be the most reliable due to its limited exposure in a wide range of network environments. One should use the latest stable release of the operating system that meets the feature requirements. Section 3.3.2 discusses the management of updates to the operating system, and Sections 4 and 8 include information on Ciscos IOS operating system.

3.1.3.

Configuration Hardening
A router is similar to many computers in that it has many services enabled by default. Many of these services are unnecessary and may be used by an attacker for information gathering or for exploitation. All unnecessary services should be disabled in the router configuration. Section 3.3.2 discusses the management of updates to the router configuration.

Some readers might balk at this recommendation; you might feel that memory costs money and therefore a router should be purchased with the minimum amount of memory it needs to supports its task. This is a false savings. The incremental cost of extra memory is usually small compared to the total cost of a fully configured router, and the added performance and flexibility that the extra memory will provide is almost always worthwhile when amortized over the number of users and services that depend on the router for connectivity. Also, adding memory to an operational router requires taking that router out of service. In the Internet Service Provider community, for example, it is considered an industry best practice to equip every operational router with as much memory as it can hold.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

3.2. Protecting the Network with the Router

3.2.1. Roles in Perimeter Security and Security Policy
A router provides a capability to help secure the perimeter of a protected network. It can do this by itself. The diagram at right shows a typical topology with the router being the component that connects the protected network to the Internet.

Internet

Router

Local Network

A router can also be used as part of defense-in-depth approach as shown in the diagram below. It acts as the first line of defense and is known as a screening router. It contains a static route that passes all connections intended for the protected network to the firewall. The firewall provides additional access control over the content of the connections. It can also perform user authentication. This approach is recommended over using only a router because it offers more security.

Internet

Router
Firewall

Protected Network

Figure 3-1: Typical One-router Internet Connection Configuration

Another approach is to position one router at the connection between the local premises and the Internet, and then another router between the firewall and the protected network. This configuration offers two points at which policy can be enforced. It also offers an intermediate area, often called the de-militarized zone (DMZ) between the two routers. The DMZ is often used for servers that must be accessible from the Internet or other external network.

Internet

Router
Premises or Gateway router

Router
Firewall
Internal or Local net router

Protected Network

Sometimes, it is not possible to follow the strict security guideline discussed above. In that case, fall back to prohibiting services that are commonly not needed, or are known to be popular vehicles for security compromise. The following two tables present common services to restrict because they can be used to gather information about the protected network or they have weaknesses that can be exploited against the protected network. The first table lists those services that should be completely blocked at the router. Unless you have a specific operational need to support them, the protocols listed in Table 3-1 should not be allowed across the router in either direction.
Table 3-1: Services to Block Completely at the Router

Port (Transport) 1 (TCP & UDP) 7 (TCP & UDP) 9 (TCP & UDP) 11 (TCP) 13 (TCP & UDP) 15 (TCP) 19 (TCP & UDP) 37 (TCP & UDP) 43 (TCP) 67 (UDP) 69 (UDP) 93 (TCP) 111 (TCP & UDP) 135 (TCP & UDP) 137 (TCP & UDP) 138 (TCP & UDP) 139 (TCP & UDP) 177 (UDP)

Service tcpmux echo discard systat daytime netstat chargen time whois bootp tftp supdup sunrpc loc-srv netbios-ns netbios-dgm netbios-ssn xdmcp

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Router Security Principles and Goals

Port (Transport) 445 (TCP) 512 (TCP) 515 (TCP) 517 (UDP) 518 (UDP) 540 (TCP) 1900, 5000 (TCP & UDP) 2049 (UDP) 6000 - 6063 (TCP) 6667 (TCP) 12345 (TCP) 12346 (TCP) 31337 (TCP & UDP)

Service netbios (ds) rexec lpr talk ntalk uucp Microsoft UPnP SSDP nfs X Window System irc NetBus NetBus Back Orifice

Table 3-2 lists those services on the protected network or on the router itself that should not be accessible by external clients.
Table 3-2: Some Services to Block at the Router from External Clients

Port (Transport) 79 (TCP) 161 (TCP & UDP) 162 (TCP & UDP) 513 (TCP) 513 (UDP) 514 (TCP) 514 (UDP) 550 (TCP & UDP)

Service finger snmp snmp trap rlogin who rsh, rcp, rdist, rdump syslog new who

Router filters should also be used to protect against IP address spoofing. In most cases filtering rules should apply both ingress and egress filtering, including blocking reserved addresses.

Standard Ports and Protocols

Some organizations maintain a list of standard ports and protocols that should be allowed or supported on their networks. Various organization in the DOD maintain such lists, and the Defense Information System Agency (DISA) is attempting to manage the creation of a standard list for the entire DoD. For networks that are subject to such lists, it is best to take the first approach, allowing only those ports and protocols mandated by the standard list, and rejecting all others.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

3.3. Managing the Router

3.3.1. Access Mechanisms for Administrators
Determining access to the routers by administrators is an important issue. There are two types of access: local and remote. Local access usually involves a direct connection to a console port on the router with a dumb terminal or a laptop computer. Remote access typically involves allowing telnet or SNMP connections to the router from some computer on the same subnet or a different subnet. It is recommended to only allow local access because during remote access all telnet passwords or SNMP community strings are sent in the clear to the router. If an attacker can collect network traffic during remote access then he can capture passwords or community strings. However, there are some options if remote access is required. 1. Establish a dedicated management network. The management network should include only identified administration hosts and a spare interface on each router. Figure 3-3 shows an example of this.
LAN 1

Internet

Router
Firewall

Router
LAN 2

Management LAN

Administration Host

Logging Host

Figure 3-3: Using a Management LAN for Administration

2. Another method is to encrypt all traffic between the administrators computer and the router. In either case a packet filter can be configured to only allow the identified administration hosts access to the router. (Section 5.2 shows an example of setting up IPSec encryption with a Cisco router and Windows 2000, Section 5.4 shows how to set up a Cisco router to support SSH encryption.) In addition to how administrators access the router, there may be a need to have more than one level of administrator, or more than one administrative role. Define clearly the capabilities of each level or role in the router security policy. For example, one role might be network manager, and administrators authorized to assume that role may be able to view and modify the configuration settings and interface parameters. Another role might be operators, administrators authorized to assume that role might be authorized only to clear connections and counters. In general, it is best to keep the number of fully privileged administrators to a minimum.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Router Security Principles and Goals

3.3.2. Updating the Router

Periodically the router will require updates to be loaded for either the operating system or the configuration file. These updates are necessary for one or more of the following reasons: to fix known security vulnerabilities, to support new features that allow more advanced security policies or to improve performance. Before updating, the administrator should complete some checks. Determine the memory required for the update, and if necessary install additional memory. Set up and test file transfer capability between the administrators host and the router. Schedule the required downtime (usually after regular business hours) for the router to perform the update. After obtaining an update from the router vendor (and verifying its integrity), the administrator should follow procedures similar to the following. Shut down or disconnect the interfaces on the router. Back up the current operating system and the current configuration file to the administrators computer. Load the update for either the operating system or for the configuration file. Perform tests to confirm that the update works properly. If the tests are successful then restore or reconnect the interfaces on the router. If the tests are not successful then back out the update.

3.3.3. Logging
Logging on a router offers several benefits. Using the information in a log, the administrator can tell whether the router is working properly or whether it has been compromised. In some cases, it can show what types of probes or attacks are being attempted against the router or the protected network. Configuring logging on the router should be done carefully. Send the router logs to designated a log host, which is a dedicated computer whose only job is to store logs. The log host should be connected to a trusted or protected network, or an isolated and dedicated router interface. Harden the log host by removing all unnecessary services and accounts. Set the level of logging on the router to one that meets the needs of the security policy, and expect to modify the log settings as the network evolves. The logging level may need to be modified based on how much of the log information is useful. Two areas that should be logged are (1) matches to filter rules that deny access, and (2) changes to the router configuration. The most important thing to remember about logging is that logs must be reviewed regularly. By checking over the logs periodically, you can gain a feeling for the normal behavior of your network. A sound understanding of normal operation and its reflection in the logs will help you to identify abnormal or attack conditions. Accurate timestamps are important to logging. All routers are capable of maintaining their own time-of-day, but this is usually not sufficient. Instead, direct the router to at least two different reliable time servers to ensure accuracy and availability of time information. Direct the logging host to the reliable time servers. Include a timestamp in each log message. This will allow you to trace network attacks more credibly. Finally, consider also sending the logs to write-once media or a dedicated printer to deal with worst case scenarios (e.g. compromise of the log host).

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

3.4. Security Policy for Routers

Routers are an important part of a network, and their security is a vital part of the overall security for the networks they serve. What does it mean for a router to be secure? One simple way to define the security of a router is this: does the operation, configuration, and management of the router satisfy your security policy?

3.4.1. A Conceptual Basis for Router Security Policy

Figure 3, below, shows a layered view of the security of a router. The security of each layer depends on the security of the layers inside it.

Router Security Layers

Physical Integrity of the Router Core Static Configuration of the Router Dynamic Configuration and Status of the Router Network Traffic through the Router

Corresponding Access
# Physical access # Electrical access # Administrative access # Software updates # Routing protocols # Management protocols # Access to the networks that the router serves

Figure 3-4: Layered View of Router Security

The innermost zone is the physical security of the router. Any router can be compromised by an attacker with full physical access; therefore, physical access must be controlled to provide a solid foundation for the overall security of the router. Most routers offer one or more direct connections, usually called Console or Control ports; these ports usually provide special mechanisms for controlling the router. Router security policy should define rules for where and how these ports may be used. The next innermost zone of the diagram is the stored software and configuration state of the router itself. If an attacker can compromise either of these, particularly the stored configuration, then he will also gain control of the outer two layers. Some important aspects of the stored configuration are the interface addresses, the user names and passwords, and the access controls for direct access to the routers command interface. Security policy usually includes strict rules about access to this layer, in terms of both administrative roles and network mechanisms. The next outermost zone of the diagram is the dynamic configuration of the router. The route tables themselves are the most obvious part of this. Other pieces of

UNCLASSIFIED

Version 1.0j

3.4.4. Router Security Policy Checklist

The checklist below is designed as an aid for creating router security policy. After drafting a policy, step down the list and check that each item is addressed in your policy.

UNCLASSIFIED

4. Implementing Security on Cisco Routers

The diagram below shows a simple network configuration. The structures and addresses illustrated here are used for all of the examples in Sections 4, 5, and 6.

eth 0/0

14.2.0.20

Internet

7.12.1.20

Remote

Remote Network 7.0.0.0/8

North
(Perimeter router) eth 0/1

14.1.1.250/16
Authentication Server 14.2.6.18/24

eth 0

eth 1

East 14.1.1.2/16 Facility Network 14.1.0.0/16 14.1.1.20/16

net access

14.2.6.250/24

DNS Server
eth 0/0

modem

LAN 1 14.2.6.0/24
User Host 14.2.6.6/24

14.1.15.250/16

Central
eth 0/1

14.2.9.250/24 Telephone Network

Public Web Server 14.2.9.2/24

LAN 2 14.2.9.0/24
eth 0/0

14.2.9.64/24
Remote Host modem

South
User Host 14.2.9.6/24
eth 0/1

(firewall)

Admin Server 14.2.9.1/24

Mail Server 14.2.9.3/24

14.2.10.64/24

Protected Enclave 14.2.10.0/24

User Host 14.2.10.6/24

FTP & Web Server 14.2.10.2/24

Figure 4-1: Network Diagram for Examples

Figure 4-1 is simply a vehicle for presenting security guidance about routers, it is not a design for a secure network. However, this architecture accurately reflects the kinds of networks found in many organizations.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

4.1.2. Router Software Versions

Cisco issues new IOS versions and upgrades fairly frequently; making it an administrative nightmare to keep all the routers on a large network up to date. Newer versions of IOS fix bugs and vulnerabilities that existed in the older versions, and add new security features. Keep your IOS as up to date as is practical. A second problem is that the early versions of new IOS releases can be less robust than more mature, later versions (i.e. 12.0.1 was an early version of IOS Release 12, while 12.0.9 was a mature version of Release 12). A good approach to this problem is to maintain operational routers with recent, but not cutting-edge, Cisco IOS releases. This will allow others to find the bugs in the newer versions (and get them fixed). The recommended minimum IOS release is IOS 11.3. The recommended newest release would be the most recent GD version that is at least a month old (at the time of this writing, 12.0.12). To check your IOS version, log in and enter the command show version. For more details on IOS upgrades, see Sections 4.5 and 8.3.

4.1.3. Router Configuration and Commands (IOS)

After connecting to a router and initially logging in, the system is in user mode also known as EXEC mode. EXEC mode gives limited access to the command set of the router. Access to all the router commands, including the ability to change the configuration, is reserved for the privileged EXEC mode. Typing the enable command at an EXEC mode prompt will give access to the privileged EXEC mode. Privileged EXEC mode is sometimes called enable mode. There are several configuration modes on a Cisco router. To enter the global configuration mode (config) type the command configure terminal , commonly abbreviated config t. In the global configuration mode a wide variety of overall router features and settings can be changed: banners, authentication systems, access lists, logging, routing protocols, and much more. There are sub-modes which are used to configure specific settings for interfaces, lines, routing protocols, etc. The list below describes some of the sub-modes. ! interface (config-if) is used to configure aspects of a particular interface like FastEthernet0, Ethernet 0/1, or Vlan2. ! line (config-line) is used to set up the console port, auxiliary port and virtual terminal lines. ! access-list: There are two types of IP named access lists, extended (config-ext-n) and standard (config-std-n), which can be used instead of numbered lists. Access-list mode is used for building named access lists. ! route (config-route) is where specific parameters can be set and modified for a selected routing protocol. In addition to the standard authentication, authorization, and logging router functions, Cisco IOS 11.1 and later offer a comprehensive model for authentication, authorization, and accounting (AAA), the so-called new model. See Section 4.1.6 for a brief description and Section 4.6 for more details.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

4.1.4. Logins, Privileges, Passwords, and Accounts Logins

A login banner, which includes a legal notice, should be set up on each operational router.* Network architecture information and router configuration details should not be included in the banner message. Router model and location information should be included only if necessary. Be especially careful not to provide information in the banner message that should not be shared with the general public, or information that is not visible from unprivileged EXEC mode. To set the router's banner use the command: banner motd delimiter message delimiter The console (con) port is the default location for performing router management and configuration. It is okay to leave a connection to the console port attached all the time, but that terminal (or computer) should be standalone, and protected from unauthorized access. The connection to the console port should not be left logged in. Configure the console line to time out, so that if an administrator forgets to log out, the router will log him or her out automatically. Each authorized user should login using their own account (see Accounts sub-section, below). The example below shows how to set up the console line to enforce user login and a five-minute timeout.
Central# config t Enter configuration commands, one per line. Central(config)# line con 0 Central(config-line)# transport input none Central(config-line)# login local Central(config-line)# exec-timeout 5 0 Central(config-line)# end Central# End with CNTL/Z.

Note that, to enforce console login, as shown above, you must create at least one user account, otherwise you will be locked out of the console. If you do not already have users accounts set up, then create at least one before setting the console to use login local. The syntax for creating a local user is username name privilege level password string. The example below shows how to create an account with a password.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# username brian privilege 1 password g00d+pa55w0rd Central(config)# end Central#

A legal notice usually includes a no trespassing warning, and a statement that all use of the router must be authorized by the owning organization. A proper legal notice protects the ability of the owning organization to pursue legal remedies against an attacker. Consult your organizations legal staff or general counsel for suitable language to use in your legal notice.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

The auxiliary port, if at all possible, should be disabled. Router Central, in the sample network diagram (Figure 4-1), has no need for the aux port. The example below shows how to disable login on the auxiliary port (login to enable mode first):
Central# config t Enter configuration commands, one per line. Central(config)# line aux 0 Central(config-line)# transport input none Central(config-line)# login local Central(config-line)# exec-timeout 0 1 Central(config-line)# no exec Central(config-line)# end Central# End with CNTL/Z.

Section 4.1.5 discusses configuration of the auxiliary port if it is required for a modem. If the auxiliary port is required for a second local serial connection then configure it as shown below.
Central# config t Enter configuration commands, one per line. Central(config)# line aux 0 Central(config-line)# exec-timeout 5 0 Central(config-line)# login local Central(config-line)# transport input none Central(config-line)# exec Central(config-line)# end Central# End with CNTL/Z.

VTYs and Remote Administration

The primary mechanism for remote administration of Cisco routers is logging in via Telnet; these connections are called virtual terminal lines. Login on the virtual terminal lines should be disabled if remote administration is not absolutely necessary. Remote administration is inherently dangerous because anyone with a network sniffer on the right LAN segment can acquire the router passwords and would then be able to take control of the router. To disable network virtual terminal connections to the router, create an access list and apply it to the virtual terminal lines, or use the command transport input none, as shown in the example below. [Note: perform these commands only when connected to the aux or console port, do not perform them while logged into the router via Telnet.]
South# config t Enter configuration commands, one per line. South(config)# no access-list 90 South(config)# access-list 90 deny any log South(config)# line vty 0 4 South(config-line)# access-class 90 in South(config-line)# transport input none South(config-line)# login local South(config-line)# exec-timeout 0 1 South(config-line)# no exec South(config-line)# end South# End with CNTL/Z.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

If remote administration is necessary, see Section 4.1.5 for details on configuring remote administration, and Sections 5.2 and 5.4 for cryptographic mechanisms for protecting the remote administration connections. Most versions of IOS have five virtual terminals, numbered 0 through 4. Some IOS versions (including the versions designated Enterprise) may have 15, 64, or even more. It is important to know how many virtual terminals you have, and to explicitly configure all of them securely. If you do not know how many vtys your router supports, you can list them with the command show line vty as shown below.
South# show line vty 0 ? <1-935> Last Line range summary Quick line status summary | Output modifiers <cr> South# show line vty 0 935 Tty Typ Tx/Rx A Modem Roty AccO AccI 66 VTY 67 VTY 68 VTY 69 VTY 70 VTY 71 VTY 72 VTY South#

Uses Noise Overruns Int 0 0 0/0 0 0 0/0 0 0 0/0 0 0 0/0 0 0 0/0 0 0 0/0 0 0 0/0 -

The seven lines of output from the show line command indicate that the router South has seven virtual terminals, two more than the default complement of five. Normally, you would configure all of the vtys on the router identically. If the router has more vtys than you need, then disable the extra ones, or delete them with the configuration mode command no line vty. The transcript below shows how to delete the extra two vtys on the router South.
South# config t Enter configuration commands, one per line. End with CNTL/Z. South(config)# no line vty 5 South(config)# exit South# show line vty 0 935 Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int 66 VTY 0 0 0/0 67 VTY 0 0 0/0 68 VTY 0 0 0/0 69 VTY 0 0 0/0 70 VTY 0 0 0/0 South#

Privileges
Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. The Cisco IOS comes with 2 predefined user levels. User EXEC mode runs at privilege level 1

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

and enabled mode (privileged EXEC mode) runs at level 15. Every IOS command is pre-assigned to either level 1 or level 15. If the router is configured with aaa new-model then AAA can be used for user authorization (see Section 4.6 for more details). By default Cisco provides EXEC (level 1) with a few commands which may, in terms of security, make more sense being at a higher privilege level. The next example shows how to move the commands to the privileged mode, which in most configurations should be protected better.
Central(config)# Central(config)# Central(config)# Central(config)# Central(config)# Central(config)# Central(config)# privilege privilege privilege privilege privilege privilege privilege exec exec exec exec exec exec exec level level level level level level level 15 connect 15 telnet 15 rlogin 15 show ip access-lists 15 show access-lists 15 show logging 1 show ip

The last line is required to move the show command back down to level 1. For example, a site might want to set up more than the two levels of administrative access on their routers. This could be done by assigning a password to an intermediate level, like 5 or 10, and then assigning particular commands to that privilege level. Deciding which commands to assign to an intermediate privilege level is beyond the scope of this document. But, if an attempt was made to do something like this there are a few things to be very careful about. First, do not use the username command to set up accounts above level 1, use the enable secret command to set a level password instead (see next sub-section). Second, be very careful about moving too much access down from level 15, this could cause unexpected security holes in the system. Third, be very careful about moving any part of the configure command down, once a user has write access they could leverage this to acquire greater access.

Passwords
There are two password protection schemes in Cisco IOS. Type 7 uses the Ciscodefined encryption algorithm which is known to the commercial security community to be weak. Type 5 uses an MD5 hash which is much stronger. Cisco recommends that Type 5 encryption be used instead of Type 7 where possible (see Configuring Passwords and Privileges in the Cisco IOS Security Configuration Guide). Type 7 encryption is used by the enable password, username, and line password commands. ! To protect the privileged EXEC level as much as possible, do not use the enable password command, only use the enable secret command. Even if the enable secret is set do not set the enable password, it will not be used and may give away a system password.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

South# config t Enter configuration commands, one per line. CNTL/Z. South(config)# enable secret 2-mAny-rOUtEs South(config)# no enable password South(config)# end South#

End with

! Because it is not possible to use Type 5 encryption on the default EXEC login or the username command, no user account should be created above privilege level 1. But user accounts should be created for auditing purposes (see Accounts, below). So the username command should be used to create individual user accounts at the EXEC level and then the higher privilege levels should be protected with enable secret passwords. Then users with a need to work at higher levels would be given the higher privilege level password. ! If the login command is used to protect a line then the line password command is the only way to set a password on a line. But if the login local command is used to protect a line then the specified user name/password pair is used. For access and logging reasons the login local method should be used. In addition to the above password access mechanisms, AAA mechanisms may be used to authenticate, authorize, and audit users (see Section 4.6 for details). Good security practice dictates some other rules for passwords. Some of the more important rules are provided in the following list (assuming login local is used on all the lines): ! The privileged EXEC secret password should not match any other user password or any other enable secret password. ! Enable service password-encryption; this will keep passersby from reading your passwords when they are displayed on your screen. ! Be aware that there are some secret values that service passwordencryption does not protect. Never set any of these secret values to the same string as any other password. ! SNMP community strings - for more information about SNMP security see Section 4.5.3. ! RADIUS keys ! TACACS+ keys ! Avoid dictionary words, names, or dates. ! Always include at least one of each of the following: lowercase letters, uppercase letters, digits, and special characters.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

! Make all passwords at least eight characters long. ! Avoid more than 4 digits or same-case letters in a row. See [4] for more detailed guidance on selecting good passwords. Note: enable secret and username passwords may be up to 25 characters long including spaces.

Accounts
First, give each administrator their own login user name for the router. When an administrator logs in with a user name and changes the configuration, the log message that is generated will include the name of the login account which was used. The login accounts created with the username command should be assigned privilege level 1 (see Passwords, above). In addition, do not create any user accounts without passwords! When an administrator no longer needs access to the router, remove their account. The example below shows how to create local user accounts for users named rsmith and bjones, and remove the local user named brian.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# username rsmith password 3d-zirc0nia Central(config)# username rsmith privilege 1 Central(config)# username bjones password 2B-or-3B Central(config)# username bjones privilege 1 Central(config)# no username brian Central(config)# end Central#

Only allow accounts that are required on the router and minimize the number of users with access to configuration mode on the router. See Section 4.6, which describes AAA, for a preferred user account mechanism.

4.1.5. Remote Access

This document will discuss five connection schemes which can be used for router administration. 1. No Remote administration is performed on the console only. 2. Remote Internal only with AAA administration can be performed on the router from a trusted internal network only, and AAA is used for access control. 3. Remote Internal only administration can be performed on the router from the internal network only. 4. Remote External with AAA administration can be performed with both internal and external connections and uses AAA for access control.

UNCLASSIFIED

router administrators should be given access to the files. Second, if you set passwords in an offline configuration file, then they will be stored in the clear and transferred in the clear. Instead, it is best to type the passwords while on-line (using the console) and then copy the encrypted strings to the offline configuration. This is especially true for the enable secret password. Third, with the configuration files offline the files must be transferred to the router in the relatively secure method. The possible methods for transferring files to a router have increased with newer IOS releases. The primary mechanisms available are the console terminal, telnet, tftp, rcp, and ftp (available for IOS 12.0 and newer). The example below shows how an encrypted enable secret setting would appear in an off-line configuration file. You can obtain the encrypted string by setting the password manually on the router console, then displaying the running configuration, and then copying and pasting the encrypted string into your offline configuration file.
! set the enable secret password using MD5 encryption enable secret 5 $1$fIFcs$D.lgcsUnsgtLaWgskteq.8

Local and Remote Administration

Section 4.1.3 recommends performing local administration. In this case, using the terminal is the best choice for loading a new configuration. The configuration files would be stored on the computer attached to the console and the local machines copy/paste buffer can be used for transferring the configuration to the router. Only a few lines should be copied at a time so it can be determined that the entire configuration file is transferred successfully. [Note: the default Windows NT 4.0 serial communication program, Hyperterminal, performs copy/paste very slowly. On Windows NT and 2000, use a better communication program, such as TeraTerm Pro, if you have one available. On Linux, the minicom program is suitable for Cisco local console access. On Solaris, the tip command can be used.] If remote administration is being allowed and the router is running an IOS older than version 12.0 then using the console connection or a telnet connection is the best choice for administration. The file would again be transferred using the host systems copy/paste buffer to move the information from a file editor to the terminal emulation. If remote administration is allowed and the IOS is newer then version 12.0 then the FTP protocol may be used to transfer the configuration files to and from the router. The following example shows how to save the startup configuration to a file (for emergencies only, not recommended between IOS versions).
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ip ftp username nsmith Central(config)# ip ftp password 1pace-4ward Central(config)# exit Central# copy startup-config ftp: Address or name of remote host []? 14.2.9.1

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Destination filename [startup-config]? /cisco/central/startupconfig Writing startup-config !! 5516 bytes copied in 12.352 secs (459 bytes/sec) Central#

The next example demonstrates how to load a new configuration to the startup configuration. Before loading a configuration this way make sure that all the configurations in the NVRAM have been saved.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ip ftp username nsmith Central(config)# ip ftp password 1pace-4ward Central(config)# exit Central# copy /erase ftp: startup-config Address or name of remote host []? 14.2.9.1 Source filename []? /cisco/central/startup-config Destination filename [startup-config]? Accessing ftp://14.2.9.1/cisco/central/startup-config... Erasing the nvram filesystem will remove all files! Continue? [confirm] [OK] Erase of nvram: complete Loading /cisco/central/startup-config ! central-startup-config ! [OK - 5516/1024 bytes] [OK] 5516 bytes copied in 4.364 secs Central#

The other protocols, such as rcp and tftp, are less secure than FTP and should not be used for loading or saving router configurations. See Section 4.5.5 for details on using tftp if required.

4.1.8. References
[1] Cisco IOS Release 12.0 Security Configuration Guide, Cisco Press, 1999. This is the reference manual and guide for major security features in IOS 12.0. Sections particularly relevant to Router Access Security include: Security Overview, Configuring Passwords and Privileges, and Traffic Filtering and Firewalls. [2] Buckley, A. ed. Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. This is the reference manual and guide for basic configuration tasks in IOS 12.0. Sections particularly relevant to Router Access Security include: IOS User Interfaces and File Management. [3] Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999. An excellent introduction to basic usage and configuration of IOS routers.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

[4] Password Usage Federal Information Processing Standard Publication 112, National Institute of Standards and Technology, 1985. This federal standard includes some good guidelines on choosing passwords that are difficult to guess. [5] Cisco ISP Essentials, version 2.9, Cisco Systems, June 2001. available under: http://www.cisco.com/public/cons/isp/documents This detailed guide for Internet Service Providers includes good advice and discussion about router access and VTYs. [6] Cisco IOS Dial Services Configuration Guide, Cisco Press, 2000. This is the reference manual and guide for serial line, modem, and dial-in features in IOS 12.0. It includes information about configuring logins, vtys, and more.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

4.2. Router Network Service Security

Cisco routers support a large number of network services at layers 2, 3, 4, and 7, Some of these services can be restricted or disabled, improving security without degrading the operational use of the router. Some of these services are application layer protocols that allow users and host processes to connect to the router. Others are automatic processes and settings intended to support legacy or specialized configurations but which are detrimental to security. As stated in Section 3, general security practice for routers should be to support only traffic and protocols the network needs; most of the services listed below are not needed. Turning off a network service on the router itself does not prevent it from supporting a network where that protocol is employed. For example, a router may support a network where the bootp protocol is employed, but some other host is acting as the bootp server. In this case, the routers bootp server should be disabled. In many cases, Cisco IOS supports turning a service off entirely, or restricting access to particular network segments or sets of hosts. If a particular portion of a network needs a service but the rest does not, then the restriction features should be employed to limit the scope of the service. Turning off an automatic network feature usually prevents a certain kind of network traffic from being processed by the router or prevents it from traversing the router. For example, IP source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is required for the network to operate, IP source routing should be disabled.

4.2.1. Typical Services, Required Services, and Security Risks

The table below lists some of the services offered on Cisco IOS 11.2, 11.3, and 12.0. This list has been kept short by including only those services and features that are security-relevant and may need to be disabled.
Table 4-1: Overview of IOS Features to Disable or Restrict Feature Cisco Discovery Protocol (CDP) TCP small servers UDP small servers Finger Description Proprietary layer 2 protocol between Cisco devices. Standard TCP network services: echo, chargen, etc. Standard UDP network services: echo, discard, etc. Unix user lookup service, allows remote listing of users. Default Enabled 11.3: disabled 11.2: enabled 11.3: disabled 11.2: enabled Enabled Recommendation CDP is almost never needed, disable it. This is a legacy feature, disable it explicitly. This is a legacy feature, disable it explicitly. Unauthorized persons dont need to know this, disable it.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Feature HTTP server

Description Some Cisco IOS devices offer web-based configuration. Service to allow other routers to boot from this one. Router will attempt to load its configuration via TFTP. IP feature that allows packets to specify their own routes. Router will act as a proxy for layer 2 address resolution. Packets can identify a target LAN for broadcasts. Router will forward packets with no concrete route. Router will explicitly notify senders of incorrect IP addresses. Router will send an interfaces IP address mask in response to an ICMP mask request. Router will send an ICMP redirect message in response to certain routed IP packets. Router can act as a time server for other devices and hosts. Routers can support SNMP remote query and configuration. Routers can perform DNS name resolution.

Default Varies by device Enabled

Recommendation If not in use, explicitly disable, otherwise restrict access. This is rarely needed and may open a security hole, disable it. This is rarely used, disable it if it is not in use. This rarely-used feature can be helpful in attacks, disable it. Disable this service unless the router is serving as a LAN bridge. Directed broadcast can be used for attacks, disable it. Certain attacks can benefit from this: disable it unless your net requires it. Can aid network mapping, disable on interfaces to untrusted networks. Can aid IP address mapping; explicitly disable on interfaces to untrusted networks. Can aid network mapping, disable on interfaces to untrusted networks. If not in use, explicitly disable, otherwise restrict access. If not in use, explicitly disable, otherwise restrict access. Set the DNS server address explicitly, or disable DNS.

Bootp server

Configuration auto-loading IP source routing

Disabled Enabled

Proxy ARP

Enabled

IP directed broadcast Classless routing behavior IP unreachable notifications IP mask reply

Enabled
(11.3 & earlier)

Enabled

Disabled

IP redirects

Enabled

NTP service

Enabled (if NTP is

configured)

Simple Network Mgmt. Protocol Domain Name Service

Enabled

Enabled (broadcast)

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

4.2.2. How to Disable Unneeded Features and Services

Each sub-section below describes how to disable or restrict particular services and features under Cisco IOS 11.3 and 12.0.

CDP
The Cisco Discovery Protocol is a proprietary protocol that Cisco routers use to identify each other on a LAN segment. It is useful only in specialized situations, and is considered deleterious to security. To turn off CDP entirely, use the commands shown below in global configuration mode.
Central# config t Enter configuration commands, one per line. Central(config)# no cdp run Central(config)# exit Central# show cdp % CDP is not enabled Central# End with CNTL/Z.

In the unlikely event that CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP use the cdp run command in global configuration mode, and then disable it on each interface where it is not needed using the no cdp enable command in interface configuration mode.

TCP and UDP Small Servers

The TCP and UDP protocol standards include a recommended list of simple services that hosts should provide. In virtually all cases, it is not necessary for routers to support these services, and they should be disabled. The example below shows how to test whether the TCP small servers are running, and how to disable the TCP and UDP small servers.
Central# ! if connect success, then tcp-small-servers are running Central# connect 14.2.9.250 daytime Trying 14.2.9.250, 13 ... Open Monday, April 3, 2000 11:48:39-EDT [Connection to 14.2.9.250 closed by foreign host] Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# no service tcp-small-servers Central(config)# no service udp-small-servers Central(config)# exit Central# connect 14.2.9.250 daytime Trying 14.2.9.250, 13 ... % Connection refused by remote host Central#

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Finger Server
The IOS finger server supports the Unix finger protocol, which is used for querying a host about its logged in users. On a Cisco router, the show users command may be used to list the logged in users. Typically, users who are not authorized to log in to the router have no need to know who is logged in. The example below shows how to test and disable the finger server.
Central# connect 14.2.9.250 finger Trying 14.2.9.250, 79 ... Open Welcome to the CENTRAL router. Line User Host(s) Idle Location 130 vty 0 14.2.9.6 00:00:00 goldfish *131 vty 1 idle 00:00:00 central [Connection to 14.2.9.250 closed by foreign host] Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# no ip finger Central(config)# no service finger Central(config)# exit Central# connect 14.2.9.250 finger Trying 14.2.9.250, 79 ... % Connection refused by remote host Central#

HTTP Server
Newer Cisco IOS releases support web-based remote administration using the HTTP protocol. While the web access features are fairly rudimentary on most Cisco router IOS releases, they are a viable mechanism for monitoring, configuring, and attacking a router. If web-based remote administration is not needed, then it should be disabled as shown below.
Central# config t Enter configuration commands, one per line. CNTL/Z. Central(config)# no ip http server Central(config)# exit Central# connect 14.2.9.250 www Trying 14.2.9.250, 80 ... % Connection refused by remote host Central# End with

Web-based remote administration is useful primarily when intervening routers or firewalls prevent use of Telnet for that purpose. However, it is important to note that both Telnet and web-based remote administration reveal critical passwords in the clear. Further, web-based administration imposes the requirement that users log in at full (level 15) privilege. Therefore, web-based remote administration should be

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

avoided. If web-based administration is examined and found necessary for network operations, then its use should be restricted as follows. ! Set up usernames and passwords for all administrators, as discussed in Section 4.1. The routers web server will use HTTP basic authentication to demand a username and password (unfortunately, Cisco IOS does not yet support the superior HTTP digest authentication standard). If possible, use AAA user access control as described in Section 4.6; AAA will give more control and better audit. ! Create and apply an IP access list to limit access to the web server. Access lists are described in Section 4.3. ! Configure and enable syslog logging as described in Section 4.5.2. The example below illustrates each of these points. Administrators will be allowed to connect from the 14.2.9.0 network and the host 14.2.6.18 only.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ! Add web admin users, then turn on http auth Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0 Central(config)# ip http auth local Central(config)# ! Create an IP access list for web access Central(config)# no access-list 29 Central(config)# access-list 29 permit host 14.2.6.18 Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255 Central(config)# access-list 29 deny any Central(config)# ! Apply the access list then start the server Central(config)# ip http access-class 29 Central(config)# ip http server Central(config)# exit Central#

If possible, protect the HTTP traffic by setting up IPSec, as described in Section 5.2.

Bootp Server
Bootp is a datagram protocol that is used by some hosts to load their operating system over the network. Cisco routers are capable of acting as bootp servers, primarily for other Cisco hardware. This facility is intended to support a deployment strategy where one Cisco router acts as the central repository of IOS software for a collection of such routers. In practice, bootp is very rarely used, and offers an attacker the ability to download a copy of a routers IOS software. To disable bootp service, use the commands shown below.
Central# config t Enter configuration commands, one per line. Central(config)# no ip bootp server Central(config)# exit

End with CNTL/Z.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Configuration Auto-Loading
Cisco routers are capable of loading their startup configuration from local memory or from the network. Loading from the network is not secure, and should be considered only on a network that is wholly trusted (e.g. a standalone lab network). Explicitly disable loading the startup configuration from the network using the commands shown below.
Central# config t Enter configuration commands, one per line. Central(config)# no boot network Central(config)# no service config Central(config)# exit Central# End with CNTL/Z.

IP Source Routing
Source routing is a feature of IP whereby individual packets can specify routes. This feature is used in several kinds of attacks. Cisco routers normally accept and process source routes. Unless a network depends on source routing, it should be disabled on all the nets routers. The example below shows how to disable IP source routing.
Central# config t Enter configuration commands, one per line. Central(config)# no ip source-route Central(config)# exit Central# End with CNTL/Z.

Proxy ARP
Network hosts use the Address Resolution Protocol (ARP) to translate network addresses into media addresses. Normally, ARP transactions are confined to a particular LAN segment. A Cisco router can act as intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments. This service is called proxy ARP. Because it breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments, proxy ARP should be used only between two LAN segments at the same trust level, and only when absolutely necessary to support legacy network architectures. Cisco routers perform proxy ARP by default on all IP interfaces. Disable it on each interface where it is not needed, even on interfaces that are currently idle, using the command interface configuration command no ip proxy-arp . The example below shows how to disable proxy ARP on four Ethernet interfaces.
Central# show ip interface brief Interface IP-Address OK? Method Status Ethernet0/0 14.1.15.250 YES NVRAM up Ethernet0/1 14.2.9.250 YES NVRAM up Protocol up up

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Ethernet0/2 unassigned YES unset down down Ethernet0/3 unassigned YES unset down down Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# interface eth 0/0 Central(config-if)# no ip proxy-arp Central(config-if)# exit Central(config)# interface eth 0/1 Central(config-if)# no ip proxy-arp Central(config-if)# exit Central(config)# interface eth 0/2 Central(config-if)# no ip proxy-arp Central(config-if)# exit Central(config)# interface eth 0/3 Central(config-if)# no ip proxy-arp Central(config-if)# end Central#

IP Directed Broadcast
Directed broadcasts permit a host on one LAN segment to initiate a physical broadcast on a different LAN segment. This technique was used in some old denialof-service attacks, and the default Cisco IOS configuration is to reject directed broadcasts. Explicitly disable directed broadcasts on each interface using the interface configuration command no ip directed-broadcast .

IP Classless Routing
By default, a Cisco router will make an attempt to route almost any IP packet. If a packet arrives addressed to a subnet of a network that has no default network route, then IOS will, with IP classless routing, forward the packet along the best available route to a supernet of the addressed subnet. This feature is often not needed. On routers where IP classless routing is not needed, disable it as shown below.
Central# config t Enter configuration commands, one per line. Central(config)# no ip classless Central(config)# exit End with CNTL/Z.

IP Unreachables, Redirects, Mask Replies

The Internet Control Message Protocol (ICMP) supports IP traffic by relaying information about paths, routes, and network conditions. Cisco routers automatically send ICMP messages under a wide variety of conditions. Three ICMP messages are commonly used by attackers for network mapping and diagnosis: Host unreachable, Redirect, and Mask Reply. Automatic generation of these messages should be disabled on all interfaces, especially interfaces that are connected to untrusted networks. The example below shows how to turn them off for an interface.

Version 1.0j

4.2.5. References
[1] Eldridge, B. Building Bastion Routers Using Cisco IOS, Phrack Magazine, Vol. 9 Issue 55, September 1999. available at: http://www.phrack.com/search.phtml?issueno=55&r=0 A concise and readable article with practical advice on setting up a router at a boundary between a trusted and untrusted network.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

[2] Cisco IOS Version 12.0 Security Configuration, National Y2K Information Coordination Center, September 1999. Short article with some good advice on features to turn off. Cant seem to find it on the web anymore, though. [3] Increasing Security on IP Networks, , Cisco Internetworking Case Studies, Cisco Systems, 1998. available under:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/

Very helpful article from Cisco, includes common-sense measures to take on routers running IOS 11.3. Available from Ciscos web site. [4] Buckley, A. Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. The sections on Performing Basic System Management and Monitoring the Router and Network include valuable advice on how to configure basic features and services. [5] Cisco IOS Network Protocols Configuration Guide, Part 1, Cisco Press, 1999. The section on IP Addressing and Services includes information about several of the IP services described in this section. [6] Held, G. and Hundley, K. Cisco Security Architectures, McGraw-Hill, New York, 1999. Good overview of Cisco router and TCP/IP architecture, plus excellent coverage of access lists. [7] Franks, J. et. al. HTTP Authentication: Basic and Digest Access Authentication, RFC 2617, June 1999. The standard for HTTP basic authentication used for access control by Cisco IOS web remote administration. [8] Baker, F. ed., Requirements for IP Version 4 Routers, RFC 1812, June 1995. This comprehensive standard describes the services that routers must or may provide, including several of the ones discussed in this section.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

4.3. Access Lists and Filtering

Cisco IOS uses access lists to separate data traffic into that which it will process (permitted packets) and that which it will not process (denied packets). Secure configuration of Cisco routers makes very heavy use of access lists, for restricting access to services on the router itself, and for filtering traffic passing through the router. This section gives a moderately detailed description of access list syntax, with some extensive examples.

4.3.1. Concepts
Access lists on Cisco routers provide packet filtering capability. An access list contains one or more rules. For IP traffic, there are two types of access lists available: standard and extended. Standard access lists only allow source IP address filtering. Extended access lists can permit or deny packets based on their protocols, source or destination IP addresses, source or destination TCP/UDP ports, or ICMP or IGMP message types. Extended access lists also support selective logging. Both standard and extended IP access lists can be applied to router interfaces, vty lines (for remote access), IPSec, routing protocols, and many router features. Only standard IP access lists can be applied to SNMP.

Syntax
The basic structure for an access list rule is shown below. access-list list-number {deny | permit} condition The access list number tells Cisco IOS which access list the rule should be a part of, and what kind of access list it is. The condition field, which is different for each kind of access list, specifies which packets match the rule. Conditions typically involve protocol information and addresses, but do not involve application-level information. The following is the syntax for a statement (rule) in a standard IP access list: access-list list-number {deny | permit} source [source-wildcard] [log] where list-number is the number of the access list and can be any decimal number from 1 to 99. deny denies access if the condition is matched. permit permits access if the condition is matched. source is the IP address of the network or host from which the packet is being sent. source-wildcard is the wildcard bits to be applied to the source.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

The optional keyword log may be applied to log matches to the rule. Note that logging for IP standard access lists is supported in IOS 12.0 and later only. The following is simplified syntax for a statement in an extended IP access list: access-list list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [ log | log-input] where list-number is the number of the access list and can be any decimal number from 100 to 199. deny denies access if the condition is matched. permit permits access if the condition is matched. protocol is the name or number of an IP-related protocol. It can be one of the following keywords: eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp or udp. Or it can be an integer in the range 0 to 255 representing an IP protocol number. (Some protocols allow further qualifiers: source or destination ports can be specified for tcp or udp, and message types can be specified for icmp or igmp.) source is the IP address of the network or host from which the packet is being sent. source-wildcard is the wildcard bits to be applied to the source. The keyword any can be used in place of source and source-wildcard. source-qualifiers are optional details on the packet source, including port numbers and other protocol-specific information. destination is the IP address of the network or host to which the packet is being sent. destination-wildcard is the IP address wildcard bits to be applied to the destination. The keyword any can be used in place of destination and destination-wildcard. destination-qualifiers are optional details on the packet destination, including port numbers and other protocol-specific information. log, if present, causes a message about the packet that matches the statement to be logged, and log-input causes a message that includes the interface (logging is described in Section 4.5.1). Cisco has also created an alternative called named IP access lists for both standard and extended lists. This feature allows you to refer to an access list by name instead of by number. It also provides a convenient way to build lists on-line. The syntax for defining an IP access list by name is shown below. After the list is defined by name, you can add statements beginning with either the permit or deny keyword.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

After the permit or deny keyword the syntax is the same as defined above for either the standard list or the extended list. ip access-list {standard | extended} name where standard specifies a standard IP access list. extended specifies an extended IP access list. name is the name of the access list. The name cannot contain spaces or punctuation and must begin with an alphabetic character.

General Recommendations
Refer to the two tables in Section 3.2.2 that present common services to restrict because they can be used to gather information about an internal network or they have weaknesses that can be exploited. The first table lists those services that should be completely blocked at the router; they should not be allowed across the router in either direction or to the router. The second table lists those services on the internal network or on the router that should not be accessible by external clients. In each access list there must be at least one permit statement. Otherwise, an access list with no permit statements will block all network traffic wherever it is applied. Note that an access list is applied to packets traveling in one direction only. For any connection that requires two-way interaction (e.g., all TCP traffic, some UDP traffic) the access list will only affect approximately half the packets. It is possible however to apply two access lists (one for each direction) for router interfaces, vty lines and routing protocols. The diagram below shows how access lists work when applied to router interfaces, using the router East as an example.

14.1.0.0/16

E th0 14.1.1.20

E ast

E th1 14.2.6.250

14.2.6.0/24

Interface E th0
Inbound Access List
deny
T rash

Interface E th1
permit

permit

14.1.0.0 netw ork

Inbound Access List

deny

14.2.6.0 netw ork

T rash

permit

O utbound Access List

R outing b i

O utbound Access List

permit

Figure 4-2: Conceptual Model for Access Lists on Interfaces

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Use the log keyword at the end of each deny statement in each extended access list, as shown in the example below. This feature will provide valuable information about what types of packets are being denied. Logs of denied packets can be useful for detection and analysis of probes and attacks against a network. Log messages generated by access lists are at log level 6 Informational. Access list log messages always include the access list number, which is usually sufficient to identify the provenance of the traffic. If you might apply the same access list to more than one interface, then use the qualifier log-input instead of log.
East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any East(config)# access-list 102 deny ip any any log-input

Add the following statements at the end of each extended IP access list to deny and to log any packets that are not permitted. These statements include the entire port ranges for TCP and UDP explicitly. This will guarantee that the router will log the values for the source and destination ports for TCP and UDP traffic.
East(config)# access-list 100 deny tcp East(config)# access-list 100 deny udp East(config)# access-list 100 deny ip any any any any any range 0 range 0 range 0 range 0 any log 65535 65535 log 65535 65535 log

Finally, due to limited editing capability on the Cisco router, you cannot easily modify access lists. Thus, whenever you need to change an access list, it is best to build it offline on a separate computer. When the access list is ready you can cut and paste the access list via a connection to the router. Since the original access list is still on the router, you must purge it before adding the updated access list. Below is an example of how to clear an access list.
East(config)# no access-list 100

4.3.2. Filtering Traffic to Router Itself

Access lists are used in a variety of ways to control access to services on the router itself. While it is possible to incorporate access controls for these services into the access lists placed on interfaces, it is typically easier, more reliable, and more efficient to use the specialized facilities that IOS makes available to apply access controls directly to the services themselves. For more information about services on the router, and how to disable unneeded ones, see Section 4.2.

Remote Login (Telnet) Service

There are a number of methods to filter access to the router itself: vty lines, SNMP servers and routing protocols. The vty lines are used for remote access to the router. Typically, a router administrator telnets to one of the vty lines. The following example shows the configuration of an extended IP access list that is applied to the vty lines. This simple IP access list allows the hosts with IP addresses 14.2.6.1 and 14.2.6.18 to connect to the router East via Telnet. The list denies all other connections. It also logs all successful and unsuccessful connections.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

East(config)# access-list 105 permit host 14.2.6.1 any eq 23 log East(config)# access-list 105 permit tcp host 14.2.6.18 any eq 23 log East(config)# access-list 105 deny ip any any log East(config)# line vty 0 4 East(config-line)# access-class 105 in East(config-line)# end

SNMP Service
A Cisco router can be configured to act as a client for SNMP. When SNMP service is enabled on a router, network management tools can use it to gather information about the router configuration, route table, traffic load, and more. Versions 1 and 2 of SNMP are not considered secure due to the lack of strong authentication. Thus, SNMP should be used only on internal or protected networks. The following example shows the configuration of a standard IP access list that is applied to a snmp server. This access list allows the host with IP address 14.2.6.6 to gather SNMP information from the router. The list denies all other connections.
East(config)# access-list 75 permit host 14.2.6.6 East(config)# snmp-server community n3t-manag3m3nt ro 75

For more information about SNMP configuration, see Sections 4.2.2 and 4.5.3.

OSPF Service
Communications between routers for routing table updates involve routing protocols. These updates provide directions to a router on which way traffic should be routed. You can use access lists to restrict what routes the router will accept (in) or advertise (out) via routing protocols. The following example shows the configuration of an extended IP access list applied to the OSPF routing protocol, area 1. With the access list applied, router North will not advertise routes to the 14.2.9.0 network.
North(config)# access-list 10 deny 14.2.9.0 0.0.0.255 any North(config)# access-list 10 permit any North(config)# router ospf 1 North(config-router)# distribute-list 10 out North(config-router)# end

For more information about OSPF security configuration, see Section 4.4.

4.3.3. Filtering Traffic through the Router

The following examples illustrate methods to protect the router or the internal network from attacks. Note: these separate examples should not be combined into one access list because the result would contain contradictions. In the next section an example configuration file is presented that shows one way to combine these methods into access lists. Refer to the network diagram in Figure 4-1 to understand the example interfaces, their IP addresses and the corresponding access lists.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

IP Address Spoof Protection Inbound Traffic

Do not allow any inbound IP packet that contains an IP address from the internal network (e.g., 14.2.6.0), any local host address (127.0.0.0/8), the link-local DHCP default network (169.254.0.0/16), the documentation/test network (192.0.2.0/24), or any reserved private addresses (refer to RFC 1918) in the source field. Also, if your network does not need multicast traffic, then block the IP multicast address range (224.0.0.0/4). Apply this access list to the external interface of the router, as shown in the transcript below.
East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 East(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 East(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 East(config)# access-list 100 deny ip 0.0.0.0 0.255.255.255 East(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 East(config)# access-list 100 deny ip 192.0.2.0 0.0.0.255 East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 East(config)# access-list 100 deny ip 224.0.0.0 15.255.255.255 East(config)# access-list 100 deny ip host 255.255.255.255 East(config)# access-list 100 permit ip any 14.2.6.0 0.0.0.255 East(config)# interface eth0/0 East(config-if)# description "external interface" East(config-if)# ip address 14.1.1.20 255.255.0.0 East(config-if)# ip access-group 100 in East(config-if)# exit East(config)# interface eth0/1 East(config-if)# description "internal interface" East(config-if)# ip address 14.2.6.250 255.255.255.0 East(config-if)# end any any any any any any any any any any log log log log log log log log log log

Outbound Traffic
Do not allow any outbound IP packet that contains an IP address other than a valid internal one in the source field. Apply this access list to the internal interface of the router. See example rules below.
East(config)# no access-list 102 East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any East(config)# access-list 102 deny ip any any log East(config)# interface eth 0/1 East(config-if)# description "internal interface" East(config-if)# ip address 14.2.6.250 255.255.255.0 East(config-if)# ip access-group 102 in

On most Cisco routers, IOS 12 offers another mechanism for IP address spoof protection: IP unicast reverse-path forwarding verification. Though specialized, and not suitable for all networks, this facility offers good performance and ease of

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

maintenance. Section 4.4.5 shows how to set up reverse-path forwarding verification on routers that support it.

Exploits Protection
This sub-section describes how to use access lists to defeat or discourage several common attacks using IOS traffic filtering capabilities.

TCP SYN Attack

The TCP SYN Attack involves transmitting a volume of connections that cannot be completed at the destination. This attack causes the connection queues to fill up, thereby denying service to legitimate TCP users. The following shows two different scenarios. External Access Blocked The access list rules shown below will block packets from an external network that have only the SYN flag set. Thus, it allows traffic from TCP connections that were established from the internal network, and it denies anyone coming from any external network from starting any TCP connection.
East(config)# access-list 106 permit tcp any 14.2.6.0 0.0.0.255 established East(config)# access-list 106 deny ip any any log East(config)# interface eth 0/0 East(config-if)# description "external interface" East(config-if)# ip access-group 106 in

Limiting External Access with TCP Intercept The access list rules shown below will block packets from unreachable hosts using the TCP intercept feature; thus, it only allows reachable external hosts to initiate connections to a host on the internal network. In intercept mode the router intercepts each TCP connection establishment, and determines if the address from which the connection is being initiated is reachable. If the host is reachable, the router allows the connection to be established; otherwise, it prevents the connection.
East(config)# ip tcp intercept list 107 East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255 East(config)# access-list 107 deny ip any any log East(config)# interface eth 0/0 East(config-if)# description "external interface" East(config-if)# ip access-group 107 in

TCP intercept is a very effective mechanism for protecting hosts on a network from outside TCP SYN attacks, for extensive details consult the Cisco IOS 12 Security Configuration Guide [5]. The TCP intercept feature is available in most, but not all,

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Cisco IOS version 11.3 and 12.0 releases. Note that TCP intercept, while it can be very useful, can also impose significant overhead on router operations. Examine and test the performance burden imposed by TCP intercept before using it on an operational router.

Land Attack
The Land Attack involves sending a packet to the router with the same IP address in the source address and destination address fields and with the same port number in the source port and destination port fields. This attack may cause a denial of service or degraded capability in the router. The example below shows how to prevent this attack.
East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log East(config)# access-list 100 permit ip any any East(config)# interface eth0/0 East(config-if)# description "external interface to 14.1.0.0/16" East(config-if)# ip address 14.1.1.20 255.255.255.0 East(config-if)# ip access-group 100 in East(config-if)# end East#

Smurf Attack
The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address from that subnet. If a router is positioned to forward broadcast requests to other routers on the protected network, then the router should be configured to prevent this forwarding from occurring. This blocking can be achieved by denying any packets destined for broadcast addresses. The example statements below block all IP traffic from any host to the possible broadcast addresses (14.2.6.255 and 14.2.6.0) for the 14.2.6.0/24 subnet.
East(config)# access-list 110 deny ip any host 14.2.6.255 log East(config)# access-list 110 deny ip any host 14.2.6.0 log

ICMP Message Types and Traceroute

There are a variety of ICMP message types. Some are associated with programs. For example, the ping program works with message types Echo and Echo Reply. Others are used for network management and are automatically generated and interpreted by network devices. For inbound ICMP traffic, block the message types Echo and Redirect. With Echo packets an attacker can create a map of the subnets and hosts behind the router. Also, he can perform a denial of service attack by flooding the router or internal hosts with Echo packets. With ICMP Redirect packets the attacker

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

can cause changes to a hosts routing tables. Otherwise, the other ICMP message types should be allowed inbound. See the example below for inbound ICMP traffic.
East(config)# East(config)# East(config)# East(config)# access-list access-list access-list access-list 100 100 100 100 deny icmp any any echo log deny icmp any any redirect log deny icmp any any mask-request log permit icmp any 14.2.6.0 0.0.0.255

For outbound ICMP traffic, one should allow the message types Echo, Parameter Problem, Packet Too Big, and Source Quench and block all other message types. With Echo packets users will be able to ping external hosts. Parameter Problem packets and Source Quench packets improve connections by informing about problems with packet headers and by slowing down traffic when it is necessary. Packet Too Big is necessary for Path MTU discovery. The example below shows a set of filter rules for outbound ICMP traffic that permit these message types.
East(config)# access-list 102 permit East(config)# access-list 102 permit parameter-problem East(config)# access-list 102 permit packet-too-big East(config)# access-list 102 permit East(config)# access-list 102 deny icmp any any echo icmp any any icmp any any icmp any any source-quench icmp any any log

Another program that deals with certain ICMP message types is traceroute. Traceroute is a utility that prints the IP addresses of the routers that handle a packet as the packet hops along the network from source to destination. On Unix and Linux operating systems, traceroute uses UDP packets and causes routers along the path to generate ICMP message types Time Exceeded and Unreachable. An attacker can use traceroute response to create a map of the subnets and hosts behind the router, just as they could do with pings ICMP Echo Reply messages. Therefore, block inbound traceroute including a rule in the inbound interface access list, as shown in the example below (ports 33400 through 34400 are the UDP ports commonly used for traceroute).
East(config)# access-list 100 deny udp any any range 33400 34400 log

A router may be configured to allow outbound traceroute by adding a rule to the outbound interface access list, as shown in the example below.
East(config)# access-list 102 permit udp any any range 33400 34400 log

Distributed Denial of Service (DDoS) Attacks

Several high-profile DDoS attacks have been observed on the Internet. While routers cannot prevent DDoS attacks in general, it is usually sound security practice to discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access list rules that block their particular ports. The example below shows access list rules for blocking several popular DDoS attack tools. [Note that some of these rules may

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

also impose a slight impact on normal users, because they block high-numbered ports that legitimate network clients may randomly select. Therefore, you may choose to apply these rules only when an attack has been detected. Otherwise, these rules would normally be applied to traffic in both directions between an internal or trusted network and an untrusted network.]
! the TRINOO DDoS systems access-list 170 deny tcp any any eq 27665 log access-list 170 deny udp any any eq 31335 log access-list 170 deny udp any any eq 27444 log ! the Stacheldraht DDoS system access-list 170 deny tcp any any eq 16660 log access-list 170 deny tcp any any eq 65000 log ! the TrinityV3 system access-list 170 deny tcp any any eq 33270 log access-list 170 deny tcp any any eq 39168 log ! the Subseven DDoS system and some variants access-list 170 deny tcp any any range 6711 6712 log access-list 170 deny tcp any any eq 6776 log access-list 170 deny tcp any any eq 6669 log access-list 170 deny tcp any any eq 2222 log access-list 170 deny tcp any any eq 7000 log

The Tribe Flood Network (TFN) DDoS system uses ICMP Echo Reply messages, which are problematic to block because they are the heart of the ping program. Follow the directions in the ICMP sub-section, above, to prevent at least one direction of TFN communication.

4.3.4. Turbo Access Control Lists

Some Cisco router models support compiled access control lists, called turbo ACLs, in IOS 12.1(6), and later. Using compiled access control lists can greatly reduce the performance impact of long lists. To enable turbo access lists on a router, use the configuration mode command access-list compiled. (If your IOS does not support compiled access lists, the command will generate an error.) Once this facility is enabled, IOS will automatically compile all suitable access lists into fast lookup tables, while preserving their matching semantics. Once you have enabled turbo access lists, you can view statistics about them using the command show access-list compiled. If you apply access lists with more than 5 rules to any high-speed interfaces, then you should employ this feature to improve performance.

4.3.5. Example Configuration File

The configuration file shown below is not a complete configuration file. Rather, it provides an example for using access lists on a Cisco router. The diagram below shows the topology that this file is based on. The security policy implemented with the access lists allows most traffic from the internal network to the external network. The policy restricts most traffic from the external network to the internal network.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Other Networks

East
Interface Eth 0 14.1.1.20/16 Interface Eth 1 14.2.6.250/24

Protected Network 14.2.6.0/24

hostname East ! interface Ethernet0 description Outside interface to the 14.1.0.0/16 network ip address 14.1.1.20 255.255.0.0 ip access-group 100 in ! interface Ethernet1 description Inside interface to the 14.2.6.0/24 network ip address 14.2.6.250 255.255.255.0 ip access-group 102 in ! router ospf 44 network 14.1.0.0 0.0.255.255 area 0 network 14.2.6.0 0.0.0.255 area 1 ! ! access-list 75 applies to hosts allowed to gather SNMP info ! from this router no access-list 75 access-list 75 permit host 14.2.6.6 access-list 75 permit host 14.2.6.18 ! ! access-list 100 applies to traffic from external networks ! to the internal network or to the router no access-list 100 access-list 100 deny ip 14.2.6.0 0.0.0.255 any log access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log access-list 100 deny ip 127.0.0.0 0.255.255.255 any log access-list 100 deny ip 10.0.0.0 0.255.255.255 any log access-list 100 deny ip 0.0.0.0 0.255.255.255 any log access-list 100 deny ip 172.16.0.0 0.15.255.255 any log access-list 100 deny ip 192.168.0.0 0.0.255.255 any log access-list 100 deny ip 192.0.2.0 0.0.0.255 any log access-list 100 deny ip 169.254.0.0 0.0.255.255 any log access-list 100 deny ip 224.0.0.0 15.255.255.255 any log access-list 100 deny ip any host 14.2.6.255 log access-list 100 deny ip any host 14.2.6.0 log access-list 100 permit tcp any 14.2.6.0 0.0.0.255 established access-list 100 deny icmp any any echo log access-list 100 deny icmp any any redirect log access-list 100 deny icmp any any mask-request log access-list 100 permit icmp any 14.2.6.0 0.0.0.255 access-list 100 permit ospf 14.1.0.0 0.0.255.255 host 14.1.1.20 access-list 100 deny tcp any any range 6000 6063 log access-list 100 deny tcp any any eq 6667 log

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

access-list 100 deny tcp any any range 12345 12346 log access-list 100 deny tcp any any eq 31337 log access-list 100 permit tcp any eq 20 14.2.6.0 0.0.0.255 gt 1023 access-list 100 deny udp any any eq 2049 log access-list 100 deny udp any any eq 31337 log access-list 100 deny udp any any range 33400 34400 log access-list 100 permit udp any eq 53 14.2.6.0 0.0.0.255 gt 1023 access-list 100 deny tcp any range 0 65535 any range 0 65535 log access-list 100 deny udp any range 0 65535 any range 0 65535 log access-list 100 deny ip any any log ! ! access-list 102 applies to traffic from the internal network ! to external networks or to the router itself no access-list 102 access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem access-list 102 permit icmp 14.2.6.0 0.0.0.255 any packet-too-big access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench access-list 102 deny tcp any any range 1 19 log access-list 102 deny tcp any any eq 43 log access-list 102 deny tcp any any eq 93 log access-list 102 deny tcp any any range 135 139 log access-list 102 deny tcp any any eq 445 log access-list 102 deny tcp any any range 512 518 log access-list 102 deny tcp any any eq 540 log access-list 102 permit tcp 14.2.6.0 0.0.0.255 gt 1023 any lt 1024 access-list 102 permit udp 14.2.6.0 0.0.0.255 gt 1023 any eq 53 access-list 102 permit udp 14.2.6.0 0.0.0.255 any range 33400 34400 log access-list 102 deny tcp any range 0 65535 any range 0 65535 log access-list 102 deny udp any range 0 65535 any range 0 65535 log access-list 102 deny ip any any log ! ! access-list 150 applies to remote access from specific hosts ! (14.2.6.10, 14.2.6.11 and 14.2.6.12) to the router itself no access-list 150 access-list 150 permit tcp host 14.2.6.10 host 0.0.0.0 eq 23 log access-list 150 permit tcp host 14.2.6.11 host 0.0.0.0 eq 23 log access-list 150 permit tcp host 14.2.6.12 host 0.0.0.0 eq 23 log access-list 150 deny ip any any log ! snmp-server community n3t-manag3m3nt ro 75 ! line vty 0 4 access-class 150 in password 7 123456789012345678901234 login transport input telnet

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

4.3.6. References
[1] Chapman, D. Brent and Zwicky, Elizabeth D., Building Internet Firewalls, OReilly Associates, 1995. This text provides valuable information on how to packet filter many of the commonly used services, e.g., SMTP, FTP, Telnet, etc. [2] Karrenberg, D., Moskowitz, B. and Rekhter, Y. Address Allocation for Private Internets, RFC 1918,, February 1996. This RFC describes the IP address allocation for private intranets. The Internet Assigned Numbers Authority has reserved the following three blocks of the IP address space for private intranets: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255. [3] Held, G., and Hundley, K., Cisco Access List Field Guide, McGraw-Hill, 1999. This book offers detailed information and examples on access list syntax and usage. [4] Held, G., and Hundley, K., Cisco Security Architectures, McGraw-Hill, 1999 This book includes a good introduction to router security, and a good primer on access lists [5] Cisco IOS Release 12.0 Security Configuration Guide, Cisco Press, 1999. This is the reference manual and guide for major security features in IOS 12.0. It includes information on TCP Intercept, reflexive access lists, and dynamic access lists. [6] Ferguson, P. and Senie, D. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing, RFC 2827, 2000. This Internet Best Current Practice RFC gives a good overview of source address filtering. [7] Cisco ISP Essentials, version 2.9, Cisco Systems, June 2001. available under: http://www.cisco.com/public/cons/isp/documents This detailed guide includes advice about setting up access lists in a variety of contexts, and a good discussion of performance considerations.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

4.4. Routing and Routing Protocols

A protocol is a formal description of a set of rules and conventions that govern how devices on a network exchange information.[5] This section will discuss two basic types of protocols, with a focus on the latter. The two types of protocols are: ! Routed protocols These are protocols that can be routed by a router. The routed protocol allows the router to correctly interpret the logical network. Some examples of routed protocols are IP, IPX, AppleTalk, and DECnet. ! Routing protocols A routing protocol gathers information about available networks and the distance, or cost, to reach those networks.[7] These protocols support routed protocols and are used to maintain routing tables. Some examples of routing protocols are OSPF, RIP, BGP, and IGRP. All of the examples in this section are based on the sample network architecture shown in Figure 4-1. Routed Protocols The most commonly used routed network protocol suite is the TCP/IP suite; its foundation is the Internet Protocol (IP). This section will not provide an in-depth discussion of this protocol, as that is far beyond the scope of this guide, consult [6] for a detailed introduction. ARPA developed IP over twenty-five years ago under the ARPANET project. Today, it has grown in popularity and is the basis for the worldwide Internet. Its growth and popularity can be attributed to IPs ability to connect different networks regardless of different physical environments, and the flexible and open nature of the IP network architecture. IP is designed for use on large networks; using IP, a connected host anywhere on a network can communicate with any other. (In practice, software applications running on hosts almost never use raw IP to communicate. Instead, they use one of two transport-layer protocols built on top of IP: the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). Whether applications use TCP or UDP is immaterial to routing, which takes place exclusively at the IP layer.) Further, each IP host does not need to know a path through the network to every other host. Each host only needs to know the address of one or a small number of routers. These routers are responsible for ensuring that each IP packet reaches its intended destination. In a small network, each router can simply be connected directly to every other router. For larger networks, of course, connecting every router to every other would be prohibitively expensive. Instead, each router maintains a route table with information about how to forward packets to their destination addresses. Correct, efficient, and secure operation of any large IP network depends on the integrity of its route tables.

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Route Tables and Routing Protocols A routers primary responsibility is to send a packet of data to the intended destination. To accomplish this, each router needs a route table. Each router builds its table based on information from the network and from the network administrators. The router then uses a set of metrics, depending on the contents of the table and its routing algorithm, to compare routes and to determine the best path to a destination. Routers use four primary mechanisms for building their route tables: 1. Direct connection: Any LAN segment to which the router is directly connected is automatically added to the route table. For example, the router Central is connected to the LAN segment 14.2.9.0/24. 2. Static routing. A network administrator can manually instruct a router to use a given route to a particular destination. This method takes precedence over any other method of routing. 3. Dynamic routing. Uses router update messages from other routers to create routes. The routing algorithm associated with the particular routing protocol determines the optimal path to a particular destinations, and updates the route table. This method is the most flexible because it can automatically adapt to changes in the network. 4. Default routing. Uses a manually entered route to a specific gateway of last resort when route is not known by any other routing mechanism. This method is most useful for routers that serve as the sole connection between a small LAN and a large network like the Internet. Routers that depend on a single default gateway usually do not use routing protocols. Although many different dynamic routing protocols exist, this section focuses on only two: RIP and OSPF. These two are the most widely used standard routing protocols. RIP, the Routing Information Protocol, is an example of a distance vector based protocol. OSPF, or Open Shortest Path First, is an example of a link state protocol. The table below provides a short comparison.
Table 4-2 RIP v. OSPF

RIP

Distance vector protocol: maintains a list of the distances to other networks measured in hops, the number of routers a packet has to traverse in order to reach its destination. Limited in scale because any distance greater than 15 hops is inaccessible. Broadcasts updates every 30 seconds to all neighboring RIP routers to maintain integrity. Each update is a full route table. Link state protocol: uses a link speed-based metric to determine paths to other networks. Each router maintains a simplified map of the entire network. Updates are sent via multicast, and are sent only when the network configuration changes. Each update only includes changes to the network.

OSPF

UNCLASSIFIED

Version 1.0j

4.4.3. Routing tables, static routes, and routing protocols

This section describes how to protect routers from some common routing hazards.

Router Neighbor Authentication

The primary purpose of router neighbor authentication is to protect the integrity of a routing domain. In this case, authentication occurs when two neighboring routers exchange routing information. Authentication ensures that the receiving router incorporates into its tables only the route information that the trusted sending router really intended to send. It prevents a legitimate router from accepting and then employing unauthorized, malicious, or corrupted routing updates that would compromise the security or availability of a network. Such a compromise might lead to re-routing of traffic, a denial of service, or simply giving access to certain packets of data to an unauthorized person.

OSPF Authentication
OSPF provides authentication to prevent routing attacks. Each router accomplishes authentication by the exchange of an authentication key. That is, routers connected to the same network segment all use a shared secret key. Each sending router then uses this key to sign each OSPF update message. The receiving router checks the shared secret to determine whether the message should be accepted. OSPF uses two types of neighbor authentication: plaintext and message digest (MD5). Plaintext authentication uses a shared secret key known to all the routers on the network segment. When a sending router builds an OSPF packet, it signs the packet by placing the key as plaintext in the OSPF header. The receiving router then compares the received key against the key in memory. If the keys match, then the router accepts the packet. Otherwise, the router rejects the packet. This method does

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

not provide much security because the key is in plaintext in the packet. Using this method reveals the secret key to any attacker using a network sniffer on the right LAN segments. Once an attacker captures the key, they can pose as a trusted router. The second, and more secure method, is message digest authentication. The figure below shows the example network from Figure 4-1 with its routing protocols.

Internet
eth0/0

North
eth0/1

14.1.1.250/16

OSPF Area 0

Facility Network 14.1.0.0/16

eth1 eth0

14.1.1.20/16

East

14.2.6.250/24

eth0/0

14.1.15.250/16

14.2.6.0/24

Central
eth0/1

Autonomous System Border Router (ASBR)

14.2.9.250/24

RIP

Second Floor 14.2.9.0/24

eth0/0

14.2.9.64/24

South
eth0/1

14.2.10.250/24

14.2.10.0/24

Figure 4-3: A Simple OSPF Routing Architecture

In this example, routers North, East, and Central all share the same secret key, r0utes-4-all, with a Key ID of 1. Each of these routers authenticates to each other using the MD5 message digest authentication method, whose cryptographic authentication type is denoted by a value of 2. Figure 4-4 shows how East authenticates to North. East first builds an OSPF packet, both header and body. It then picks a primary key to use on the network segment. In this case, the key is r0utes-4-all, as noted earlier. The corresponding Key ID, 1, is placed in the header. The cryptographic authentication algorithm produces a 16-byte result, which is also placed in the header. A 32-bit sequence number, generated by East, is placed

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

in the header. This sequence number protects against replay attacks so that no two OSPF packets will have the same hash value. The sequence number is incremented with every new packet. Finally, the secret key is appended to the packet. East then runs the cryptographic hash algorithm, MD5, against the OSPF packet. The output of the function, or the signature, is written over the secret that was appended to the packet. The receiving router, North, looks at the Key ID to determine which key was used to generate the hash, or signature. The router then uses its own key to regenerate the hash on the received packet in the same manner as the sending router. If the regenerated hash matches the hash that was sent from East, then the North trusts the packet. Otherwise, it rejects the packet as being invalid.
OSPF Version OSPF pkt type OSPF Version OSPF pkt type OSPF length Source OSPF Router ID OSPF length Source OSPF Router ID

OSPF Area ID 0 (no checksum) 2 (cryptographic auth type) 0 1 (Key ID) 16 (MD5 len)
MD5 hash algorithm

OSPF Area ID 0 (no checksum) 2 (cryptographic auth type) 0 1 (Key ID) 16 (MD5 len)

Cryptographic sequence number OSPF packet body

16-byte secret ROUTER

MD5 Cryptographic hash or signature

Figure 4-4: OSPF Calculation of an MD5 Authentication Signature (from [4])

OSPF Plaintext Authentication

This method is not recommended, use the superior MD5 method, below. OSPF MD5 Authentication The example below illustrates an example of using MD5 for OSPF router neighbor authentication. The example transcripts below show routers North and East receiving the key r0utes-4-all. In practice, all the routes connected to a given network must be configured in the same way, using the same key. Using the example network shown in Figure 4-1, router Central would also have to be configured with MD5 authentication and the same shared key shown below.

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

UNCLASSIFIED

Implementing Security on Cisco Routers

Central will be using the key chain CENTRAL-KEYCHAIN that was created earlier. Furthermore, Central will be using the MD5 method of authentication.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# int ethernet0/1 Central(config-if)# ip rip authentication key-chain CENTRAL-KEYCHAIN Central(config-if)# ip rip authentication mode md5 Central(config-if)# end Central# South# config t Enter configuration commands, one per line. End with CNTL/Z. South(config)# int ethernet0/0 South(config-if)# ip rip authentication key-chain SOUTHKEYCHAIN South(config-if)# ip rip authentication mode md5 South(config-if)# end South#

Key Management
The strength of both of these methods, RIP and OSPF neighbor authentication, depends on two factors: the secrecy of the keys and the quality of the keys. A keys secrecy is intact only if it is known by the trusted routers, but hidden from any attacker. The best method for distributing keys to trusted routers is to do it manually. The other issue with maintaining secrecy is the question of How many keys should be used in the routing domain? That is, whether one key should be used for the entire routing domain, or a separate key for each router neighbor-to-neighbor connection. Using a separate key for each router neighbor-to-neighbor connection can become an administrative nightmare, so using a common key for the entire routing domain is recommended. However, maintaining the secrecy of the key becomes much more important, because failure to do so can compromise the entire network. The other factor that authentication relies on is the quality of the keys. The rules for generating good passwords apply to generating good keys as well. See Section 4.1 for a detailed description.

Static Routes
Static routes are manually configured on the router as the only path to a given destination. These routes typically take precedence over routes chosen by dynamic routing protocols. In one sense, static routes are very secure. They are not vulnerable to spoofing attacks because they do not deal with router update packets. Exclusively using static routes will make network administration extremely difficult. Also, configuring a large network to use only static routes will can make the availability of large pieces

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

of the network subject to single points of failure. Static routes cannot handle events such as router failures. A dynamic routing protocol, however, such as OSPF, can correctly re-route traffic in the case of a router failure. In most cases, static routes take precedence over their dynamic counterparts. However, if an administrative distance is specified, then that static route can be overridden by dynamic information. For example, OSPF-derived routes have a default administrative distance of 110. Thus a static route must have an administrative distance greater than 110 if the OSPF derived route is to have precedence over the static route. Static routes have a default administrative distance of 1. The following example illustrates how to create a static route with a higher administrative distance than OSPF. For more information on the internal workings of static routes, consult [7].
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ip route 14.2.6.0 255.255.255.0 14.1.1.20 120 Central(config)# end Central#

Convergence
Reducing the convergence time (the time it takes for all routers to learn of a change in the network) can improve the level of security. If an attacker creates a spoofed route to redirect traffic, then reducing the convergence time will cause that false route to die quickly, unless the attacker continues to send routing updates. However, constantly sending routing updates will likely expose the identity of the infiltrator. In either case, different aspects of network security will be addressed. As a cautionary note, reducing convergence time, especially when using RIP, will increase network load. The default settings have been selected to provide optimal performance. The example below illustrates how to reduce convergence on an OSPF and RIP network. The timers for OSPF can be viewed by using the show ip ospf pid command and the show ip ospf interface interface command.
Central# show ip ospf 1 . . SPF schedule delay 5 secs, Hold time between two SPFs 10 secs . . Central# show ip ospf interface ethernet0/0 Ethernet0/0 is up, line protocol is up Internet Address 192.168.20.150/24, Area 1 Transmit Delay is 1 sec, State DROTHER, Priority 1

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

. . Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:05 . .

The output of the show ip ospf pid command shows that OSPF on Central will perform an SPF (Shortest Path First) calculation 5 seconds after it receives a topology change. If this value is 0, then Central starts an SPF calculation after receiving a topology change. It will also wait 10 seconds between two consecutive SPF calculations. If this value is 0, then two consecutive SPF calculations can be done without any waiting period. Reducing both of these timers causes routing to switch to an alternate path more quickly in the event of a failure. The output of the show ip ospf interface interface command shows that the time between Hello packets on interface ethernet0/0 is 10 seconds. The Dead interval, which is 40 seconds in the example, is the time hello packets must not have been seen before Central declares its neighbor dead. The Retransmit interval is the time between LSA (Link State Advertisement packets sent by OSPF) retransmissions. This time, which is 5 seconds, must be greater than the expected round trip between Central and any other router on the same network. Otherwise, the routers will be sending needless LSA packets. The Transmit Delay is the time in seconds that Central will take to transmit a link-state update packet. If the Hello-interval and Dead-interval are modified on a router, then all other OSPF routers on that network must be changed as well. That is, all routers on that network must have the same Hello-interval and Dead-interval. The example below shows how to modify OSPF timers. The first modification sets the SPF calculation delay to 1 second and the delay between two consecutive SPF calculations to 4 seconds. The second modification sets the Hello-interval to 5 seconds, the Dead-interval to 20 seconds, the Retransmit-interval to 8 seconds, and the Transmit-delay to 6 seconds.
Central# config t Central(config)# router ospf 1 Central(config-router)# timers spf 1 4 Central(config-router)# end Central# show ip ospf . . SPF schedule delay 1 secs, Hold time between two SPFs 4 secs . . Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# interface ethernet0/0

Version 1.0j

UNCLASSIFIED

Router Security Configuration Guide

UNCLASSIFIED

Central(config-if)# ip ospf hello-interval 5 Central(config-if)# ip ospf dead-interval 20 Central(config-if)# ip ospf retransmit-interval 8 Central(config-if)# ip ospf transmit-delay 6 Central(config-if)# end Central# show ip ospf interface ethernet0/0 Ethernet0/0 is up, line protocol is up Internet Address 192.168.20.150/24, Area 1 Transmit Delay is 6 sec, State DR, Priority 1 . . Timer intervals configured, Hello 5, Dead 20, Wait 20, Retransmit 8 Hello due in 00:00:02 . .

Similarly, the timers for RIP can be viewed by using the show ip protocols command.
Central# show ip protocols . . . Routing Protocol is "rip" Sending updates every 30 seconds, next due in 22 seconds Invalid after 180 seconds, hold down 180, flushed after 240 . . .

In its current configuration, RIP routing updates are sent every 30 seconds. If no update is received within 180 seconds, then the route is declared invalid. The hold down time is the time that a route will remain in the routing table before a new route is accepted. The flush time is the amount of time that a route will remain in the routing table before it is removed if no update to that route is received. The sleep time, which is not shown, is the amount of time, measured in milliseconds, an update will be delayed before transmission. The example shows how to modify the RIP timers.
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# router rip Central(config-router)# timers basic 20 120 150 230 3 Central(config-router)# end Central# show ip protocols . . Routing Protocol is "rip" Sending updates every 20 seconds, next due in 6 seconds Invalid after 120 seconds, hold down 150, flushed after 230 . .

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

In general, OSPF is preferable to RIP. It is also possible to redistribute OSPF routes over RIP, and this is preferable to running RIP on an entire large network. For details on this topic, consult [2] Chapter 13.

4.4.4. Disabling unneeded routing-related services

Passive Interfaces
The passive-interface command is used to prevent other routers on the network from learning about routes dynamically. It can also be used to keep any unnecessary parties from learning about the existence of certain routes or routing protocol used. It is typically used when the wildcard specification on the network router configuration command configures more interfaces than desirable. The example below illustrates such a case.
Router1# show config . . interface ethernet0 ip address 14.1.15.250 255.255.0.0 ! interface ethernet1 ip address 14.2.13.150 255.255.0.0 ! interface ethernet2 ip address 14.3.90.50 255.255.0.0 ! router ospf 1 network 14.0.0.0 0.0.0.255 area 0 passive-interface ethernet2 . .

When used on OSPF, this command blocks routing updates from being sent or received on an interface. In the example above, OSPF has been enabled to run on all subnets of 14.0.0.0. However, by using the passive-interface ethernet2 command, OSPF will run only on interfaces ethernet0 and ethernet1. An alternative method to this is to simply not enable OSPF on certain interfaces. The example below illustrates a configuration that does that.
Router1# show config . . interface ethernet0 ip address 14.1.15.250 255.255.0.0 ! interface ethernet1 ip address 14.2.13.150 255.255.0.0 ! interface ethernet2 ip address 14.3.90.50 255.255.0.0 ! router ospf 1

4.4.5. Unicast Reverse-Path Forwarding Verification

Most Cisco routers running IOS 12.0 and later support a routing-based filtering feature called IP unicast reverse-path forward (Unicast RPF) verification. When this feature is enabled on an interface, the router uses its routing tables to decide whether to accept or drop individual packets arriving on the interface. As noted in Section 4.3, it is good security practice to reject a packet with a spoofed source address. Unicast reverse-path verification supports rejecting such packets, and in some cases it offers significant advantages of using access lists for that purpose. Unicast reverse-path verification is not enabled by default; you must explicitly apply it to each interface where you want verification to be done. Used correctly, and in situations where it applies, unicast RPF verification prevents most forms of IP address spoofing.

How Does Unicast Reverse-Path Verification Work?

All routers maintain a routing table that lets them decide how to forward packets. Unicast reverse-path verification uses the routing table to decide whether a packet with a particular source address is valid: if the interface on which the packet with address A.B.C.D was received is the one that the router would use to send a packet to A.B.C.D, then the packet is considered good, otherwise it is bad. Good packets are forwarded normally, bad packets are discarded. Figure 4-5 shows two packets arriving at the router Central on its inside interface, Eth0/1. The first packet bears a proper source address, it is from a host behind the South router. The second packet bears a spoofed source address, it might have been generated by a piece of malicious software surreptitiously installed somewhere on LAN 2. For packet 1, the router looks up its source address, 14.2.10.2, in the routing table. It finds the interface Eth 0/1, which is the interface on which packet 1 has arrived. This is a match, so the router forwards packet 1 normally out interface Eth 0/0. For packet 2, the router looks up its source address, 7.12.1.20, in the routing table. It finds interface Eth 0/0, which is not the interface on which packet 2 has arrived. Because the packet has arrived on the wrong interface, it fails unicast reverse-path verification, and the router discards the packet.

Version 1.0j

UNCLASSIFIED

101

Router Security Configuration Guide

UNCLASSIFIED

14.1.0.0/16

Eth0/0 14.1.15.250

Central

Eth0/1 14.2.9.250

14.2.9.0/24

Pa c

ke t

Interface Eth0/0

Trash

Interface Eth0/1
Packet 1 src=14.2.10.2 dest=10.6.5.9

Packet 1 Destination Gateway Interface

14.2.9.0/24 14.2.10.0/24 14.2.6.0/24 14.1.0.0/16 0.0.0.0/0

-14.2.9.64 14.1.1.20 -14.1.1.250

Eth 0/1 Eth 0/1 Eth 0/0 Eth 0/0 Eth 0/0

Packet 2 src=7.12.1.20 dest=7.12.1.20

Routing Table

Figure 4-5: IP Unicast RPF Verification

Because unicast RPF verification uses the routing table, it automatically adjusts to most changes in network structure. Access lists, while more broadly applicable, also require more maintenance.

When to Use Unicast Reverse-Path Verification

This facility can be very useful for rejecting packets with improper IP source addresses, but only when the network architecture permits it to be used. Avoid unicast RPF verification if any of the following conditions apply; use access lists instead. ! Router uses asymmetric routes if any of the interfaces on the router participate in asymmetric routes (one interface for sending, and a different one for receiving), then simple unicast RPF verification must not be used. It will incorrectly reject packets arriving on the receive leg of the asymmetric route. Cisco has stated that future versions of IOS will perform unicast RPF correctly in these cases [11]. ! Router does not support CEF according to the Cisco documentation, unicast reverse-path verification depends on Cisco Express Forwarding. If your router does not or cannot support CEF, then you cannot use unicast RPF. Unicast RPF verification is best suited for routers that act as part of the security boundary between two networks (e.g. a filtering router between a LAN and the

102

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Internet). Used properly, it can provide better performance than an access list for ingress and egress address filtering. For more details on how and where to apply unicast RPF verification, consult [10].

Configuring Unicast Reverse-Path Verification

Unicast RPF verification depends on a particular routing mode called Cisco Express Forwarding (CEF). Therefore, to use unicast RPF, first enable CEF, and then enable verification on the desired interfaces. The transcript below shows how to enable verification on the router Central.
Central# config t Central(config)# ip cef Central(config)# interface eth 0/0 Central(config-if)# ip verify unicast reverse-path Central(config-if)# exit

Cisco routers equipped with Versatile Interface Processors (VIPs) may require you to enable CEF with the command ip cef distributed instead of the simple version shown above. Consult [10] for details about CEF requirements. To check whether unicast RPF is enabled on a particular interface, or to view statistics about dropped packets, use show ip cef interface interface-name. To disable unicast RPF, enter interface configuration mode, as shown above, and use the command no ip verify unicast reverse-path. Note that you must not turn off CEF while unicast RPF is enabled.

Unicast Reverse-Path Verification and Access Lists

Cisco IOS version 12.1 and later include significant enhancements to unicast RPF. In particular, access lists may be applied to RPF. When a packet fails reverse-path verification, then the access lists are applied. If the access list denies the packet, then it is dropped. If the access list permits the packet, then it is forwarded. Thus, the access list allows you to create exceptions to unicast RPFs usual functioning. Also, if the access list rule that denies a packet includes the log qualifier (see Section 4.3.1) then a log message is generated. For more information about advanced unicast RPF features, consult [11] and [15].

4.4.6. References
[1] Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999. An excellent introduction to basic Cisco IOS tasks. Portions of this book that are particularly relevant to Routing Protocols are Chapters 2 and 7.

Version 1.0j

UNCLASSIFIED

103

Router Security Configuration Guide

UNCLASSIFIED

[2] Parkhurst, W.R., Cisco Router OSPF - Design and Implementation Guide, McGraw-Hill, 1998. Comprehensive and practical guide to OSPF use. Includes discussion of design issues, security, implementation, and deployment. [3] Black, U. IP Routing Protocols, Prentice Hall, 2000. A very good survey of routing protocols and the technologies behind them. [4] Moy, J.T. OSPF Anatomy of an Internet Routing Protocol, Addison-Wesley, 1998. Detailed analysis of OSPF and MOSPF, with lots of practical advice, too. Includes a good section on troubleshooting. [5] Thomas, T.M. OSPF Network Design Solutions, Cisco Press, 1998. This book offers a good overview of IP routing and related topics, and also explains how to configure Cisco routers for OSPF in a variety of situations. [6] Stevens, W.R., TCP/IP Illustrated, Volume 1, Addison-Wesley, 1994. The most comprehensive and readable guide to the TCP/IP protocol suite; great technical background for any network analyst. [7] Chappell, Laura, Editor, Advanced Cisco Router Configuration, Cisco Press, 1999. A great reference book for a variety of Cisco configuration topics, including routing and routing protocols. [8] Rudenko, I., Cisco Routers for IP Routing: Little Black Book, Coriolis Group, 1999. A very practical and pragmatic guide to setting up routing protocols. [9] Cisco Systems, RIP and OSPF Redistribution, Cisco Internetworking Case Studies, Cisco Systems, 2000. available under
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/

[10] Unicast Reverse Path Forwarding, Cisco IOS 11.1(CC) Release Notes, Cisco Systems, 2000. available at: http://www.cisco.com/univercd/cc/td/doc/product/
software/ios111/cc111/uni_rpf.htm

Initial documentation on unicast reverse-path forwarding verification, includes a good explanation of the concepts.

104

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

[11] Unicast Reverse Path Forwarding Enhancements, Cisco IOS 12.1(2)T Release Notes, Cisco Systems, 2000. available at: http://www.cisco.com/univercd/cc/td/doc/product/
software/ios121/121newft/121t/121t2/rpf_plus.htm

Documentation for new Unicast RPF features that are being integrated into IOS 12.1 releases. [12] Plummer, D., An Ethernet Address Resolution Protocol of Converting Network Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet Hardware, RFC 826, 1982. [13] Smoot, C-M. and Quarterman, J., Using ARP to Implement Transparent Subnet Gateways, RFC 1027, 1987. [14] Rybaczyk, P., Cisco Router Troubleshooting Handbook, M&T Books, 2000. This pragmatic volume offers good advice for diagnosing and correcting problems with routing and routing protocols. [15] Cisco ISP Essentials, version 2.9, Cisco Systems, June 2001. available under: http://www.cisco.com/public/cons/isp/documents This detailed Cisco guide for Internet Service Providers includes extensive discussion of routing protocols (especially BGP), and an in-depth treatment of Unicast RPF, all with fully worked-out examples. Other documents about Unicast RPF are available at the URL given above.

Version 1.0j

UNCLASSIFIED

105

Router Security Configuration Guide

UNCLASSIFIED

4.5. Audit and Management

4.5.1. Concepts and Mechanisms
Routers are a critical part of network operations and network security. Careful management and diligent audit of router operations can reduce network downtime, improve security, and aid in the analysis of suspected security breaches. Cisco routers and Cisco IOS are designed to support centralized audit and management. This section describes the logging, management, monitoring, and update facilities offered in Cisco IOS 11.3 and 12.0. ! Logging Cisco routers support both on-board and remote logs. ! Time Accurate time is important for good audit and management; Cisco routers fully support the standard time synchronization protocol, NTP. ! Network Management The standard protocol for distributed management of network component is the Simple Network Management Protocol (SNMP). SNMP must be disabled or carefully configured for good security. ! Network Monitoring Cisco routers support basic facilities for Remote Network Monitoring (RMON). The RMON features depend on SNMP, and must also be disable or carefully configured. ! Software Maintenance Keeping up with new major software releases is important, because new releases include fixes for security vulnerabilities. Installing new Cisco IOS software in a router is not especially difficult. ! Debugging and Diagnostics Troubleshooting router problems requires proficiency with Ciscos diagnostic commands and debugging features. The sub-sections below describe recommended configurations for good security. Complete details on the commands and features discussed may be found in the Cisco IOS documentation, especially the Cisco IOS Configuration Fundamentals Command Reference documents for IOS 11.3 and 12.0.

4.5.2. Configuring Logging and Time Services

Logging is a critical part of router security; good logs can help you find configuration errors, understand past intrusions, troubleshoot service disruptions, and react to probes and scans of your network. Cisco routers have the ability to log a great deal of their status; this section explains the different logging facilities, describes the logging configuration commands, and presents some configuration examples.

106

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Keeping the correct time on a router is also important for accurate logs. Cisco routers fully support the standard Network Time Protocol (NTP), which is used on the Internet and on all major DoD networks to distribute accurate time. Configuration guidance for NTP appears at the end of this sub-section.

Overview and Motivations for Logging

Cisco routers can log system errors, changes in network and interface status, login failures, access list matches, and many more kinds of events. Some motivations for keeping router logs are listed below. ! Recording router configuration changes and reboots ! Recording receipt of traffic that violates access lists (see Section 4.3) ! Recording changes in interface and network status ! Recording router cryptographic security violations (see Section 5.2) There are some events that can be important to security but which Cisco routers cannot log. Four such events are: changing EXEC privilege level, changing a password, changing the configuration via SNMP, and saving a new configuration to the NVRAM. Log messages can be directed in five different ways, as discussed below. Messages can be sent to all five, or any combination. The most valuable forms of logging are forms that are persistent, that can be preserved over time. 1. Console logging Log messages are sent to the console line (see Section 4.1.2). This form of logging is not persistent, messages printed to the console are not stored by the router. Console logging is handy for operators when they use the console, but are otherwise of little value unless some other device or piece of software preserves the output. 2. Terminal Line logging Any enabled exec session, on any line, can be configured to receive log messages. This form of logging is not persistent. Turning on line logging is useful only for the operator using that line. 3. Buffered logging Cisco routers can store log messages in a memory buffer. The buffered data is available only from a router exec or enabled exec session, and it is cleared when the router boots. This form of logging is useful, but does not offer enough long-term protection for the logs. 4. Syslog logging Cisco routers can send their log messages to a Unix-style syslog service. A syslog service simply accepts messages, and stores them in files or

Version 1.0j

UNCLASSIFIED

107

Router Security Configuration Guide

UNCLASSIFIED

prints them according to a simple configuration file. This form of logging is the best available for Cisco routers, because it can provide protected long-term storage for logs. 5. SNMP trap logging For some kinds of events, Cisco routers can generate Simple Network Management Protocol (SNMP) trap messages. This facility allows routers to be monitored as part of an overall SNMP-based network management infrastructure. Cisco IOS messages are categorized by severity level. The lower the severity level number, the more critical the message is. The severity levels are described in the table below. Note that, when you are using logging levels in commands in IOS 11.3 and earlier, you must use the level name; in IOS 12.0 you may use the name or the number.
Table 4-2 Cisco Log Message Severity Levels Level 0 1 2 3 4 5 6 7 Level Name
Emergencies Alerts Critical Errors Warnings Notifications Informational Debugging

Description Router becoming unusable Immediate action needed Critical condition Error condition Warning condition Normal but important event Information message Debug message

Example IOS could not load Temperature too high Unable to allocate memory Invalid memory size Crypto operation failed Interface changed state, up or down Packet denied by access list Appears only when debugging is enabled

For example, the message below appears in the log when a user changes the running configuration. It has a severity level of 5, as shown by the numeric field -5- in the message name.

Mar 31 9:00:16 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (14.2.9.6)

Message text Message name and severity level Time that message was generated

Figure 4-6: Format of a Cisco IOS Log Message

108

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

For best security, set up both syslog logging and console logging. In a network where SNMP management is already deployed, enable SNMP trap logging also. (SNMP is discussed in sub-section 4.5.3, below. RMON is a monitoring facility based on SNMP, sub-section 4.5.4 presents RMON configuration issues.) The descriptions below recommend logging configuration settings, for additional information about Cisco logging command and facilities, consult the Troubleshooting Commands section of the Cisco IOS Configuration Fundamentals Command Reference.

Setting up Console and Buffered Logging

To turn on console logging, use the commands shown below. This example sets the logging level for the console to level 5.
Central# config t Enter configuration commands, one per line. End with CNTL/Z Central(config)# ! set console logging to level 5 (notify) Central(config)# logging console notification Central(config)# logging on Central(config)# exit Central#

This example sets the console message level to 5, notifications, which means that important messages will appear on the console, but access list log messages will not. Use the command logging console info to see all informational messages including access list log messages. Use the command logging console debug to see ALL messages on the console. For buffered and other forms of persistent logs, recording the time and date of the logged message is very important. Cisco routers have the ability to timestamp their messages, but it must be turned on explicitly. As a rule of thumb, your log buffer size should be about 16 Kbytes; if your router has more than 16 Mbytes of RAM, then you can set the log size to 32 or 64 Kbytes. The example below shows how to turn on buffered logging, how to enable time stamps, and how to view the buffered log.
Central# config t Enter configuration commands, one per line. End with CNTL/Z Central(config)# ! Set a 16K log buffer at information level Central(config)# logging buffered 16000 information Central(config)# ! turn on time/date stamps in log messages Central(config)# service timestamp log date msec local show-timezo Central(config)# exit Central# Central# show logging Syslog logging: enabled (0 messages dropped,1 flushes,0 overruns) Console logging: level notifications, 328 messages logged Buffer logging: level informational, 1 messages logged Trap logging: level debugging, 332 message lines logged Logging to 14.2.9.6, 302 message lines logged

Version 1.0j

UNCLASSIFIED

109

Router Security Configuration Guide

UNCLASSIFIED

Log Buffer (16000 bytes): Mar 28 11:31:22 EST: %SYS-5-CONFIG_I: Configured from console by vty0 (14.2.9.6)

Setting up Terminal Line Logging

Any terminal or virtual terminal line can act as a log monitor. There are two parts to setting up terminal monitor logging. First, set the severity level for terminal line monitor log messages; this needs to be done only once. Second, while using a particular line, declare it to be a monitor; this needs to be done once per session. The example below shows how to set up terminal line monitoring for informational severity (level 6) on a telnet session virtual terminal line.
Central# show users Line User Host(s) Idle Location *130 vty 0 bob idle 00:00:00 14.2.9.6 Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ! set monitor logging level to level 6 Central(config)# logging monitor information Central(config)# exit Central# ! make this session receive log messages Central# terminal monitor Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# interface eth 0/1 Central(config-if)# ! shutdown will log a message, level 5 Central(config-if)# shutdown Central(config-if)# Mar 28 15:55:29 EST: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down

Setting up Syslog Logging

Syslog logging is the most useful form of logging offered by Cisco routers. It offers the network administrator the ability to send log messages from all of the routers (and other Cisco equipment) on a network to a central host for examination and storage. All Unix and Linux operating system configurations include syslog servers, and several free and commercial syslog servers are available for Windows NT and Windows 2000.*

The NSA Systems and Network Attack Center offers a suite of Windows NT/2000 tools, called the Value Added Tools (VAT). The VAT includes a solid, robust syslog server for Windows NT and 2000. It is available free to US Government entities; request a copy from [email protected].

110

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Review of Syslog Concepts

A syslog server is a network host that accepts messages and processes them. A syslog client is a host that generates messages. The figure below shows a typical configuration with syslog in use.
Wide-area network

Eth 0/0

14.2.15.250 14.2.9.250 14.2.9.64 14.2.10.64

Central

Eth 0/1
log messages

LAN 1
log messages

Eth 0/0

South

Eth 0/1

14.2.9.6

LAN 2 Syslog Server host Message log storage

Figure 4-7: A Small Syslog Configuration

There are four things that you must set for syslog logging: the destination host or hosts, the log severity level, the syslog facility , and the source interface for the messages. The destination host may be specified with host name, a DNS name, or an IP address. Any number of syslog hosts may be specified, but typically only one or two are needed (see below). The severity level for syslog messages is usually the same as that for buffered log messages. Set the severity level limit for messages sent to syslog using the logging trap command. The syslog facility is simply the name youll use to configure storage of your messages on the syslog server. There are several dozen valid syslog facility names, but the ones used for routers are typically local0 through local7. Syslog servers also support the notion of severity levels, the levels have the same meanings as the Cisco severity levels listed in the table above; for more information consult the syslog.conf(8) manual page or other syslog documentation on the server host. The source interface is the network connection from which the syslog messages will be sent; use the network port on the same network as the syslog server, or the one that is the fewest number of network hops distant from the syslog server.

Version 1.0j

UNCLASSIFIED

111

Router Security Configuration Guide

UNCLASSIFIED

The example below shows how to configure the router Central, shown in the figure above, to load informational severity and above (level 6) messages to the syslog server, using syslog facility local6 and the correct network interface.
Central# Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# logging trap information Central(config)# logging 14.2.9.6 Central(config)# logging facility local6 Central(config)# logging source-interface eth 0/1 Central(config)# exit Central# show logging Syslog logging: enabled (0 messages dropped, 11 flushes, 0 overruns) Console logging: level notifications, 35 messages logged Monitor logging: level debugging, 35 messages logged Buffer logging: level informational, 31 messages logged Logging to 14.2.9.6, 28 message lines logged Log Buffer (16000 bytes): . . Central#

It is important to configure the syslog server to store router messages in their own file. Configuration file syntax for syslog servers is uniform for all Unix and Linux syslog servers; the configuration file is almost always /etc/syslog.conf. The example below shows the syslog configuration line for saving Centrals messages into a file.
# Save router messages to routers.log local6.debug /var/log/routers.log

Additional Issues for Syslog Logging

For a router whose security is critical, such as a border router on the Internet, it is best to configure two syslog servers. At least one of the two syslog servers logs should be backed up to permanent storage (CD-R or tape). In cases where a router is protecting an enclave from an outside network (e.g. a filtering router connected to the Internet), set up access lists to reject syslog traffic from the outside network. Syslog uses UDP port 514. For the example shown in the figure above, an access list entry for the router Central could look something like this:
access-list 120 deny udp any 14.2.0.0 0.0.255.255 eq syslog

For more information on access lists, consult Section 4.3. In a situation where a sizable set of routers and other devices are sending messages to the same syslog server, separate the devices into 2-5 populations with similar duties. Use a separate syslog facility name for each population. For example, local6 for boundary filtering routers, local5 for internal routers, and local4 for internal switches

112

UNCLASSIFIED

Setting the Time Manually

To set the time, follow these three steps: first, check the clock, second, set the timezone if necessary, and last set the time. Examine the clock using the show clock detail command. If the timezone is not correct, then set the time zone using the clock timezone configuration command. If the detail output reports a time source of NTP, then do not set the clock manually, see the descriptions of NTP below. Otherwise, set the time in privileged EXEC mode by using the clock set command, and turn off NTP on each interface using ntp disable.
Central# Central# show clock detail 22:26:21.747 UTC Tue Mar 28 2000 Time source is user configuration Central# config t Enter configuration commands, one per line. CNTL/Z. Central(config)# clock timezone EST -5 Central(config)# interface eth 0/0 Central(config-if)# ntp disable Central(config-if)# end Central# clock set 17:27:30 28 March 2000 Central# show clock 17:27:34.495 EST Tue Mar 28 2000

End with

Review of NTP Concepts

NTP is the standard Internet protocol for time synchronization, and it is used on most large operational networks. Typical NTP deployment is hierarchical, as shown at right: one or more stratum 1 servers get their time from an authoritative source, like an atomic clock. Stratum 2 hosts get their time from stratum 1 servers, and so on. NTP is designed to make time synchronization automatic and efficient. Because having accurate time can be important for security, especially for intrusion and forensic analysis, NTP should be used whenever it is available.

Atomic Clock

Stratum 1

Stratum 2

Stratum 3

Stratum 4

114

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

If an NTP client is configured with several NTP servers, it will select among them automatically based on time accuracy and stratum level. Cisco routers (except the old 1000-series) are capable of acting at any stratum in the NTP hierarchy except stratum 1. As shown in the diagram, NTP clients may also have peer associations; setting up peer associations is beyond the scope of this guide. For more information about NTP configuration, consult the Performing Basic System Management chapter of the Cisco IOS Configuration Fundamentals Configuration Guide. In some cases, a Cisco router may be used as the boundary router between the Internet and an internal, protected network, and the network requires time synchronization from a time server on the Internet. In these cases, the router should be configured as an NTP client to the desired Internet time server(s), and should serve as the NTP server to the hosts on the internal network. This configuration will allow the router to block general NTP traffic at the boundary. If at all possible, NTP authentication should also be used (see below). Commercial stratum 1 radio receivers are available that use a broadcast time source (e.g. the time signal from the US Naval Observatory) to offer NTP service. If your network has one of these, then you can configure all your routers to get their time from it, directly or indirectly.

the scope of this guide; the description below shows how to set up authentication for an Cisco router so that it can use a designated NTP server that uses authentication.
South# config t Enter configuration commands, one per line. End with CNTL/Z. South(config)# ntp authenticate South(config)# ntp authentication-key 1 md5 router South(config)# ntp trusted-key 1 South(config)# ntp server 14.2.9.250 key 1 source ethernet 0/0 South(config)# exit

Configuration Sample
The configuration command listing below shows the configuration commands for a router with console logging, buffered logging, syslog logging, and authenticated network time synchronization. The host receiving the log messages is 14.2.9.6, and the time server is 14.2.9.250. This sample is formatted as it would appear in a configuration text file stored on a host for download to the router South.
! turn on timestamps for log entries service timestamps log datetime msec localtime show-timezone ! setting logging levels and syslog parameters logging console notifications logging monitor debug logging buffered 16000 informational logging facility local6 logging source-interface Ethernet 0/1 logging 14.2.9.6 logging on ! a tiny access list to permit access only for Central access-list 21 permit 14.2.9.250 access-list 21 deny any ! designate Central as our sole NTP server with authentication ntp authentication-key 1 md5 071D2E595A0C0B 7 ntp authenticate ntp trusted-key 1 ntp clock-period 17180154 ntp access-group peer 21 ntp server 14.2.9.250 key 1 source Ethernet0/0

4.5.3. Security for the Simple Network Management Protocol (SNMP) Overview
The Simple Network Management Protocol (SNMP) supports a connection between two entities that communicate with each other: the manager and the managed entity, the agent. In the case of Cisco routers, the router is always the agent. A software application on a PC or workstation normally acts as the manager. A good source for a

Version 1.0j

UNCLASSIFIED

117

Router Security Configuration Guide

UNCLASSIFIED

freeware implementation of an SNMP agent may be obtained from the NET-SNMP home page (http://net-snmp.sourceforge.net/ - NET-SNMP is the successor to ucd-snmp, the SNMPv3 agent used in the creation of this section). An SNMP agent device maintains information and makes it accessible to managers; the information on each device is organized in a virtual store called a Management Information Base (MIB). SNMP is the transport protocol used to share and change information between MIBs. A MIB is a hierarchical, tree-like structure used to store a virtual database of network management information. Each piece of data, or object, in a MIB is referenced by an object identifier (OID). An OID is a unique, dotted, numerical name, where the dots separate branches in a MIB tree. When requesting the value of an object, one may use the OID or the actual name of each branch (separated by dots). If the referenced value is not a bottom leaf of the tree, values for the entire branch are returned. An in depth discussion of SNMP data organization is outside the scope of this guide; for more information consult [6]. SNMP may be used to query the status of or set the values of network components. SNMP may also be used by an entity on the network to send alerts indicating problems. There are currently three versions of SNMP: SNMPv1, SNMPv2c and SNMPv3. IOS version 11.3 supports SNMPv1 and SNMPv2c. IOS version 12.0 supports all three versions of SNMP. This section will give a brief overview of SNMP security and will detail how to enable SNMP more securely. Cisco IOS supports a large number of SNMP-related commands, those that do not have a direct impact on security are not covered.

SNMP Security
When SNMPv1 was developed, it was originally intended to be a short-term solution for (remotely) managing networks. As such, it was developed quickly and strong security was not a requirement. However, since it was the only network management protocol available at the time, it became widely used. Proposals were put forth to integrate security (as well as more functionality) into later versions of the protocol. Unfortunately, conflict arose between competing proposal advocates and no security standard was agreed upon. Consequently strong security was left out of SNMPv2c. In the late 1990s, SNMPv3 was developed. It was designed specifically with strong security in mind. SNMPv1 and SNMPv2c have weak security. SNMPv1 uses a community string to limit access to the MIB. This string is sent across the network in clear text. SNMPv2 relies on the same mechanism for access control to the MIB. SNMPv3 defines three levels of security. They are described in the table below.

118

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Table 4-5: SNMPv3 Security Security Level Authentication Username sent in the clear HMAC-MD5 or HMAC-SHA HMAC-MD5 or HMAC-SHA Encryption None None DES (56-bit)

SNMPv3

noAuthNoPriv authNoPriv authPriv

The Cisco documentation indicates that IOS 12.0 supports all three security levels. However, DES 56-bit encryption was not supported in the versions of IOS used for preparation of this section (12.0(7) and 12.0(5)).

Configuring SNMP - Getting Started

In both IOS versions 11 and 12, there are some basic commands you must run to enable SNMP. By default, SNMP is not turned on in the router. In order to enable SNMP a default community string must be set. This string is stored on the router in clear text and will be sent across the network in the clear. So, anybody who knows this community string has access to essentially the entire MIB. SNMP logging must also be enabled (see section 4.5.1). It is a good idea to run the show snmp command to display the SNMP status and statistics, as shown below.
East# config t Enter configuration commands, one per line. End with CNTL/Z East(config)# snmp-server community publicstring East(config)# snmp-server host 14.2.6.6 traps public East(config)# exit East# show snmp Chassis: east Contact: John Doe Location: Headquarters 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables 0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 SNMP packets output 0 Too big errors (Maximum packet size 2048) 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs

Version 1.0j

UNCLASSIFIED

119

Router Security Configuration Guide

UNCLASSIFIED

SNMP logging: enabled Logging to 14.2.6.6.162, 0/10, 0 sent, 0 dropped. East#

Running these basic commands by themselves is not very secure. Unfortunately, on Cisco IOS version 11.3 (which implements SNMPv1 and SNMPv2c), there is no other alternative when enabling SNMP. While there is some mention of enhanced security options (to support SNMPv2c) mentioned in Cisco documentation, these commands have been disabled. However, in version 12.07, SNMPv3 has been implemented and provides more security features. The rest of this section focuses on SNMPv3.

SNMPv3
A Cisco router capable of running SNMPv3 allows for more security measures to be applied. It is a good idea to disable the public community string. Then an access-list (see Section 4.3) needs to be created to limit machine access to the router (through SNMP). More than one machine may be added on the access-list. Following is an example that does this.
East# config t Enter configuration commands, one per line. End with CNTL/Z East(config)# no snmp-server community publicstring East(config)# access-list 20 permit 14.2.6.6 East(config)# exit

After these commands, SNMP is still enabled but no one has access to the MIB because the community string, which solely defined access to the MIB, is disabled. A better method to allow access to the MIB is to use strict controls. Limited access may be given to the MIB by defining groups, users and MIB views. A MIB view defines a portion of the MIB that a user or group may see/modify provided they have the appropriate credentials. First, a group must be defined by specifying a group name, the version of SNMP and the security model desired. A specific SNMP MIB view, as well as the access to that view may also be defined. If this MIB view is not specified the default is to have access to basically the whole MIB. The second step is to add users to the group. Then a MIB view should be defined to either include specific MIB branches or exclude specific MIB branches. The following example defines a non-privileged user, jdoe, who is a member of the publicUser group. This group has read access to the sysonly view, which is the system branch of the MIB. This branch contains useful information and is beneficial for users to have access to. No community string is required; instead authentication is based on the user name. This is an example of a noAuthNoPriv security model. The following example also introduces two new commands used to verify that the new groups and users have been added correctly.
East# config t Enter configuration commands, one per line. End with CNTL/Z

120

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

East(config)# snmp-server group publicUser v3 noauth read sysonly East(config)# snmp-server user jdoe publicUser v3 East(config)# snmp-server view sysonly system included East(config)# exit East# East# show snmp group groupname: publicUser security model:v3 noauth readview :sysonly writeview: <no writeview specified> notifyview: <no notifyview specified> row status: active East# East# show snmp user User name: sysuser Engine ID: 00000009020000500F033680 storage-type: nonvolatile active East# East# show snmp view sysonly system - included nonvolatile active East#

The more secure model implemented is authNoPriv. This security model uses MD5 or SHA to hash the community string. The steps to support this security model are similar to the steps in supporting the noAuthNoPriv model. First, a group must be defined. Then users must be added to the group with a password string. This string may be hashed using MD5 or SHA. Then the MIB view is defined. A MIB view may be defined by more than one included/excluded statement to restrict the view to the appropriate MIB branches. The following example defines a privileged user, root who uses MD5 for authentication. This means that when user root tries to access/modify MIB data, his community string secret will be hashed and then sent across the network. This makes it hard to compromise the community string. User root is a member of the administrator group. In this example, members of the administrator group have restricted read and write access, defined by the view adminview, to the MIB. This view gives access to all parts of the MIB except the branches that display routing information. So, even if the community string is somehow compromised, the routing tables are not accessible remotely. Likewise, the routing tables are not permitted to be modified remotely. Of course, while not shown, it is always a good idea to use the show commands to verify the new settings.
East# config t Enter configuration commands, one per line. End with CNTL/Z East(config)# snmp-server group administrator v3 auth read adminview write adminview East(config)# snmp-server user root administrator v3 auth md5 secret access 20 East(config)# snmp-server view adminview internet included East(config)# snmp-server view adminview ip.ipAddrTable excl East(config)# snmp-server view adminview ip.ipRouteTable excl East(config)# exit

Version 1.0j

The first two commands display information on configured RMON facilities. Use the rmon event command to provide a description of an event and specifies whether a message is logged or a trap is generated. Use the rmon alarm command to designate the actual MIB variable monitored on the Cisco router. RMON alarms provide an excellent tool for monitoring the network interfaces supported by the router. However, there are several limitations on the type of SNMP variables RMON is capable of monitoring. Alarms may define any SNMP MIB variable that has an elementary data type such as integer, counter, gauge, timeticks, etc. The MIB object

Version 1.0j

UNCLASSIFIED

123

Router Security Configuration Guide

UNCLASSIFIED

monitored must also resolve to an ASN.1 notation. It is acceptable to use the Object Identifier (OID) or the qualified variable name that resolves to its OID. An important requirement that is easily overlooked is the instance number of the monitored variable. All monitored objects must include an instance number of the monitored variable. Variables included in the SNMP table format will have an instance number equivalent to the entry number of the table. All other elementary data variables should have an instance number of 0. For example, the following command defines an alarm configured on a member of the MIB II interfaces table, ifTable:
Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# rmon alarm 1 ifEntry.13.1 30 delta rising-threshold 40 1 falling-threshold 0 owner rscg Central(config)# exit Central# show rmon alarms Alarm 1 is active, owned by rscg Monitors ifEntry.13.1 every 30 second(s) Taking delta samples, last value was 3 Rising threshold is 40, assigned to event 1 Falling threshold is 0, assigned to event 0 On startup enable rising or falling alarm Alarm 2 is active, owned by config . . Central#

The interface entry, ifEntry.13.1, identifies variable ifInDiscards, the number of inbound packets discarded. Alarm number 1 defines a sampling period of every 30 seconds for the number of discarded packets inbound to the Ethernet interface stored at table entry 1 or instance 1. The agent monitors increases of forty discarded packets or more starting from the last value sampled. A routers RMON agent can be very useful for monitoring the number of checksum, input and output errors, input and output discarded packets, unknown or unsupported protocols, etc. RMON may be very data intensive depending on the number of monitored variables and the length of the sampling period. If the amount of traffic generated by RMON seems to be too high, then change the sampling period to a longer time (e.g. 30 seconds to 60 seconds).

4.5.5.

Performing Cisco IOS Software Updates

This sub-section outlines the motivations and procedures for upgrading the system software on a Cisco router. An upgrade can be beneficial for security, but if done improperly it can leave a router vulnerable. It is important to note that most Cisco updates can only be accomplished by replacing the IOS software running on the router; there is no facility for amending or patching installed IOS software. This section also presents information about backing out of an upgrade.

124

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

To determine the current software release running on a router, use the command show version, and identify the version and memory size as shown in the transcript below.
Central> show version IOS(tm) 3600 Software (C3640-I-M), Version 11.3(4)T1, RELEASE (fc1) Copyright (c) 1986-1998 by cisco Systems, Inc. . . System image file is "flash:c3640-i-mz.113-4.T1", booted via flash cisco 3640 (R4700) processor with 28672K/4096K bytes of memory. . . 8192K bytes of processor board System flash (Read/Write) . . Central>

The underlined portions of the transcript are the software version, router model, RAM size, and flash memory size, respectively. To compute the total RAM on the router, simply add the two parts of the RAM size rating: this router has 32MB of RAM. It is important to know the router model and memory sizes before attempting to obtain a software upgrade.

Motivations for Updating Router Software

Installing an IOS update entails inconvenience and the risk of disruption of service. Weigh the benefits of upgrading against the risks before you start. The list below describes some good reasons for installing an update. 1. To fix known vulnerabilities when security vulnerabilities are found in Cisco IOS products, one solution may be to upgrade to a later edition of the IOS software. 2. To support new features Cisco has added new operational and security features to each new IOS release. If you need one or more of these features to support your network, or to enforce your local security policy, then it makes sense to upgrade. 3. To improve performance you might need an upgrade to support new hardware or hardware features. If the performance benefit is greater than the cost of upgrading, then do the upgrade. Software updates entail substantial costs. First, the router must be out of service for at least a short time during the installation process; depending on router model and other factors, the minimum downtime will range from about a minute to several minutes. Second, some features may not work in a newer release; they might be broken or simply unsupported. It is very important to read the release notes for a new

Version 1.0j

UNCLASSIFIED

UNCLASSIFIED

You must supply the IP address or host name of the TFTP server host. If this step fails, do not proceed, abandon the update and check the server configuration before trying again. 2. Shut down external interfaces. If the router to be upgraded is used to enforce security at an enclave boundary, such as the boundary between your network and the Internet, then disable the outside network interfaces using the shutdown command in interface configuration mode.
Central# config t Central(config)# interface eth 0/0 Central(config-if)# shutdown Central(config-if)# end

3. Back up the current running configuration. Copy your current running configuration to your TFTP server using the copy command. (Note: make sure you have followed the password handling instructions in Section 4.1 before doing this.)
Central# copy running-config tftp

You must supply the IP address or host name of the TFTP server host. If this step fails, do not proceed, abandon the update and check your TFTP configuration before trying again. 4. Load the new software. Copy the new IOS software from the TFTP or FTP server to the flash memory of the router. On most Cisco routers, the flash will be erased automatically during this step; if asked whether to erase the flash, answer yes. Use the copy command as follows.
Central# copy tftp flash

On some Cisco routers, it is possible to store several IOS releases in flash memory and select which one to run. (Because very few Cisco routers have sufficient flash memory to hold multiple IOS releases, that scenario is not covered here.) If this copy succeeds, your router may automatically reboot; if it does not, then reboot it manually using the command reload. If you are performing the update over a network connection, your connection will be broken at this point.
Central# reload Proceed with reload? [confirm] y

5. Confirm the new IOS version and boot image. Watch the boot messages on the router console to confirm the new IOS software version and boot image. If you performed steps 1 through 4 over a network connection, re-establish the connection at this point and check the IOS version and boot image with show version. Then, enable privileges and confirm the configuration status with show running-config. Check the status of the interfaces, and check that the access lists and static routes are still present.
Central# show version

128

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Cisco Internetwork Operating System Software IOS(tm) 1600 Software (C1600-SY56I-M), Version 12.0(9), RELEASE SOFTWARE . . Central# show ip interface . . Central# show running-config . .

6. Bring up external interfaces, if necessary. If you shut down your routers external interfaces in step 2, they should have come back up as part of the reload in step 4. If the second command in step 5 showed that they did not come back up, then bring them back up now using the command no shutdown.
Central# config t Central(config)# interface eth 0/0 Central(config)# no shutdown Central(config)# end

Depending on network speed and router model, this procedure may take about 5-20 minutes. Note that, for some older Cisco router models, additional hardware-specific steps may be needed. Consult the release notes for the particular router for details.

Transcript of a Successful Update Procedure

The recorded transcript below shows an upgrade of a Cisco 3640 router from IOS 11.3(4) to 12.0(5).
South> show version Cisco Internetwork Operating System Software IOS(tm) 3600 Software (C3640-I-M), Version 11.3(4)T1, RELEASE SOFTWARE (fc1) . . South>show flash System flash directory: File Length Name/status 1 3208548 c3640-i-mz.113-4.T1 [3208612 bytes used, 5179996 available, 8388608 total] 8192K bytes of processor board System flash (Read/Write) South> enable Password: South# copy flash: tftp System flash directory: File Length Name/status 1 3208548 c3640-i-mz.113-4.T1 [3208612 bytes used, 5179996 available, 8388608 total] Address or name of remote host [14.2.9.6]? 14.2.9.6 Source file name? c3640-i-mz.113-4.T1 Destination file name [c3640-i-mz.113-4.T1]? c3640-i-mz-113-4.T1.bak

Version 1.0j

UNCLASSIFIED

129

Router Security Configuration Guide

UNCLASSIFIED

Verifying checksum for 'c3640-i-mz.113-4.T1' (file # 1)... OK Copy 'c3640-i-mz.113-4.T1' from Flash to server as 'c3640-i-mz-113-4.T1.bak'? [yes/no]yes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!! Upload to server done Flash device copy took 00:00:19 [hh:mm:ss] South# config t Enter configuration commands, one per line. End with CNTL/Z. South(config)# interface ethernet0/1 South(config-if)# shutdown South(config-if)# exit South(config)# exit South# %SYS-5-CONFIG_I: Configured from console by console South# copy running-config tftp Remote host []? 14.2.9.6 Name of configuration file to write [south-confg]? south-config.bak Write file south-config.bak on host 14.2.9.6? [confirm] Building configuration... Writing south-config.bak !! [OK] South# copy tftp flash System flash directory: File Length Name/status 1 3208548 c3640-i-mz.113-4.T1 [3208612 bytes used, 5179996 available, 8388608 total] Address or name of remote host [255.255.255.255]? 14.2.9.6 Source file name? c3640-ik2o3s-mz_120-5_T1.bin Destination file name [c3640-ik2o3s-mz_120-5_T1.bin]? c3640-ik2o3s-mz_1205_T1.bin Accessing file 'c3640-ik2o3s-mz_120-5_T1.bin' on 14.2.9.6... Loading c3640-ik2o3s-mz_120-5_T1.bin from 14.2.9.6 (via Ethernet0/0): ! [OK] Erase flash device before writing? [confirm] Flash contains files. Are you sure you want to erase? [confirm] Copy 'c3640-ik2o3s-mz_120-5_T1.bin' from server as 'c3640-ik2o3s-mz_120-5_T1.bin' into Flash WITH erase? [yes/no]yes Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased Loading c3640-ik2o3s-mz_120-5_T1.bin from 14.2.9.6 (via Ethernet0/0): !!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! [OK - 7656076/8388608 bytes] Verifying checksum... OK (0xDC3B) Flash device copy took 00:00:50 [hh:mm:ss] South# reload System configuration has been modified. Save? [yes/no]: no Proceed with reload? [confirm] %SYS-5-RELOAD: Reload requested

130

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

System Bootstrap, Version 11.1(19)AA, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) Copyright (c) 1998 by cisco Systems, Inc. C3600 processor with 32768 Kbytes of main memory Main memory is configured to 64 bit mode with parity disabled program load complete, entry point: 0x80008000, size: 0x74d170 Self decompressing the image : ############################################# [OK] . . South> South> show ip interface brief Interface IP-Address OK? Method Status Protocol Ethernet0/0 14.2.9.64 YES NVRAM up up Ethernet0/1 14.2.10.250 YES NVRAM up up Ethernet0/2 unassigned YES NVRAM administratively down down Ethernet0/3 unassigned YES NVRAM administratively down down South> enable Password: South# show running-config Building configuration... Current configuration: ! version 12.0 service timestamps debug uptime . . ! end South# exit

Backing Out an Update

If functional testing reveals a problem with your router after an upgrade, you may need to return to your old IOS version. Simply follow the procedure described above, starting with step 2. In step 3, use a different name than you used during the upgrade procedure. In step 4, load the backup copy of the old IOS software. Note that, if you have upgraded from one IOS major version to another (e.g. from 11.2 to 12.0), your stored configuration might not work correctly when you fall back to the older version. In that case, restore the backup copy of the configuration that you saved during the upgrade procedure step 1.
Central# . . Central# . . Central# Central# . . copy tftp flash

UNCLASSIFIED

2. Viewing the current route table To view the current route table, use the command show ip route. Depending on the size of the network and the kinds of routing protocols used, this list may be very large. A very important part of reviewing the route table is checking the route codes and checking the destination gateway. Each route code identifies how one route joined the table; the destination gateway is simply the next hop on that route. Check the route codes to make sure that all the routes joined the table either directly (code C), or were added as static routes (code S), or were added by a configured routing protocol (codes R, O, and others, see Section 4.4). The figure below shows how to interpret the output of show ip route.
Gateway of last resort is 14.1.1.250 to network 0.0.0.0 O IA O IA O C O E2 C R O*E2 7.0.0.0/8 [110/12] via 14.1.1.250, 2d18h, Ethernet0/0 7.0.0.0/8 [110/14] via 14.1.1.250, 2d18h, Ethernet0/0 172.18.0.0/16 [110/11] via 14.1.1.250, 1d13h, Ethernet0/0 14.1.0.0/16 is directly connected, Ethernet0/0 14.2.6.0 [110/10] via 14.1.1.20, 1d01h, Ethernet0/0 14.2.9.0 is directly connected, Ethernet0/1 14.2.10.0 [120/1] via 14.2.9.64, 00:01:05, Ethernet0/1 0.0.0.0/0 [110/3] via 14.1.1.250, 2d19h, Ethernet 0/0

Route codes

Destination gateways

Figure 4-8: Interpreting Route Table Output

3. Viewing the routing protocols in use The command show ip protocol gives a verbose listing of the route update mechanisms currently used on the router. The output is different for each kind of protocol. The command show ip protocol summary gives a quick overview. All of the individual routing protocols also have extensive status commands, see Section 4.4 for some recommendations. The example below shows the IP routing protocol summary and (abbreviated) output for a useful OSPF status command.
Central# show ip protocol summary Index Process Name 0 connected 1 static 2 ospf 1 3 rip Central# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 14.2.1.20 1 FULL/DR 00:00:33 14.2.1.20 Eth0/0 14.2.1.250 1 FULL/DR 00:00:38 14.2.1.250 Eth0/0 Central#

134

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

4. Viewing the current ARP table Extraneous devices, mis-connected devices, and unauthorized devices on a network segment can often be detected by their presence in a routers address resolution (ARP) table. To display the ARP table, use the command show arp, as in the example below.
Central# show arp Protocol Address Age(min) Internet 14.2.9.6 57 Internet 14.2.1.20 10 Internet 14.2.9.64 43 Internet 14.1.1.250 53 . . Central# Hardware Addr 0004.acd5.f3f6 0010.7bf9.127a 0050.0f03.3680 0010.7bb6.baa0 Type Interface ARPA Eth0/1 ARPA Eth0/0 ARPA Eth0/1 ARPA Eth0/0

5. Viewing the logged in users The command show users displays a list of users that are currently logged in. In the example output below, there is one user logged in at the console, and two are logged in over the network.
Central# Line 0 con 130 vty *131 vty Central# show users User Host(s) Idle Location 0 jsmith idle 00:00:56 0 andrew idle 00:01:02 14.2.1.20 1 neal idle 00:00:00 14.2.9.6

6. Viewing host name and name lookup information Cisco IOS uses two mechanisms for mapping between IP addresses and names: locally defined names, and DNS. Locally defined names take precedence over DNS names. Use the command show host to display the DNS configuration and the list of locally defined names.
Central# show host Default domain is not set Name/address lookup uses domain service Name servers are 14.1.1.2, 14.2.9.1 Host Flags east (perm, OK) central (perm, OK) south (perm, OK) Central# Age 4 ** 52 Type IP IP IP Address(es) 14.1.1.20 14.1.15.250 14.2.9.64

7. Viewing interface status and configuration Use the command show ip interface to view a verbose display of the status and configuration of a routers network interfaces. For a quick look, use the command show ip interface brief. In all cases, the listing will include both active and inactive interfaces. The example below shows the brief output format, slightly abbreviated.

Version 1.0j

UNCLASSIFIED

135

Router Security Configuration Guide

UNCLASSIFIED

Central# show ip interf brief Interface IP-Address OK? Ethernet0/0 14.1.15.250 YES Ethernet0/1 14.2.9.250 YES Ethernet0/2 unassigned YES Ethernet0/3 unassigned YES Central#

Method NVRAM NVRAM unset unset

Status up up down down

Protocol up up down down

8. Viewing line status Every Cisco router has at least one physical line connection, the console, and typically five virtual line connections, the telnet vty lines. Use the command show line to display a summary of lines available on a router (see Section 4.1.4). To display the full status of a line, use show line name number, for instance, show line aux 0. 9. Viewing currently open UDP sockets Use the command show ip socket to list the currently open UDP network service sockets on the router. The output is a little cryptic, but can provide valuable clues to the services that the router is actually providing. The example below shows the output for a router running fairly few services.
Central# show ip sockets Proto Remote Port Local Port 17 0.0.0.0 520 14.1.15.250 520 17 14.2.9.1 36269 14.1.15.250 161 17 0.0.0.0 123 14.1.15.250 123 17 14.2.9.6 514 14.1.15.250 6082 Central# In Out Stat TTY 0 0 1 0 0 0 1 0 0 0 1 0 0 0 10 132

The first line is the RIP route protocol service (local port 520). The second line is the SNMP service to a host running an SNMP/RMON management tool (local port 161). The third line is the network time service (NTP, port 123). The fourth line is the logging client, sending syslog messages to a Unix host (remote port 514). 10. Viewing the current configuration To view the current running IOS configuration, use the command show running. The resulting output will typically be fairly long. To review a configuration in depth, save the command results to a file, print it, and review the hardcopy. To view the saved startup configuration (in NVRAM) use show startup. Normally, these two configurations should be very similar. If the configurations are very large and complex, use a file comparison tool, such as Unix diff or Windows fc, to highlight the differences. Archive a copy of the configuration after any major change, or on a monthly basis. This can help with problems, and also shorten downtime if the router loses its stored configuration. The example below shows how to save an archive copy of a configuration to an FTP server, using IOS 12.0.

136

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# ip ftp password 0 r0ut3rQQ Central(config)# ip ftp user rscg Central(config)# exit Central# copy running-config ftp Address or name of remote host []? 14.2.9.1 Destination filename [central-confg]? central-config.txt Writing central-config.txt !! 5699 bytes copied in 12.716 secs (474 bytes/sec) Central#

In IOS 11.3 and earlier, FTP is not supported, but TFTP can be used for making archive copies in a very similar manner (see Section 4.5.5). Because TFTP is insecure, it should be used with care and disabled when not in use. Another way to get an archive copy of the running configuration is to use text logging features of Telnet and terminal emulation applications. 11. Viewing currently running processes Many IOS services and facilities run as separate IOS processes. Use the command show process to list the running processes. The output is usually quite long. Check for unwanted processes and services.

Router Throughput and Traffic Commands

The commands listed below display various traffic statistics that can be useful in diagnosing router traffic flow. There are hundreds of traffic and processing status commands in Cisco IOS, see [7] for more information about some of them. Understanding normal network and link traffic loads can be critical for identifying anomalous conditions that are indications of attacks, misconfiguration, or component failure. Most of these commands produce voluminous but clearly formatted output. 1. Viewing the network traffic on a per-interface basis To view the total traffic for each interface, use the command show interface. This will display a comprehensive report on the traffic through all the interfaces. To view the traffic for a single interface, simply supply that interface name to the command. The example below shows the output format for a single Ethernet interface.
Central# show interface eth 0/0 Ethernet0/0 is up, line protocol is up Hardware is AmdP2, address is 0050.7357.cbe0 Internet address is 14.1.15.250/24 . . Last clearing of "show interface" counters 23:20:53 . .

Version 1.0j

UNCLASSIFIED

137

Router Security Configuration Guide

UNCLASSIFIED

991606 packets input, 103806395 bytes, 0 no buffer Received 800624 broadcasts,0 runts,0 giants,0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 input packets with dribble condition detected 480919 packets output, 38371898 bytes, 0 underruns 0 output errors, 78 collisions, 1 interface resets 0 babbles, 0 late collision, 215 deferred 0 lost carrier, 0 no carrier 0 output buffer failures, 0 output buffers swapped out Central#

If traffic volume monitoring is important for a particular interface, then clear the counters on a periodic basis. Clearing the counters sets the traffic volume record back to zero for both input and output. The example below shows how to clear the counters for a single interface.
Central# clear counter Eth 0/0 Clear "show interface" counters on this interface [confirm]y Central#

2. Viewing IP Protocol Statistics To display a long listing of IP and related protocol traffic statistics, use the command show ip traffic. The output is quite long, but can reveal certain classes of attacks. 3. Viewing SNMP Protocol Statistics To display the SNMP messages statistics and configuration, use the very simple command show snmp. If the output shows any SNMP traffic, and the network does not have an SNMP infrastructure deployed, then the router may have been subjected to an SNMP sweep by an attacker. The example below shows the output for a router with a very modest amount of SNMP traffic.
Central# show snmp Chassis: Central Contact: Vanessa & Phyl Location: second floor 73 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 263 Number of requested variables 0 Number of altered variables 10 Get-request PDUs 63 Get-next PDUs 0 Set-request PDUs 73 SNMP packets output 0 Too big errors (Maximum packet size 1500) 2 No such name errors 0 Bad values errors

138

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

0 General errors 73 Response PDUs 0 Trap PDUs SNMP logging: disabled Central#

The only way to clear these statistics is to reset the router.

Router Debug Commands

Cisco IOS offers a very extensive suite of debugging commands. Each debugging command is associated with a particular service, facility, or feature of the router. When debugging is enabled for a particular protocol or feature, all activities of that protocol or feature will generate log messages at level 7. Debug messages, when generated, are sent to all log sources configured to receive them. The number of messages generated by debugging can often be quite large. Therefore, when using the debug messages for interactive troubleshooting, be sure to configure the buffered log and syslog for level 6 (informational). Also, debugging can impose a substantial computational burden, and should be used sparingly on operational routers. The example below shows how to configure debugging and turn on debugging messages for ICMP.
Central# show users Line User *130 vty 0 rscg Host(s) idle Idle Location 00:00:00 14.2.9.6

Central# config t Enter configuration commands, one per line. End with CNTL/Z. Central(config)# logging console information Central(config)# logging monitor debug Central(config)# logging buffered information Central(config)# logging trap information Central(config)# exit Central# Mar 3 17:01:58.159 EST: %SYS-5-CONFIG_I: Configured from console by nziring on vty0 (14.2.9.6) Central# term monitor Central# debug ip icmp ICMP packet debugging is on Central# ! At this point, ping central was performed on 14.2.9.6 Mar 3 17:02:13 EST: ICMP: echo reply sent, src 14.2.9.250, dst 14.2.9.6 Central# no debug ip icmp ICMP packet debugging is off Central#

The Cisco documentation set includes a volume with comprehensive information about the debug facilities and their behavior, the Cisco IOS Debug Command Reference.

Version 1.0j

UNCLASSIFIED

139

Router Security Configuration Guide

UNCLASSIFIED

4.5.7. References
[1] Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999. An excellent introduction to basic IOS operations, including examining the configuration and operation of a Cisco router. [2] Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. The sections on Performing Basic System Management and Monitoring the Router and Network include valuable advice on how to configure basic features and services. The section on File Management provides extensive information on downloading updates. [3] Ballew, S.M., Managing IP Networks with Cisco Routers, OReilly Associates, 1997. A practical introduction to the concepts and practices for using Cisco routers. [4] Coulibaly, M.M. Cisco IOS Releases: The Complete Reference, Cisco Press, 2000. An amazingly detailed book about IOS versions and the IOS release process. Consult this book for information on upgrade paths and compatibility. [5] Zeltserman, D., A Practical Guide to SNMPv3 and Network Management, Prentice Hall, 1999. An in-depth study of SNMPv3 and it use, including good coverage of the SNMP basics and SNMPv3 security features. [6] McGinnis, E. and Perkins, D., Understanding SNMP MIBs, Prentice-Hall, 1996. A detailed exploration of the SNMP management information base, including both standard and vendor-specific structures. [7] Cisco ISP Essentials, version 2.9, Cisco Systems, June 2001. available under: http://www.cisco.com/public/cons/isp/documents This Cisco guide for Internet Service Providers includes a good discussion of IOS upgrades, as well as many examples of router status and diagnostic commands.

140

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

143

Router Security Configuration Guide

UNCLASSIFIED

Routers send their accounting records to the security server for storage. Information in an accounting record includes the users identity, the usage start and stop times, number of packets and bytes, and the command that was executed. AAA accounting can only use the TACACS+ or RADIUS security servers for record logging. As with authentication and authorization, you configure AAA accounting by defining a list of accounting methods. If the list was a named list then it must be applied to the appropriate lines and interfaces. The list will define the list of accounting methods for the indicated accounting type. For an accounting type, if a default list is not defined and a named list is not applied to the line then no accounting will occur for that type on that line. There are several types of accounting which can be turned on: exec, network, connection, command, system. All types are supported by TACACS+, but RADIUS does not support command or system. ! network accounting Provides information for PPP, SLIP, and ARAP protocols. The information includes the number of packets and bytes. ! EXEC accounting Provides information about user EXEC sessions on the network access server. The information includes the username, date, start and stop times, IP address of access server, and telephone number the call originated from for dial in users. ! connection accounting Provides information about all outbound connections made from the network access server. This includes telnet, rlogin, etc. (local-area transport (LAT), TN3270, packet assembler/disassembler (PAD)). ! commands This applies to commands which are entered in an EXEC shell. This option will apply accounting to all commands issued at the specified privilege level. If accounting is turned on for level 15 and user logged in at enable level 15 runs a level 1 exec command no audit event will be generated. Account records are generated based upon the level of the command not the level of the user. Accounting records will include the command, date, time, and the user. Cisco's implementation of RADIUS does not support command accounting. ! system Provides information about system-level events. This would include information like system reboots, accounting being turned on or off, etc. Note that system accounting will only use the default list. Ciscos implementation of RADIUS does not support system accounting. AAA accounting requires that AAA is enabled, security servers are defined, and that a security server is specified for each accounting type which is desired. Each accounting record is comprised of accounting AV pairs and is stored on the access control server. Accounting can also be configured such that a user requested action can not occur until an acknowledgement is received from the security server stating that the accounting record has been saved.

144

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

For more information about AAA accounting, including RADIUS and TACACS+ attributes, see the IOS Security Configuration Guide [1].

Method Lists
Method lists are used to specify one or more security protocols or mechanisms for AAA. Method lists also specify the sequence in which the security mechanisms should be used. These lists can be used to provide backup mechanisms for when the primary security method is unavailable. For AAA the Cisco IOS software will use the first method listed to perform the authentication, authorization, or accounting as appropriate. If the Cisco IOS software is unable to complete the task due to failure to communicate with the security server or mechanism then the Cisco IOS will try the next method in the list. This continues until there is a successful communication with a listed method or the list is exhausted. If the list is exhausted then the mechanism will fail. In the case of authentication and authorization the user will be denied access. In the case of accounting the auditing event will not occur, except for waitstart accounting which will also deny the user access for the service. Note: a negative response from a security server will also deny access in the case of authentication and authorization and the next method in the list will not be attempted. Method lists can be given a specific name or can use the keyword default. When a method list is specified using the default keyword the list will be automatically applied to all the appropriate interfaces and lines. Named access lists can then be defined and then applied to the particular interface or line to override the default behavior. This also means that a named method list will have no effect on a interface or line unless it has been applied to it. Methods requiring only a password should never be placed ahead of methods requiring a username and password, since the user will never be prompted for a username. A special case, seems to exist for the local database in that if a username does not exist the next method will be attempted. (RADIUS, TACACS+, and Kerberos security servers will deny access if the username does not exist and the server is available.) The following example shows a named method list for AAA authentication, and default lists for authorization and accounting for network traffic:
aaa authentication login remoteauthen radius local aaa authorization network default radius local aaa accounting network default start-stop radius

4.6.2. Router Access Control

The previous section introduced authentication, authorization, and accounting mechanisms and how method lists are used to define the security protocol to use for a service. This section will cover details of configuring AAA for controlling access to the router. Section 4.6.3 briefly covers a dial-in user example. Cisco's ACS Version 2.3 was used for testing RADIUS and TACACS+ security servers. Section 4.6.4 describes security server protocols in more detail.

Version 1.0j

UNCLASSIFIED

145

Router Security Configuration Guide

UNCLASSIFIED

In order to use Cisco's AAA mechanisms you must first enable AAA services. the command for doing this is:
aaa new-model

The remainder of this section will deal with configuring the three AAA services by giving concrete examples (see Figure 4-8 on page 151) and describing the rationale behind the configuration.

Authentication
The AAA authentication commands can be grouped into two areas which correspond to how they are applied. First there is directly controlling authentication to the router and then there are commands for providing information about the authentication process. The four authentication commands used for controlling access to a router are: ! aaa authentication login {default | list-name} method-list is used to specify login authentication method lists. ! aaa authentication enable default method-list can be used to control access to enable mode with the authentication mechanism. ! aaa authentication local-override is used to override all authentication method lists to look at the local database first. This command will also require that all authentication requests to the router include a username as well as a password. ! (line): login authentication {default | list-name} is required to apply a named login authentication method list to a line. There is never really a need to use the "default" option but it could be used to be more explicit, and avoid possible default behavior changes in the IOS. Four authentication commands are used for messaging to the user. The commands deal with prompts and informational messages. Using these commands in your environment may be a useful thing to do. There is an important point to remember when setting prompts and messages: Do Not Give Away To Much Information! Like specifying why AAA failed with the aaa authentication fail-message command, it is better to stick to generic responses and allow the administrator to look in the audit records for debugging purposes. Another bad example would be using an informational banner to tell people this is your bastion router or this router protects a special enclave. The authentication commands used for messaging are: ! aaa authentication username-prompt text-string changes the username prompt from "Username" to the defined value of text-string. ! aaa authentication password-prompt text-string changes the password prompt from "Password" to the defined value of text-string.

146

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

UNCLASSIFIED

servers. Periodic generates more accounting records than newinfo since it will also include interim reports on actions in progress. ! (line): accounting {arap | commands level | connection | exec} [default | list-name] can be used to apply different accounting services and levels to different lines. ! show accounting {system | network | exec | commands level} {start-stop | wait-start | stop-only} tacacs+ command can be used to show active connection information. This is not a configuration command but is worth mention. AAA allows for four levels of accounting as set by the aaa accounting command: ! start-stop accounting sends records when the accounting type starts and stops. This is all done in the background and the user process will continue regardless of the outcome of the accounting attempt. ! wait-start accounting sends an accounting record at the start and stop of each specified type. In this case the user process can not continue, and will actually be terminated, if the start accounting record can not be recorded. If the start record is sent and acknowledged the user process can continue and at the end a stop accounting record will also be sent. ! stop-only sends an accounting record at the end user process which is of an accountable type. ! none specifies that no accounting records will be generated for a particular accounting type. Important: if wait-start accounting is specified on an interface or line and no security server is available for receiving the accounting record then the user process using that interface or line will be locked out. So don't use wait-start on the console line! A basic recommendation would be to use wait-start for remote users and start-stop for local users. For command accounting stop-only will provide the necessary coverage and will greatly reduce the number of accounting records. As mentioned earlier Cisco's RADIUS implementation does not support system and command accounting. Therefore, there are two basic scenarios for accounting depending upon which security server is in use. Configuration of TACACS+ accounting:
Central(config)# aaa accounting system default start-stop tacacs+ Central(config)# aaa accounting exec default start-stop tacacs+ Central(config)# aaa accounting exec remoteacc wait-start tacacs+ Central(config)# aaa accounting commands 15 cmdacc stop-only tacacs+ Central(config)# aaa accounting connection default start-stop tacacs+ Central(config)# line vty 0 4 Central(config-line)# accounting exec remoteacc

150

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

Central(config-line)# Central(config)# line Central(config-line)# Central(config-line)#

accounting commands 15 cmdacc aux 0 accounting exec remoteacc accounting commands 15 cmdacc

Configuration of RADIUS accounting:

Central(config)# aaa accounting exec default start-stop radius Central(config)# aaa accounting exec remoteacc wait-start radius Central(config)# aaa accounting connection default start-stop radius Central(config)# line vty 0 4 Central(config-line)# accounting exec remoteacc Central(config)# line aux 0 Central(config-line)# accounting exec remoteacc

Since remote administration is more dangerous than console administration, the configurations above add extra accounting to the remote lines. Part of the extra protection is requiring that before a remote user can get an exec shell an audit record must be recorded into the security server. Note: the aux line configuration is not required if the aux line is disabled as suggested in Section 4.6.2. Also, for information about RADIUS Attributes and TACACS+ AV Pairs for use in accounting, refer to the appendices in the Cisco Security Configuration Guide.

Putting It Together
This section will put together the AAA mechanisms from earlier in this section and will apply them to the configuration of the Central and South Routers. The Central router is between the facility backbone and the specific department in the infrastructure. The South router acts as the first layer of defense to a well protected enclave.

Version 1.0j

UNCLASSIFIED

151

Router Security Configuration Guide

UNCLASSIFIED

Facility Network 14.1.0.0/16

eth 0

eth 1

14.1.1.20

East

14.2.6.250

Authentication Server 14.2.6.18

LAN 1 14.2.6.0/24
eth 0/0

14.1.15.250

Central
eth 0/1

14.2.9.250

UNCLASSIFIED

If a TACACS+ server was used in this example instead of the RADIUS server then system accounting would have also been specified. Command level accounting could have been applied as well but would probably not be needed here. South Router Configuration:
South(config)# enable secret rI^3r6Ed South(config)# username bethadmin password hs0o3TaG South(config)# username johnadmin password an0!h3r( South(config)# banner motd ^T . . ^T South(config)# tacacs-server host 14.2.6.18 South(config)# tacacs-server key Ir3@1yh8n#w9@swD South(config)# aaa new-model South(config)# aaa authentication login default tacacs+ local South(config)# aaa accounting exec default start-stop tacacs+ South(config)# aaa accounting exec remoteacc wait-start tacacs+ South(config)# aaa accounting connection default start-stop tacacs+ South(config)# aaa accounting system default start-stop tacacs+ South(config)# aaa accounting commands 15 default stop-only tacacs+ South(config)# access-list 91 permit 10.2.1.0 0.0.0.255 log South(config)# access-list 91 deny any log South(config)# line con 0 South(config-line)# transport input none South(config-line)# exec-timeout 5 0 South(config-line)# login local South(config-line)# exit South(config)# line vty 0 4 South(config-line)# access-class 91 South(config-line)# exec-timeout 5 0 South(config-line)# login local South(config-line)# transport input telnet South(config-line)# login authentication remotelist South(config-line)# accounting exec remoteacc South(config-line)# exit South(config)# line aux 0 South(config-line)# transport input none South(config-line)# login local South(config-line)# exec-timeout 0 1 South(config-line)# no exec South(config-line)# end

As in the first example start by setting up local access to the router. The enable secret command sets the password on the privileged exec level and the username commands setup all the local accounts. In this case there may be fewer local accounts since this router is the first lines of defense to a secure enclave. Again, when AAA is turned on the default authorization will not lock out the console.

154

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

The Message of the Day should be used to provide the legal document for controlling access to the device and allowing for monitoring. This message should be generic and hopefully the same on all of your routers, firewalls, servers, workstations, etc. Next configure the security server and turn on AAA mechanisms. Since the shared secret to the TACACS+ server is stored in the clear do not use the same shared secret for the router with any other device. Since communications to the security server are protected and the connection does not go outside the corporate boundary it is acceptable to allow communications to the server outside the router. With the aaa authentication login command make sure local is in the list as described earlier. Notice that the default accounting for exec is set to start-stop and that a named list was created for wait-start. This way by applying the named list to external connections and allowing the default list to automatically apply to console you will not be locked out of the router. Use connection accounting to track outbound connections generated by users logged onto the router, these should be minimal. Also, include system and commands 15 accounting since this router is providing protection to a special enclave. As before, create and apply an access-list to the vtys to limit remote access to internal networks only and if possible limit the remote hosts by actual host IP addresses instead of a network address. Issue the login local command on the console and vtys in case AAA services get turned off. This will continue to allow limited remote access based upon the local database and will be ignored while AAA mechanisms are still running. Also limit remote access to telnet only and limit the connection idle time to 5 minutes. The auxiliary port is disabled in this example. If a RADIUS server was used in this example instead of the TACACS+ server then system and command accounting would not be specified.

4.6.3. Dial-In Users

AAA services were designed with remote network access in mind. This includes remote access to routers as well as to network services like PPP. AAA using RADIUS is one of the primary means by which this is accomplished by Internet Service Providers (ISP's). Controlling access for dial-in users is similar to controlling access to the router but there are different protocols that are used. Additionally, although it is not shown, it is highly recommended that when dial-in access to the network or router is in use, that AAA services should be used in conjunction with a one-time password or similar token technology. Some important commands for controlling dial-in users are: ! aaa authentication ppp {default | list-name} <method-list> is used to specify PPP authentication method lists. ! aaa authorization {network | exec | commands level | reverseaccess} {default | list-name} <method-list> turns on AAA authorization for the specified type and designates the order in which

Version 1.0j

UNCLASSIFIED

155

Router Security Configuration Guide

UNCLASSIFIED

authorization methods will be applied. In this case we are particularly interested in turning on network authorization. ! aaa accounting {system | network | exec | connection |
commands level } {default | list-name} {start-stop | waitstart | stop-only | none} method-list turns on AAA's accounting

services for the specified accounting type. For dial-in users network needs to be used. ! aaa processes number command is used to specify the number of background processes to start to handle concurrent authentication and authorization requests. ! (interface): ppp authentication {pap | chap | pap chap | chap
pap} [if-needed] {default | list-name} [call-in] [one-tone]

command is used to enable pap, chap, or both forms of authentication on the selected interface. ! (interface): ppp authorization {default | list-name} command is used to apply a ppp authorization list to the selected interface. ! (interface): ppp accounting [default | list-name] command is used to apply accounting methods to the PPP service on the selected interface. The example below gives one potential application of AAA services for dealing with dial-in services (Note: this example is not complete). Figure 4-9 shows the relevant portion of the network, and the configuration for East is shown after it.

Facility Network 14.1.0.0/16

eth 0

eth 1

East 14.1.1.20/16
net access

14.2.6.250/24

Authentication Server 14.2.6.18/24

eth 0/0

14.1.15.250/16

modem

LAN 1 14.2.6.0/24
User Host 14.2.6.6/24

Central
eth 0/1

14.2.9.250/24

Telephone Network

LAN 2 14.2.9.0/24

modem

Remote Host

Figure 4-10: Router East in the Network

156

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Implementing Security on Cisco Routers

East(config)# enable secret t!tRd-1r East(config)# username fredadmin password d$oyTld1 East(config)# username bethadmin password hs0o3TaG East(config)# banner motd ^T . . ^T East(config)# radius-server host 14.2.6.18 East(config)# radius-server i3dRc8sRv(@oeU4) East(config)# aaa new-model East(config)# aaa authentication login default radius local East(config)# aaa authorization exec default radius East(config)# aaa authorization network default radius East(config)# aaa accounting exec default start-stop radius East(config)# aaa accounting exec remoteacc wait-start radius East(config)# aaa accounting connection default start-stop radius East(config)# aaa accounting network default wait-start radius East(config)# access-list 91 permit 14.2.9.0 0.0.0.255 log East(config)# access-list 91 permit 14.2.6.0 0.0.0.255 log East(config)# access-list 91 deny any log East(config)# line con 0 East(config-line)# transport input none East(config-line)# exec-timeout 5 0 East(config-line)# login local East(config-line)# exit East(config)# line vty 0 4 East(config-line)# access-class 91 East(config-line)# exec-timeout 5 0 East(config-line)# login local East(config-line)# transport input telnet East(config-line)# accounting exec remoteacc East(config-line)# exit East(config)# interface async 1 East(config-if)# encapsulation ppp East(config-if)# ppp authentication chap East(config-if)# end

In this example there are several items left incomplete: 1) the IPSec tunnel to Central has not been configured (see Section 5.2) to carry remote administrator access to the router (which is required to protect the username and password traveling across the facility backbone in the clear), 2) the terminal server lines have not been configured (and will need to have the remoteacc accounting list applied) and, 3) the asynchronous interface configuration needs completed (if the aux port is not used as an asynchronous interface disable it see Section 4.1.4). The following descriptions will only discuss items which are different from the Putting It Together examples in the previous section. AAA authorization for exec and network was added to separate the privileges for network users and router administrators. In addition, accounting was added for recording network events. The asynchronous interface contains the commands necessary for configuring AAA authentication for the ppp protocol. Also the AAA authorization and accounting default commands for network will also apply to the ppp traffic as it traverses the line.

Version 1.0j

UNCLASSIFIED

157

Router Security Configuration Guide

UNCLASSIFIED

If a TACACS+ server was used in this example instead of the RADIUS server then system accounting would have also been specified. Command level accounting could have been applied as well but would probably not be needed here. This section only provides one example for a possible network access server configuration. Dealing with Dial-In Users is far to complex a subject to be dealt with in depth in this document. Please see Cisco's "Dial Solutions Configuration Guide" for more details.

4.6.4. Security Server Protocols

Version 1.0j

UNCLASSIFIED

Advanced Security Services

5. Advanced Security Services

This section describes some Cisco IOS facilities that are not central to the task of securing a router. These facilities offer additional security services that can contribute to the secure operation of entire networks or communities.

5.1. Role of the Router in Inter-Network Security

When considering the task of joining IP security with IP router functionality, the network administrator (NA) or security engineer (SE) can be overwhelmed. The vast amount of available literature and the technical jargon can cause the NA to ignore available security features altogether. To reduce this daunting task to one which is manageable and easily understandable, this section of the guide will focus on the concept of packet protection. Each packet passing through, or created by the router has source addresses and is carrying data which may need some form of protection. By focusing on this fundamental building block of IP networking, we can devote our energy to providing you with some basic cryptographic concepts, and the specific Cisco IOS commands that implement them. These can then be easily incorporated into current router configurations to help meet specific security requirements. Routers used for supplying packet protection are almost always positioned as gateway devices. These devices sit between untrusted networks, such as the Internet, and local trusted networks. In 1996, Cisco released IOS version 11.2, which included the Cisco Encryption Technology (CET). This proprietary solution was a stopgap effort for customers until a standards-based solution was in place. While it provided some level of packet protection for Cisco-to-Cisco communications, it did not allow Cisco products to interoperate with other IP security products. Since the adoption of the IETF IP Security (IPSec) standards, both Cisco (in IOS 11.3 and above) and other IP product manufacturers have implemented and offered IPSec solutions for packet protection to their customers. This standards-based approach allows for interoperability between Cisco routers and other IP security products, e.g. non-Cisco routers, firewalls, servers, etc. Thus, IPSec tunnels can be constructed between two routers interfaces using the IPSec protocol framework. This framework has been scrutinized by many skilled evaluators in industry and academia. It works in conjunction with the standards-based Internet Key Exchange (IKE) protocol to provide the users a very solid IP security foundation.

Version 1.0j

UNCLASSIFIED

163

Router Security Configuration Guide

UNCLASSIFIED

5.2. IP Network Security

165

Router Security Configuration Guide

UNCLASSIFIED

below with a short description of its purpose (the default setting is given first in all lists of choices): ! priority number a positive integer used to uniquely identify the policy when two or more are contained within the routers configuration file (default: none) ! encryption algorithm for protecting the IKE protocol messages (choices: DES, 3DES in certain IOS versions, e.g. 12.0(3)T). Unless you have a very sound reason to use DES, (e.g. 3DES doesnt provide the needed performance) always use 3DES. The DES algorithm is not acceptable, however, to protect information between two peers over a hostile, unprotected network (e.g. the Internet), so use 3DES for such cases. ! hash algorithm for providing integrity to IKE protocol messages (choices: SHA, MD5) ! authentication method for identifying the routers attempting to establish a tunnel (choices: Rivest-Shamir-Adelman (RSA) signature, RSA encryption, pre-shared keys) ! Diffie-Hellman group used for computing the encryption key (choices: #1 (768 bit modulus), #2 (1024 bit modulus)). We recommend using #2, and eventually #5 (1536 bit modulus) when it becomes available. ! security association lifetime lifetime (in seconds) a tunnel should remain in place before it is automatically rebuilt (default: 86400 (one day)) The administrators for the North and Remote routers should enter the IKE security policy into their routers using the commands shown below.
North# North# config t Enter configuration commands, one per line. End with CNTL/Z. North(config)# crypto isakmp policy 1 ! The policy number may be an integer between 1 and 65,536, with ! the priority given to lower numbers North(crypto-isakmp)# encryption 3des ! If the users version of the IOS only supports the DES ! algorithm, and community of interest data separation is needed, ! then use the following command to select DES for encryption ! North(crypto-isakmp)# encryption des North(crypto-isakmp)# hash sha North(crypto-isakmp)# authentication pre-share North(crypto-isakmp)# group 2 North(crypto-isakmp)# lifetime 86400 North(crypto-isakmp)# exit North(config)# exit North#

and

166

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

Remote# Remote# config t Enter configuration commands, one per line. End with CNTL/Z. Remote(config)# crypto isakmp policy 1 ! The policy number may be an integer between 1 and 65,536, with ! the priority given to lower numbers Remote(crypto-isakmp)# encryption 3des ! If the users version of the IOS only supports DES, and ! community of interest data separation is needed, then use the ! following command to select DES for encryption ! Remote(crypto-isakmp)# encryption des Remote(crypto-isakmp)# hash sha Remote(crypto-isakmp)# authentication pre-share Remote(crypto-isakmp)# group 2 Remote(crypto-isakmp)# lifetime 86400 Remote(crypto-isakmp)# exit Remote(config)# exit Remote#

Using the show crypto isakmp policy command in privileged EXEC mode (on the console of Remote or North) should now display the following information:
North# show crypto isakmp policy Protection suite of priority 1 encryption algorithm: 3DES Triple Data Encryption Standard (168 bit keys) hash algorithm: Secure Hash Standard authentication method: Pre-Shared Key Diffie-Hellman group: #2 (1024 bit) lifetime: 86400 seconds, no volume limit Default protection suite encryption algorithm: DES - Data Encryption Standard (56 bit keys) hash algorithm: Secure Hash Standard authentication method: Rivest-Shamir-Adleman Signature Diffie-Hellman group: #1 (768 bit) lifetime: 86400 seconds, no volume limit North#

Establishing the IPSec Protection Parameters

Using the pre-shared key and the security policy, IKE will determine preliminary information needed to create IPSec tunnels. We now need to give the tunnel its desired characteristics. This parameter set can be built using the following three steps: 1. Creating the appropriate access lists

Version 1.0j

UNCLASSIFIED

167

Router Security Configuration Guide

UNCLASSIFIED

Some administrators will want to create tunnels to protect all protocol data flowing between two routers. Others will desire to protect only a subset of the data flow (e.g. all telnet, ftp, and http traffic). The following example displays an access list needed to protect ALL protocol information between the North and Remote routers. Using the any option (e.g. access-list 161 below) for both the source and destination in the access list will force all packets to be IPSec protected. Choosing the any option for the source and destination also eliminates the need for netmasking in the access list. Access lists can be used to improve the granularity of the IPSec tunnels, see Section 4.3 to learn more about access lists. The syntax for an access list rule, somewhat simplified, is shown below.
access-list access-list-number {deny | permit} protocol source source-wildcard source-options destination destination-wildcard destination-options auditing-options

The network administrator for the North and Remote routers should enter the IPSec access list into their routers using the following commands in privileged EXEC mode:
North# config t Enter configuration commands, one per line. End with CNTL/Z. North(config)# access-list 161 permit ip any any log North(config)# exit North#

and
Remote# config t Enter configuration commands, one per line. End with CNTL/Z. Remote(config)# access-list 161 permit ip any any log Remote(config)# exit Remote#

2. Configure the appropriate transform set The Cisco transform set identifies the desired protection mechanisms for building the IPSec tunnel. If the tunnel needs data authentication protection, then choosing either the Authenticated Header (AH) or the Encapsulated Security Payload (ESP) IPSec protocols with either hashing algorithms SHA or MD5 will suffice. If the tunnel you are setting up needs data confidentiality protection, then choose the ESP protocol with either the DES or 3DES encryption algorithms (we highly suggest 3DES). A network administrator could argue that data authentication is not really needed for a protective tunnel between gateway routers since this property is normally obtained by an application behind the router which is pushing data through the tunnel, but adding it can improve defense in depth. In the following example, the ESP protocol is chosen with both data protection and authentication properties applied to all information transmitted between the North and Remote routers.

168

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

The transform set also specifies what part of each packet is protected by the IPSec tunnel. For a hostile network scenario, the preferred mode is tunnel (which is the default). This mode protects both the original data portion of the IP packet and the original packet header, and creates a new IP header using the routers IP addresses. This hides potentially sensitive IP protocol information about the networks and applications that are sending data through the tunnel. If the IPSec tunnel is used for separating communities of interest over a protected network, then the transport mode will be sufficient. This mode protects the original data portion of the IP packet, but leaves the original IP header intact. The IPSec standards requires that tunnel mode be used when routers are employed as gateway security devices. For more information on both the encryption and authentication algorithms, and the tunnel modes, consult the Cisco IOS 12.0 Security Configuration Guide [2]. The command syntax for configuring an IPSec transform set is: crypto ipsec
transform-set transform-set-name transform1 transform2 . . . transformN. When you give this command, IOS will enter crypto transform set

configuration mode, to which you can give a variety of transform-set related commands. Use exit to leave transform set configuration mode. Configure the IPSec transform sets using the following commands:
North# North# config t Enter configuration commands, one per line. End with CNTL/Z. North(config)# crypto ipsec transform-set set1 esp-3des esp-sha-hmac ! The name set1 is an arbitrary name North(cfg-crypto-trans)# mode tunnel North(cfg-crypto-trans)# exit North(config)# exit North#

and
Remote# Remote# config t Enter configuration commands, one per line. End with CNTL/Z. Remote(config)#crypto ipsec transform-set set1 esp-3des esp-sha-hmac ! The name set1 is an arbitrary name Remote(cfg-crypto-trans)# mode tunnel Remote(cfg-crypto-trans)# exit Remote(config)# exit Remote#

3. Create the necessary crypto map Cisco IOS uses crypto maps to bring together all information needed to create IPSec tunnels. This information includes: the access-list to specify what traffic should be protected (covered above in section 1), the transform-set used to build the tunnel (covered above in section 2), the remote address for the peer end of the IPSec tunnel, the security association lifetime for the tunnel (in kilobytes and/or seconds), and whether to use the IKE protocol in setting up the tunnel. Each crypto map is

Version 1.0j

UNCLASSIFIED

169

Router Security Configuration Guide

UNCLASSIFIED

identified by a map-name and a positive integer sequence number (called seq-num below). The map-name used can represent one or more crypto maps, while the sequence numbers are used to set the priority for two or more crypto maps with the same name. If two or more crypto maps with the same name are used, those with lower the sequence numbers have higher priority. The following example shows the construction of a single crypto map for the North and Remote routers, which combine the previously entered configuration information. See Configuring IPSec Network Security in the Cisco IOS 12.0 Security Configuration Guide to learn more about crypto maps. The syntax for the crypto map command is: crypto map map-name seq-num ipsec-isakmp. Configure the IPSec crypto maps using the following commands:
North# North# config t Enter configuration commands, one per line. End with CNTL/Z. North(config)# crypto map pipe-1 1 ipsec-isakmp ! The name pipe-1 is an arbitrary name North(config-crypto-map)# match address 161 North(config-crypto-map)# set peer 7.12.1.20 North(config-crypto-map)# set transform-set set1 ! The following are optional, they limit the length of time and ! number of bytes the tunnel is good for data protection before ! automatic rekeying occurs North(config-crypto-map)# set security-assoc lifetime kilo 80000 North(config-crypto-map)# set security-assoc lifetime sec 26400 North(config-crypto-map)# exit North(config)# exit North#

and
Remote# Remote# config t Enter configuration commands, one per line. End with CNTL/Z. Remote(config)# crypto map pipe-1 1 ipsec-isakmp ! The name pipe-1 is an arbitrary name Remote(config-crypto-map)# match address 161 Remote(config-crypto-map)# set peer 14.2.0.20 Remote(config-crypto-map)# set transform-set set1 ! The following are optional, they limit the length of time and ! number of bytes the tunnel is good for data protection before ! automatic rekeying occurs Remote(config-crypto-map)# set security-assoc lifetime kilo 80000 Remote(config-crypto-map)# set security-assoc lifetime sec 26400 Remote(config-crypto-map)# exit Remote(config)# exit

North# no debug all North# debug crypto ipsec Crypto IPSEC debugging is on North# ping 7.12.1.20 North# 4w0d: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20, dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1), src_proxy= 14.2.0.20/255.255.255.255/0/0 (type=1), protocol= ESP, transform= 3esp-des esp-sha-hmac , lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4 4w0d: IPSEC(key_engine): got a queue event... 4w0d: IPSEC(spi_response): getting spi 595658916 for SA from 14.2.0.20 to 7.12.1.20 for prot 3 4w0d: IPSEC(key_engine): got a queue event... 4w0d: IPSEC(initialize_sas): ,

Version 1.0j

UNCLASSIFIED

175

Router Security Configuration Guide

UNCLASSIFIED

(key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20, dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1), src_proxy= 14.2.0.20/255.255.255.255/0/0 (type=1), protocol= ESP, transform= 3esp-des esp-sha-hmac , lifedur= 3600s and 4608000kb, spi= 0x238108A4(595658916), conn_id=100, keysize=0,flags=0x4 4w0d: IPSEC(initialize_sas): , (key eng. msg.) dest= 7.12.1.20, src= 14.2.0.20, dest_proxy= 7.12.1.20/255.255.255.255/0/0 (type=1), src_proxy= 14.2.0.20/255.255.255.255/0/0 (type=1), protocol= ESP, transform= 3esp-des esp-sha-hmac , lifedur= 3600s and 4608000kb, spi= 0x385219F(59056543), conn_id=101, keysize=0, flags=0x4 4w0d: IPSEC(create_sa): sa created, (sa) sa_dest= 7.12.1.20, sa_prot= 50, sa_spi= 0x238108A4(595658916), sa_trans= 3esp-des esp-sha-hmac , sa_conn_id= 100 4w0d: IPSEC(create_sa): sa created, (sa) sa_dest= 7.12.1.20, sa_prot= 50, sa_spi= 0x385219F(59056543), sa_trans= 3esp-des esp-sha-hmac , sa_conn_id= 101 North# no debug all

4. Use an IP packet sniffer to observe the contents of each packet in the IPSec tunnel negotiation This information, like that obtained from running the debug commands on the router, is invaluable in diagnosing exactly where the tunnel negotiation is failing, and for recovering from failures.

5.2.2. Using IPSec for Secure Remote Administration

The example used throughout the preceding section was to securely connect two networks from their gateways (which were Cisco routers). This could represent either connecting widely separated networks, or isolating networks within an organization. Another use of IPSec would be to use it to protect the administration of a Cisco router. Common ways to perform administration of a Cisco router is to use either a telnet (which sends the password in the clear) or SNMP. Since both of these run over IP, IPSec can be used to encrypt this communication, eliminating the threat of a network sniffer seeing passwords or sensitive configuration information. In this example, a computer on the desk of the administrator is to be used to administer the North router. Lets say the computer the administrator uses to configure the router has IP address 14.2.9.6, which is next to the servers in Figure 41. The IP address of the North router on the interface closest to the administrator is 14.2.1.250, so well secure a connection to there. First, well set up the configuration on the router, then examine the configuration sequence for a PC running Microsoft Windows 2000.

176

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

Configuring a Cisco Router for IPSec Secure Remote Administration

On the Cisco router, perform the following steps: 1. Enter configuration mode:
North# config t Enter configuration commands, one per line. End with CNTL/Z. North(config)#

2. Enable telnet access to the router for administration from the administrators machine. Well use access list 12 to list the machines that may to telnet to the router.
North(config)# no access-list 12 North(config)# access-list 12 permit 14.2.9.6 North(config)# vty 0 4 North(config-line) access-class 12 in North(config-line) exit North(config)#

3. Create an ISAKMP policy. The policy number selected here is 10, which is just an arbitrary number to set a priority, if two or more ISAKMP policies exist on North. Since the authentication is only between 2 machines, certificates just for this probably arent warranted, and so pre-shared keys can be used. Pre-shared keys are passwords or better yet a passphrase. However, if some form of a public key infrastructure (PKI) is already in place, certificates can be used. The encryption options are DES and 3DES. DES has been demonstrated to be weak, and possibly not even strong enough to protect passwords, so we recommend 3DES. The key exchange size of group 2 is larger than that for group 1, so again we select the stronger option. The default hashing algorithm, SHA, is suitable, so we will take the default and not enter it. The other option is the lifetime until a key renegotiation is required, but again, this does not concern us too much, so we will skip this.
North(config)# crypto North(config-isakmp)# North(config-isakmp)# North(config-isakmp)# North(config-isakmp)# North(config)# isakmp policy 10 authentication pre-share encryption 3des group 2 exit

4. Type in the authentication password. Please do not use anything in the dictionary, or anything easily guessed; include letters, numbers, and punctuation.
North(config)# crypto isakmp key my4pa$$phra$eHere address 14.2.9.6

5. The transform-set contains the parameters for protecting the actual traffic. Again, we want to use 3DES, and SHA. Since we are treating the router as just a host to connect to (i.e. it is not forwarding this particular traffic anywhere else), we can use transport mode instead of tunnel mode. This choice is also made because currently it is easier to configure IPSec in Windows 2000 to use transport mode.

Version 1.0j

UNCLASSIFIED

177

Router Security Configuration Guide

UNCLASSIFIED

North(config)# crypto ipsec transform-set 3des-sha-xport esp-3des esp-sha-hmac North(cfg-crypto-trans)# mode transport North(cfg-crypto-trans)# exit North(config)#

6. The IPSec connections must be allowed. We number the access list as 167.
North(config)# access-list 167 permit ip host 14.2.1.250 host 14.2.9.6 log

7. A crypto map must be created. Any name can be given to this we use ciscoadmin. Priority for this crypto map is set to 10. The match address links the desired access-lists to the crypto map, so we use the one we entered in the previous step, 167.
North(config)# crypto map North(config-crypto-map)# North(config-crypto-map)# North(config-crypto-map)# North(config-crypto-map)# North(config)# cisco-admin 10 ipsec-isakmp set peer 14.2.9.6 set transform-set 3des-sha-xport match address 167 exit

8. Finally, apply these definitions to the interface (the 14.2.1.250 interface is named Ethernet 0/0). When doing so, well ensure that no other crypto maps are still in existence before we define this one. Then we exit from configuration mode, and IPSec should be running on the Cisco router.
North(config)# interface ethernet 0/0 North(config-if)# no crypto map North(config-if)# crypto map cisco-admin North(config-if)# exit North(config)# exit North#

Configuring Windows 2000 for Secure Remote Administration

Once the Cisco router has been set up, the Windows 2000 computer on the desktop of the administrator can be prepared. This section assume moderate familiarity with Windows 2000 network administration. First, run Microsoft Management Console (MMC), either from a command window prompt, or by using the Run command from the Start menu). Add the IPSec snap-in for the local machine. You can add the snap-in by looking under the Console menu and selecting Add/Remove Snap-in. That will give you a window containing the currently added list of snap-ins, initially empty. Click the Add button and you will see all the possible snap-ins. Scroll down until you see one titled IPSec Policy Management and select that one. It will ask which computer it should manage, and select Local Computer, click Finish, Close the list of additional snap-ins, and OK the one snap-in that you have added. The management console window should now look something like the screenshot below.

178

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

Click right on IP Security Policies on Local Machine (either the left or right window will work) and select Create IP Security Policy. A wizard shows up to assist you on this quest. Click Next. It asks for a name and description for this new policy. Any name will do, perhaps something like Admin to Router, and you arent required to fill in a description. Click Next. Click so that the default response rule is not activated, click Next. In this window, ensure that the Edit properties box is selected, and then hit the Finish button. The following window should appear.

Two things must be done in this window. A new rule must be added, for which we will use the Add Wizard, which we will do in a second, but before that, we will configure the key exchange parameters (which were called by the name isakmp in the

Version 1.0j

UNCLASSIFIED

179

Router Security Configuration Guide

UNCLASSIFIED

Cisco configuration). In the tabs at the top of this window, select General. Under that tab at the bottom of the screen is a button for Key Exchange using these settings with the word Advanced written on the button. Click that. The window that appears contains the title Key Exchange Settings.

In this window, do not check the Master key Perfect Forward Secrecy button, and any values for when to rekey are acceptable. To ensure everything is set up the same as on the Cisco, click the Methods button, under Protect identities with these security methods. Now you will see the following new window. Use the sideways scroll bar to see if a security method exists with the same settings as on the router. Those values are IKE negotiation (Cisco calls it ISAKMP, which is actually its older name), 3DES encryption, SHA1 Integrity (the hashing algorithm), and Medium (2) for the Diffie-Hellman size (which is Group 2, which is the 1024 bit Diffie-Hellman option, not the 768 bit one). If such a method does not exist, either modify a currently existing method by highlighting one and hitting the Edit button, or click the Add button to create a new one. In either case, you probably should click on the correct one (which will highlight it), and click the Move up button until it is the first option on the list. The others can either be deleted or just left there.

180

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

Click OK, and then click it again on the next window. You should now be back at the window where you selected the General tab. Now select the Rules tab and lets continue. Click the Add... button, which will use a second wizard. When the introduction screen for the wizard shows up, click Next, which will make the following tunnel endpoint window appear.

Since we selected transport mode when configuring the Cisco router, we do not need this tunnel. Continue on without specifying a tunnel. The next screen is about which network connections to use.

The network type Remote access is useful if you are using phone lines to connect remotely, but in this case, choose either LAN connection, or even better All network connections can be used. Click Next. Now is the time to enter the passphrase. Recall that we previously selected my4pa$$phra$eHere as our choice when we configured the Cisco router.

Version 1.0j

UNCLASSIFIED

181

Router Security Configuration Guide

UNCLASSIFIED

We enter that in the appropriate box, and click Next. The IP Filter List window will appear. Initially, it is probably empty. From there, click Add and the following IP Filter List definition window will appear.

Now we need to add a filter. Name this filter (Cisco Only Filter, or something like that), but before you Add, unselect the Use Add Wizard option. This third wizard is not helpful. If you use the wizard, you get several screens in which you will type in the information you can supply to the one screen you see if you do not use the wizard. So, unselect the Use Add Wizard, click Add and you should see the following screen.

182

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

You want it to have the Source address as My IP Address and the Destination address as A specific IP Address in which you fill in the IP address of the Cisco router, 14.2.1.250. Use a subnet address of 255.255.255.255 which permits secure connections only to the one router and leaves all other communications unaffected. You do need to leave the mirrored option on so filters are defined for traffic going in both directions. Click OK, returning you to the filter list window, which you should Close. Then select that filter (call it Cisco Router Filter) from the list of filters and click Next. The next window that appears is the Filter Action window. There are three default filters defined, Permit, Request Security and Require Security. Before selecting the Require Security option, you will want to examine it in a bit more detail to be sure that it contains the options you need. Double click on Require Security to see what options are set. It should look something like this.

Version 1.0j

UNCLASSIFIED

183

Router Security Configuration Guide

UNCLASSIFIED

Click on the security method preference order options and edit them to ensure that at least one of them contains the cryptographic settings for protecting the actual data that was configured in the Cisco. In fact, if you want to delete all but the one offer that is used, that would not be bad. For our example, we are using ESP with both 3DES and SHA, and are not using the AH protocol. The lifetime (until keys are renegotiated) is not important, so any settings for that are acceptable. We want to select Negotiate security here. Choose Accept unsecured communication, but always respond using IPSec. We do not want to select the final two options, Allow unsecured communications with non IPSec aware computer and Session key Perfect Forward Secrecy. The reason we don't want to allow unsecured communications is that this IPSec configuration only applies to communication with the router, communication to other places is not affected and so not IPSec protected. For just this connection, we want to use security, so we require it. Perfect Forward Secrecy is a way to do a second key exchange, which is mostly used when the initial key exchange is shared. This is not the case here. When all these settings are correct, click OK. Highlight the Require Security button, and click Next. The only remaining thing to do is to click "Finish." The next time you connect to the Cisco router, IPSec will be activated automatically, and the traffic will be IPSec protected. After following all these steps, you have created an IP Security Policy, and that new policy will appear in the management console window. Make sure that the policy is actually in effect, typically you must explicitly assign a policy after creating it. Look at the third column, Assigned, of the policy listing in the management console window. If the column contains the word No, then right-click on it, and select assign from the popup menu. The value in the third column should change to Yes and the policy will be imposed.

184

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

A quick check to ensure that it is working is to ping the router from the Windows 2000 host. The first attempt should fail and report "Negotiating IP Security". Ping a second time, and the router and the Windows 2000 host should have completed their key exchange and the ping should succeed. A network sniffer can be used to verify that communications between the router and host are encrypted. On the router, use the command show crypto ipsec security-association to confirm that IPSec is being used.

Version 1.0j

UNCLASSIFIED

185

Router Security Configuration Guide

Untrusted Network 14.2.9.64 Router 14.2.10.64

Trusted Network 14.2.10.0/24

User Host 14.2.10.6

User Host 14.2.10.7

Figure 5-1: A Simple Router Firewall

CBAC examines not only network layer and transport layer information, but also examines the application-layer protocol information (such as FTP information) to learn about the state of TCP and UDP connections. CBAC maintains connection state information for individual connections. The heart of CBAC is the ability to inspect outgoing IP traffic in real-time, maintain state information, and use the state information to make access decisions. The access decisions are enacted when CBAC dynamically adds rules to interface access lists to pass permitted traffic. The figure below illustrates this. Because CBAC works by modifying access lists, there must be at least one access list in place on the path from the untrusted network to the trusted network, either an inbound list on the outside interface, or an outbound list on the inside interface.
untrusted network
1. Host initiates a web connection to web server 7.1.6.20 (port 80) on the untrusted network. 2. CBAC inspects the initial TCP packet of the connection, and adds a rule to the inbound access list, permitting data from 7.1.6.20 port 80. 3. Response comes back from the web server, passes access list.
inside interface
inspect

outside interface

2. CBAC
adjust

access list 3.

Outbound request

Router

Inbound response

trusted network
Host

Figure 5-2: CBAC Overview

Note that CBAC handles only TCP and UDP protocols. It also includes some special case handling for multi-port application protocols, like H.323 and FTP. Other IP

Version 1.0j

UNCLASSIFIED

187

Router Security Configuration Guide

UNCLASSIFIED

protocols and services, such as ICMP, OSPF, or IPSec, must be separately permitted by the interface access lists if you need them.

Steps in Setting Up a Cisco Router Firewall

To set up a simple firewall using CBAC, follow these steps: 1. Check that the router supports CBAC, if it does not, then install an IOS version that does (see Section 4.5.5). Example: IOS 12.0(9) with Firewall Feature Set 2. Determine the list of services that users or hosts on the trusted network need from the untrusted network. Call this list the desired services list. Example: FTP, Web (HTTP), SMTP, POP3, RealAudio (RTSP) 3. Set up an outbound access list on the outside interface, prohibiting all traffic that should not leave the trusted network but allowing traffic on the desired services list (see Section 4.3). 4. Set up an inbound access list on the outside interface, permitting traffic that the router must process, but prohibiting other TCP and UDP traffic including the desired services list. This is the access list that CBAC will be modifying on the fly. 5. Create a CBAC inspection ruleset supporting the desired services list. 6. Set the CBAC global timeouts. These timeout values determine the duration of window of accessibility opened back through the firewall in response to a request from the trusted network; values that are too long can leave the trusted network vulnerable. 7. Apply the CBAC inspection ruleset to an interface, usually the outside interface. 8. Test the configuration from a host on the trusted network by running services, and test it from the untrusted network by running a network scanner (see Section 6).

Step 1. Testing for CBAC Support on the Router

Examine the router IOS installation to ensure it has the firewall feature set. There is no simple, direct way to check whether a router has CBAC capability. The easiest way to check is to execute a CBAC-related command, if the command fails, then CBAC is not supported. The two examples below show a router without CBAC, Central, and a router with CBAC, South.
Central# show ip inspect all ^ % Invalid input detected at ^ marker.

188

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

Central#

versus
South# show ip inspect all Session audit trail is disabled Session alert is enabled . . South#

Step 2. Determine the Application Services to Support

Decide which application-layer protocols to permit using CBAC. Best practice on a router is deny all protocols except those identified as needed. CBAC in IOS 12.0 supports about a dozen application service types; the most commonly used ones are listed below.
Service Basic TCP Protocols Definition Generic connected TCP protocols, such as HTTP, POP3, Telnet, SSL, etc. Generic UDP services, such as DNS, NTP, TFTP, IKE, SNMP, etc. Control connection on TCP port 21, data on TCP port >1024. Connect TCP protocol on port 25. H.323 video conference protocol over UDP. Real-Time Streaming Protocol over UDP or TCP. Remarks CBAC will support any of these; select ones to support by permitting them through the access list set up in Step 3. CBAC will support any of these; select ones to support by permitting them through the access list set up in Step 3. CBAC has special support for FTP, and watches the FTP authentication exchange. It also prevents use of non-standard ports for FTP data. CBAC permits only standard SMTP commands. Because NetMeeting uses additional non-standard ports, generic UDP must also be configured to use it. CBAC automatically tracks the RealAudio port assignments.

Other UDP

FTP

Mail (SMTP) H.323 (NetMeeting) RealAudio (RTSP)

For web traffic (HTTP), CBAC has some ability to block Java applets. Because the Java blocking capability is very weak, it is not typically employed. For example, a reasonable list of desired services for many installations is: DNS, NTP, HTTP, FTP, and Telnet, plus SMTP and POP3 to the mail server only.

Version 1.0j

UNCLASSIFIED

South(config-ext-nacl)# permit icmp any any unreachable South(config-ext-nacl)# permit icmp any any ttl-exceeded South(config-ext-nacl)# permit udp any any eq rip South(config-ext-nacl)# deny ip any any log South(config-ext-nacl)# exit South(config)# ! apply the access list to the outside interface South(config)# interface eth 0/0 South(config-if)# ip access-group 111 in South(config-if)# exit

South(config)#

Step 5. Create a CBAC Ruleset

To create a CBAC ruleset, use the command ip inspect name. The syntax is shown below.
ip inspect name ruleset-name protocol [alert on/off] [audit-trail on/off] [timeout override-timeout]

The alert option controls whether use of that protocol causes a console alert message to be generated; similarly, the audit-trail option controls whether use of that protocol causes a log message to be generated. Enable the alert and audit-trail features to get additional log messages, beyond those generate by interface access lists. (In older versions of CBAC, audit trails could only be turned on globally, using the command ip inspect audit-trail.) The example ruleset below supports the example desired service list. The name of the ruleset is fw1. Its first rule supports DNS and NTP, and the second rule supports web, Telnet, and POP3 email services.
South(config)# South(config)# South(config)# South(config)# South(config)# ip ip ip ip inspect inspect inspect inspect name name name name fw1 fw1 fw1 fw1 udp audit-trail on tcp audit-trail on ftp audit-trail on smtp audit-trail on

Step 6. Adjust the CBAC Global Parameters

When CBAC detects a connection attempt by a client on the trusted network, it adds a rule to the inbound access list to permit the expected response. This rule gets removed when one of the following conditions are satisfied: ! The response does not arrive within the allotted timeout time. ! The connection is idle for longer than an allotted idle time. ! The connection closes down (TCP only).

Version 1.0j

UNCLASSIFIED

191

Router Security Configuration Guide

UNCLASSIFIED

The default timeout and idle times in Cisco IOS 12.0 are longer than necessary. There are also global CBAC parameters related to half-open TCP session, but these can be left at their default values. The table below describes the parameters to change.
Timeout Name Synwait-time Description Length of time CBAC waits for a new TCP session to reach established state. Length of time that CBAC continues to manage a TCP session after it has been closed down by a FIN exchange. Length of time that CBAC continues to manage a TCP session with no activity. Length of time that CBAC continues to manage a UDP session with no activity. Default 30 seconds Suggested 15 seconds

Finwait-time

5 seconds

1 second

TCP idle-time

1 hour

30 minutes (1800 sec.) 15 seconds

UDP idle-time

30 seconds

Of course, these values might need to be increased for a very slow connection (e.g. a modem) or on a highly congested network. The example below shows how to set the global timeout parameters.
South# config t Enter configuration commands, South(config)# ip inspect tcp South(config)# ip inspect tcp South(config)# ip inspect tcp South(config)# ip inspect udp South(config)# exit South# one per line. End with CNTL/Z. synwait-time 15 finwait-time 1 idle-time 1800 idle-time 15

Step 7. Apply the CBAC Ruleset to the Interface

CBAC is not in force until a ruleset has been applied to at least one interface. Use the interface configuration command ip inspect name to apply a ruleset. The example below applies the ruleset from step 5 to the outside (untrusted network) interface.
South# config t Enter configuration commands, one per line. South(config)# interface eth0/0 South(config-if)# ip inspect fw1 out South(config-if)# end South# show ip inspect interface
South# End with CNTL/Z.

192

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

After this step, CBAC should be running on the router.

Step 8. Test the CBAC Configuration

Perform some simple tests from a host on the trusted network, to see that CBAC is working. The test shown here has two parts: first, starting a telnet session from a host on the trusted network to a host on the untrusted network, and second, confirming that CBAC is managing the session. For more detailed testing information, see Section 6. The example below shows a Telnet session from a host on the trusted network (14.2.10.6) to a host on the untrusted network (14.2.9.250).
$ telnet 14.2.9.250 Trying 14.2.9.250... Connected to 14.2.9.250. Escape character is '^]'. This is the CENTRAL router. Access is limited to authorized administrators only! Username: nziring Password: Central>

While the Telnet session is active, check the CBAC session status on the router using the command show ip inspect sessions. It should show the telnet session, as illustrated in the example below. If the command gives no output, then CBAC is not working.
South# show ip inspect sessions Established Sessions Session 6187B230 (14.2.10.189:3175)=>(14.2.9.250:23) tcp SIS_OPEN South#

If the CBAC configuration seems to be working, save the router configuration to NVRAM at this point with the command copy running startup.

5.3.3. Configuration Sample

The configuration command listing below shows the configuration commands for a firewall router with a simple CBAC configuration. The desired service list for this firewall is: DNS, NTP, HTTP, FTP, Telnet, SMTP (to a single host), and POP3 (to a single host). This sample is formatted as it would appear in a configuration text file stored on a host for download to the router South.
no access-list 110 ip access-list extended 110 permit icmp 14.2.10.0 0.0.0.255 any

Version 1.0j

UNCLASSIFIED

3. Set up a username that is permitted to connect to the router. If you have already created user accounts (with or without AAA), as specified in section 4.6, you may skip this step.
North(config)# username joeadmin password 0 1-g00d-pa$$word North(config)# vty 0 4 North(config-line)# login local North(config-line)# exit North(config)#

To act as an SSH server, the router must possess an RSA key pair. If the router already has a key pair, perhaps generated as part of its IPSec configuration, then you may use it for SSH. Otherwise, generate a new RSA key pair for this router. If you need to remove an old key pair, and you are absolutely sure that the keys are not being used, then you may delete them using the command crypto key zeroize rsa. To generate a new key pair, use the command crypto key generate as shown below. Cisco suggests a minimum modulus size of 1024 bits.
North(config)# crypto key generate rsa The name for the keys will be: North.dod.mil Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes. How many bits in the modulus [512]: 2048 Generating RSA Keys ... [OK] North(config)#

At this point, the SSH server is enabled and running. By default, the SSH service will be present on the router whenever an RSA key pair exists, but it will not be used until you configure it, as detailed below. If you delete the routers RSA key pair, then the SSH server will stop. Note: check carefully before deleting a key pair, because there is no way to recover a private key that has been deleted. Below are some useful commands for further configuring the new SSH server. ! Configure an authentication timeout. This is the number of seconds the server will wait for a client to respond with a password. Once the connection is established, standard vty timeout settings apply. The default authentication timeout is 120 seconds, which is also the maximum allowed value. The recommended value is 90. To change this from the default, do the following.
North(config)# ip ssh timeout 90 North(config)#

196

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

! The number of incorrect login attempts that are permitted before the router will drop a remote access connection is also configurable. The default value is 3 attempts, which is a sound choice; the maximum value is 5. Do not set the value higher than three; the example below shows how to set the router to drop the connection at the second failure.
North(config)# ip ssh authentication-retries 2 North(config)#

The vty can be configured to accept both SSH and telnet connections as shown below. To disable telnet and require SSH, which is recommended, simply leave off the keyword telnet on the transport input command.
North(config)# line vty 0 4 North(config-line)# transport input ssh telnet North(config-line)# exit North(config)#

5.4.2. Advanced SSH Commands

There are a number of commands that will allow you to verify that the SSH server is now operational. However, these commands vary between IOS releases. The two subsections below describe the commands in detail.

IOS Version 12.2

To verify that SSH has been successfully enabled, execute the following command, and verify your output states that SSH is enabled.
North# show ip ssh SSH Enabled version 1.5 Authentication timeout: 90 secs; Authentication retries: 3 North#

To verify that SSH has been successfully enabled and check that your session is actually using SSH, connect to the router using your SSH client and type the command show ssh. If your session is secure then the output should resemble that shown below.
North# show ssh Connection Version 0 1.5 North# Encryption State 3DES Session Started Username joeadmin

IOS Version 12.1

To verify that SSH has been successfully enabled, execute the following command, and verify your output is similar to the following. There may or may not be any current connections, depending on how you are connected to your router.

Version 1.0j

UNCLASSIFIED

197

Router Security Configuration Guide

UNCLASSIFIED

North# show ip ssh Connection Version 0 1.5 North#

Encryption 3DES

State 4

Username joeadmin

Diagnosing and Managing SSH

In the unlikely event that a connection has not properly closed, or that a connection must be forcefully closed, there are two ways to go about this. Obtain the connection number using one of the two methods shown above, then use of the commands below to disconnect the session. This example disconnects session 0, which is in use by user joeadmin.
North# disconnect ssh 0 North#

- or North# clear line vty 0 North#

You can use the IOS command debug ip ssh to diagnose SSH operation. It is very important to disable debug messages when you are finished using them.
North# ! enable debug messages from the SSH service North# debug ip ssh North# ! disable debug messages from the SSH service North# no debug ip ssh

A Sample SSH Session

The sample session below shows how to connect from a Unix host to a Cisco router using the OpenSSH client.
% ssh l joeadmin 14.2.1.250 [email protected] password: Warning: Remote host denied X11 forwarding North> enable Password: North# show ip ssh SSH Enabled version 1.5 Authentication timeout: 120 secs; Authentication retries: 3 North# show ssh Connection Version Encryption State Username 1 1.5 3DES Session started joeadmin North# exit Connection to 14.2.1.250 closed. %

198

UNCLASSIFIED

5.5. References
[1] Chapman, D.B., Cooper, S., and Zwicky, E.D. Building Internet Firewalls, 2nd Edition, OReilly Associates, 2000. A seminal reference for understanding firewalls and the principles for building them. [2] Cisco IOS 12.0 Network Security, Cisco Press, Indianapolis, IN, 1999. Authoritative source for in-depth descriptions of security-related IOS facilities, including IPSec, CBAC, and related configuration commands. [3] Doraswamy, N. and Harkins, D. IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Prentice-Hall, 1999. Contains a good overview of IPSec, plus and technical detail about IKE and VPN design. [4] Kent, S. and Atkinson, R., Security Architecture for the Internet Protocol, RFC 2401, 1998. The master document for IPSec, includes extensive remarks about VPN architecture. [5] Tiller, J. A Technical Guide to IPSec Virtual Private Networks, Auerbach Publications, 2001. This highly technical book provides detailed explanations and pragmatic advice about IPSec. [6] Cisco Secure Integrated Software Configuration Cookbook, Cisco Configuration Cookbook, Cisco Systems, 2001. available at http://www.cisco.com/warp/public/793/ios_fw/ This page offers detailed configuration examples for CBAC. [7] Cisco Secure VPN Client Solutions Guide, Cisco Internetworking Solutions Guides, Cisco Systems, 1999. available at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csvpnc/c svpnsg/

[8] How to Configure IPSec Tunneling in Windows 2000, Q252735, Microsoft Knowledge Base, Microsoft Corporation, 2000. available under http://support.microsoft.com/support/ Contains some good information about setting up IPSec in Windows 2000.

200

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Advanced Security Services

[9]

Overview of Secure IP Communication with IPSec in Windows 2000, Q231585, Microsoft Knowledge Base, Microsoft Corporation, 2000. available under http://support.microsoft.com/support/ A good overview of IPSec features in Windows 2000.

[10] Security Technical Tips IPSec, Cisco Technical Assistance Center, Cisco Systems, 2000. available at http://www.cisco.com/warp/public/707/#ipsec This page offers detailed descriptions of about a dozen sample IPSec configurations, as well as links to other IPSec information on Ciscos web site. [11] Virtual Private Networks, Cisco Technical Assistance Center Top Issues, Cisco Systems, 2000. available at: http://www.cisco.com/warp/public/471/top_issues/
vpn/vpn_index.shtml

A collection of resources and links for Cisco IPSec and VPN information. [12] Secure Shell Version 1 Support, Cisco Systems, 2000. available at: http://www.cisco.com/univercd/cc/td/doc/product/
software/ios121/121newft/121t/sshv1.htm

A short overview of SSH features in IOS 12.1(1)T, with examples. [13] Cisco Security Advisory: Multiple SSH Vulnerabilities, Revision 1.1, Cisco Systems, 2001. available at: http://www.cisco.com/warp/public/707/SSH-multiplepub.html

An overview of SSH vulnerabilities, and the IOS versions to which they apply. [14] Barrett, D.J. and Silverman, R.E. SSH The Secure Shell The Definitive Guide, OReilly Associates, 2001. The book provides very broad and detailed coverage of SSH features, software, and usage.

Version 1.0j

UNCLASSIFIED

201

Router Security Configuration Guide

UNCLASSIFIED

202

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Testing and Security Validation

6. Testing and Security Validation

6.1. Principles for Router Security Testing
The perimeter router is the first line of defense when protecting against malicious attack. Routers provide many services that can have severe security implications if improperly configured. Some of these services are enabled by default whereas other services are frequently enabled by users. Security testing provides a means of verifying that security functions and system operations are configured in a secure manner. Ideally, testing should be performed at initial deployment of a router, and whenever major changes have been made to the any part of the configuration of a router.

6.2. Testing Tools

There are a variety of tools available for testing purposes. Scanners such as Fyodors nmap program are used to scan for open TCP and UDP ports on a router interface. Packet sniffer programs are used to monitor traffic passing through the network and steal unencrypted passwords and SNMP community strings; this information can then be used to formulate specific attacks against the router. Attack scripts are readily available on the Internet for numerous well-known exploits; several denial of service (DOS) attacks and the newer distributed denial of service (DDoS) attacks have been highly successful against some versions of IOS. Additional tools are listed in the Tools Reference, Section 9.3.

Version 1.0j

UNCLASSIFIED

203

Router Security Configuration Guide

UNCLASSIFIED

6.3. Testing and Security Analysis Techniques

6.3.1. Functional Tests
Functional testing provides assurance that the implemented configuration is the intended one. Access lists should be tested thoroughly once assigned to an interface both to be certain that necessary traffic is permitted and unwanted traffic is denied. Additionally, some services depend on other services in order to function. For example, DNS must be available for any operation referencing a host by name to succeed (e.g. Telnet). Testing all allowed services will identify these dependencies. To view the current operational configuration, use the EXEC mode command show running-config. A serious known problem with Cisco IOS is that some default settings are not displayed as part of the router configuration listing. The above command would not, for example, show the udp-small-servers or the tcp-smallservers in the configuration. The default settings for these services depend upon the IOS version; for IOS v.11.2, the default is enabled, but for IOS v.11.3, the default is disabled. To verify the entire configuration, run a port scan against the router. The nmap scanning program is a good tool for this purpose. The examples below show nmap running under Linux. (Note: if IP unreachable messages have been disabled, as advised in Section 4.3, temporarily re-enable them before performing your UDP port scan by using the interface configuration command ip unreachable.)

TCP Scan:
The following command will perform a TCP scan against router North (IP address 14.2.1.250):
# nmap sT 14.2.1.250 p 1-65535 Starting nmap v. 2.12 by Fyodor ([email protected]) Interesting ports on (14.2.1.250): Port State Protocol Service

If VTY (Telnet) access is not allowed, there shouldnt be any ports open. Otherwise, cross-check the ports that nmap reports open against the services that the router is supposed to be running.

Version 1.0j

UNCLASSIFIED

207

Router Security Configuration Guide

UNCLASSIFIED

This vulnerability can be tested by sending a UDP packet to the routers port 514. However, if the router is running a vulnerable version of the IOS software and the access list is not properly configured or not applied, the router could crash or hang! As mentioned above, running DoS attack scripts against the router can have very serious and undesirable consequences. If, after careful consideration, planning and coordination, the decision is made to go forward with this testing, the attack scripts are readily available from many sources on the internet. At the time of this writing, Packetstorm Security has several DoS exploits, available under http://packetstorm.securify.com/exploits/DoS/ and http://packetstorm.securify.com/spoof/. Other useful sites for exploit information and code are listed at the end of this section.

6.3.3. Mechanisms for Automated Testing

There are a number of products available to automate the testing process. CyberCop Scanner from Network Associates and Internet Scanner from ISS are two popular commercial products. The Security Administrators Integrated Network Tool (SAINT) and the Security Administrator Tool for Analyzing Networks (SATAN) are publicly available tools.

WARNING: RUNNING AUTOMATED ATTACK TOOLS ENTAILS SIGNIFICANT RISK! It is easy to accidentally auto-scan more systems than you intended, or to touch systems for which you have no legal authority. Exercise caution when using tools like CyberCop, SAINT, or SATAN; always double-check the addresses to be scanned, and monitor the tools closely while they are operating.
CyberCop Scanner performs comprehensive evaluations of intranets, web servers, firewalls and screening routers by scanning them and performing extensive tests to identify known vulnerabilities. CyberCop generates reports from scan results that include information about detected vulnerabilities: a description of the vulnerability, security concerns, level of risk and suggestions for fixing/mitigating the vulnerability. CyberCop offers monthly updates consisting of new modules and security hotfixes for new and evolving vulnerabilities. For more information, visit:
http://www.nai.com/asp_set/solutions/activesecurity/acts_produ cts.asp

Internet Scanner is also a network vulnerability analysis and risk assessment product. Internet Scanner probes the networks communication services, operating systems, key applications and routers for those vulnerabilities frequently used by malicious users to investigate and attack networks. Internet Scanner includes nearly 600 total tests, and updates containing the latest tests and security checks are available for download daily. Internet Scanner analyzes the scan data and provides reports containing vulnerabilities identified along with recommended corrective actions. The latest version of Internet Scanner (6.01) now contains tests to find hosts infected by

208

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Testing and Security Validation

Version 1.0j

UNCLASSIFIED

Future Issues in Router Security

7. Future Issues in Router Security

This section describes a few areas of network technology that will probably have an effect on router and network security in the near future. The list is not comprehensive, the topics described below are merely a select few of the many technologies that network security administrators will have to incorporate into their security plans and policies in the next few years.

7.1. Routing and Switching

As network bandwidth demands continue to increase, IP routing will increasingly be replaced by layer 2 switching in high-performance applications. The security concerns for switched networks and switches correspond directly to those for routed networks and routers. ! Protecting physical access to the switch itself ! Controlling virtual access to the switch, including user authentication and authorization ! Updating the operating system when necessary to fix known vulnerabilities ! Preventing unauthorized modification of the switch configuration ! Disabling unneeded services and features Switching imposes new risks, while removing the ability to impose some security restrictions. For example, routers can supply critical protection at network boundaries by filtering traffic (see Section 4.3). Switches typically have limited or negligible filtering capabilities. Therefore, in a network environment that is predominantly based on switching, each individual host and device must be configured securely rather than relying on protection at their LAN boundaries. One feature of switched environments that might be usable to improve security is Virtual LAN switching. Many Ethernet switches have the ability to maintain one or more separate virtual LANs over the same physical cables and switches. The diagram below shows how virtual LANs can be set up to emulate two physical LANs spread across two switches. Note that some switches can act as routers between their separate VLANs, while others require a real router.

Version 1.0j

UNCLASSIFIED

213

Router Security Configuration Guide

UNCLASSIFIED

Internet

Host X (14.2.4.6) Host A (14.2.3.2)

Virtual View
Host B (14.2.3.3)

LAN 1 14.2.3.0/24

Router

LAN 2 14.2.4.0/24
Host Y (14.2.4.7)

Host C (14.2.3.4)

Host Z (14.2.4.8)

Internet

As VPNs become more popular and widespread, expect a corresponding increase in mobile users expecting to join home base networks, VPNs, and protected networks from remote sites. Standard protocols exist for tunneling layer 2 protocols, such as Ethernet or PPP, over IP networks; the primary such protocol used today is called the Layer 2 Tunneling Protocol (L2TP). Use of such tunneling protocols allows remote users to join a LAN, and actually use their home base LAN address, from a remote part of the network. There are several approaches to doing this, each of which has different security issues.

7.4.1. Virtual Private Dialup Networking

Cisco routers support tunneling dial-up protocols, like PPP, over IP from a remote router or network access server to a central router. This kind of tunneling architecture is called Virtual Private Dial-up Networking (VPDN), and it is illustrated in the figure below.
Virtual Private Dial-up Networking configured between these two devices

Access Server 126.19.4.29

Internet

home base router

dial-up

File Server 14.2.9.10

modem
Virtual Connection

Inside LAN 14.2.9.0/24

Remote User 14.2.9.185

Figure 7-2: Overview of Virtual Private Dial-up Networking

In general, the security for a VPDN service depends on use of IPSec between the two ends of the tunnel: the remote network access server and the central router. This is an area that needs further study, but it seems possible that small deployments could use static IPSec tunnels as described in Section 5.2.

Version 1.0j

UNCLASSIFIED

217

Router Security Configuration Guide

UNCLASSIFIED

7.5. IP Quality of Service and RSVP

The Resource reSerVation Protocol (RSVP) is the Internet standard protocol for setting up Quality-of-Service (QoS) parameters for traffic in routed IP networks. Many releases of Cisco IOS 12.0 and later support RSVP and QoS guarantees. As bandwidth-hungry network clients, such as IP video-conferencing systems, begin to gain wide acceptance, users will begin to demand quality-of-service assurances. Quality-of-service support offers the potential for substantial denial-of-service attacks. On routers that support RSVP but that do not need to provide any QoS guarantees, all RSVP messages should be denied on external interface using IP access-lists. For more information about access lists, consult Section 4.3. In general, RSVP configuration will probably be a contentious issue, and configuring it securely will be challenging. While the RSVP protocol itself includes provisions for authentication and authorization, key management and deployment issues for RSVP security have not been resolved. Also, Cisco IOS 12.1 now supports centralized application of RSVP policies, but the security issues associated with this facility have not yet been explored. Extensive guidance already exists for integrating IP QoS (RSVP) with ATM QoS, but the security issues involved in that integration have not been fully explored.

222

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Appendices

8. Appendices
The sections below offer ancillary material and supplemental guidance for network and security administrators.

8.1. Top Ways to Quickly Improve the Security of a Cisco Router

This appendix describes the most important and effective ways to tighten the security of a Cisco router, along with some important general principles for maintaining good router security. The descriptions here are terse, for more details consult the corresponding parts of Section 4. References to appropriate parts of Section 4 appear at the end of each recommendation.

General Recommendations
Comment and organize the offline editions of router configuration files! This sounds fluffy despite being a big security win. Keep the offline copy of all router configurations in sync with the actual configuration running on the routers, and keep all old versions under configuration management. This is invaluable for diagnosing suspected attacks and recovering from them. [Section 4.1] Implement access list filters by permitting only those protocols and services that the network users really need, and explicitly denying everything else. Trying to deny just the bad things is a losing proposition. [Section 4.3] Run the latest available General Deployment (GD) IOS version. [Sections 4.5.5, 8.3]

Specific Recommendations
1. Shut down unneeded services - things that aren't running can't break, and save memory and processor slots too. Start by running the show proc command on the router, then turn off clearly unneeded facilities and services. Some services that should almost always be turned off are listed below. ! CDP - Cisco Discovery Protocol is used almost exclusively by Cisco RMON; CDP sends packets from your router once a minute or so identifying your router. Use the no cdp run command to kill the process and disable CDP globally. To leave CDP running but disable it for certain network connections, apply the command no cdp enable to the appropriate interfaces. [Section 4.2] ! Small services - miscellaneous UDP (echo, discard, chargen) and TCP (echo, discard, chargen, daytime) based services. One of these is the UDP echo which is used in the fraggle attack. Use

Version 1.0j

UNCLASSIFIED

223

Router Security Configuration Guide

UNCLASSIFIED

the commands no service udp-small-servers and no service tcp-small-servers to turn these off. [Section 4.2] ! Finger - the finger daemon. Use the command no service finger (IOS 11.2 and earlier) or no ip finger (IOS 11.3 and later). [Section 4.2] ! NTP - the Network Time Protocol. If NTP is not being employed for time synchronization, turn if off with no ntp server. NTP can also be disabled for only a specific interface with the ntp disable command. [Sections 4.2, 4.5] ! BOOTP the IP bootp server. Turn off this little-used server with the command no ip bootp server. [Section 4.2] 2. Don't be a Smurf buddy! While the Smurf attack doesn't usually attack the router itself, a Smurf attack can let an attacker use your network to launch denial of service raids on other sites; the attacks will appear to come from you. To prevent this, use the command no ip directedbroadcast on all interfaces. This may be the default on some recent versions of IOS, but include it in your configuration explicitly anyway. [Section 4.2]
Central(config)# interface eth 0/0 Central(config-if)# no ip directed-broadcast

3. Shut down unused interfaces using the shutdown command. Check them with the show interfaces command. If the router has an auxiliary console port (aux port) and it is not in use, shut it down as shown below. [Section 4.1]
Central(config)# interface eth 0/3 Central(config-if)# shutdown Central(config-if)# exit Central(config)# line aux 0 Central(config-line)# no exec Central(config-line)# transport input none Central(config-line)# exit

4. Always start an access-list definition with the command no accesslist nnn to make sure it starts out clean. [Section 4.3]
East(config)# no access-list 51 East(config)# access-list 51 permit host 14.2.9.6 East(config)# access-list 51 deny any log

5. Log access list port messages properly. For reasons of efficiency, Cisco IOS doesn't look at an entire packet header unless it has to. If packets are rejected by an access list filter for other reasons, the log message will often list the packet as using port 0. To prevent this from happening, instead of the usual logging access list command (such as access-list 106 deny ip any any log), use the special port range arguments shown below.

224

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Appendices

no access-list 106 access-list 106 deny udp any range 0 65535 any range 0 65535 log access-list 106 deny tcp any range 0 65535 any range 0 65535 log access-list 106 deny ip any any log

The last line is necessary to ensure that rejected packets of protocols other than TCP and UDP are properly logged. [Section 4.3] 6. Password and access protect the Telnet VTYs. By default, virtual terminals (telnet) are unprotected. To set a password, use password command. To control access, use a access list and the access-class command. Finally, if only one method of attaching to the VTY, such as Telnet, is to be permitted, use the transport input command to enable only that method. [Section 4.1]
South(config)# line vty 0 4 South(config-line)# login South(config-line)# password Soda-4-J1MMY South(config-line)# access-class 2 in South(config-line)# transport input telnet South(config-line)# exit South(config)# no access-list 92 South(config)# access-list 92 permit 14.2.10.0 0.0.0.255

Controlling authentication for login to the router is an extremely important topic, consult Sections 4.1 and 4.6 for guidance. 7. Unless the network is one of those very rare setups that needs to allow source routed packets, the source routing facility should be disabled with the command no ip source-route. [Section 4.2]
Central(config)# no ip source-route

8. Turn off SNMP trap authentication to prevent a remote SNMP system shutdown request. In IOS 11.2 and later use the global configuration command no snmp-server enable traps. If SNMP is not being used on the router, turn it off with the command no snmp-server. [Sections 4.2, 4.5.3]
South(config)# no snmp-server enable traps South(config)# no snmp-server

9. Make sure that the router enable password is encrypted using the strong MD5-based algorithm by using the enable secret command rather than the enable password command. [Section 4.1]
South(config)# enable secret 2Many-Routes-4-U South(config)#

10. Allow only internal addresses to enter the router from the internal interfaces, enforce this using access-lists. Block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router

Version 1.0j

UNCLASSIFIED

225

Router Security Configuration Guide

UNCLASSIFIED

to attack other sites, it helps identify mis-configured internal hosts and networks. This approach may not be feasible for very complicated networks. [Section 4.3]
East(config)# no access-list 101 East(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 any East(config)# access-list 101 deny udp any range 1 65535 any log East(config)# access-list 101 deny tcp any range 1 65535 any log East(config)# access-list 101 deny ip any any log East(config)# interface eth 1 East(config-if)# ip access-group 101 in East(config-if)# exit East(config)# interface eth 0 East(config-if)# ip access-group 101 out East(config-if)# end

11. Turn on the routers logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks. [Section 4.5]
Central(config)# Central(config)# Central(config)# Central(config)# logging logging logging logging buffered trap info facility local1 14.2.9.6

12. Block packets coming from the outside (untrusted network) that are obviously fake or are commonly used for attacks. This protection should be part of the overall design for traffic filtering at the router interface attached to the external, untrusted network. [Section 4.3] ! Block packets that claim to have a source address of any internal (trusted) networks. This impedes some TCP sequence number guessing attacks and related attacks. Incorporate this protection into the access lists applied to interfaces connected to any untrusted networks. ! Block incoming loopback packets (address 127.0.0.1). These packets cannot be real. ! If the network does not need IP multicast, then block it. ! Block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services should not be used on external interfaces.) ! A number of remote attacks use ICMP redirects, block them. (A superior but more difficult approach is to permit only necessary ICMP packet types.) The example below shows how to enforce these rules on router North.
North(config)# North(config)# North(config)# North(config)# North(config)# no access-list 107 ! block internal addresses coming from outside access-list 107 deny ip 14.2.0.0 0.0.255.255 any log access-list 107 deny ip 14.1.0.0 0.0.255.255 any log ! block bogus loopback addresses

226

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Appendices

North(config)# access-list 107 deny ip 127.0.0.1 0.0.0.255 any log North(config)# ! block multicast North(config)# access-list 107 deny ip 224.0.0.0 0.0.255.255 any North(config)# ! block broadcast North(config)# access-list 107 deny ip host 0.0.0.0 any log North(config)# ! block ICMP redirects North(config)# access-list 107 deny icmp any any redirect log . . North(config)# interface eth 0/0 North(config-if)# ip access-group 107 in

13. Block incoming packets that claim to have the same destination and source address (i.e. a Land attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface, using a rule like the one shown below (part of the configuration file for router East). [Section 4.3]
no access-list 102 access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log access-list 102 permit ip any any interface Eth 0/0 ip address 14.2.6.250 255.255.255.0 ip access-group 102 in

14. Prevent the router from unexpectedly forwarding packets with no clear route by using the global configuration command no ip classless. [Section 4.2] 15. Proxy ARP is used to set up routes on the fly for internal hosts or subnets and may reveal internal addresses. Disable it by applying the command no proxy-arp to each external interface. If proxy ARP is not needed, disable it on all interfaces. [Section 4.2]
Central(config)# interface eth 0/0 Central(config-if)# no proxy-arp

16. Except on the rarely-seen Cisco 1000 series routers, the HTTP server is off by default. To be safe, however, include the command no ip http server in all router configurations. [Section 4.2] 17. So that the complete date and time are stamped onto entries in the routers buffered log, use the global configuration command service timestamps as shown in the example below. [Section 4.5]
East(config)# service timestamps log date \ msec local show-timezone East(config)#

Version 1.0j

UNCLASSIFIED

227

Router Security Configuration Guide

UNCLASSIFIED

18. Unless the router absolutely needs to autoload its startup configuration from a TFTP host, disable network autoloading with the command no service config. [Section 4.2] 19. Turn on password encryption, so that regular passwords are stored and displayed in scrambled form. This provides some security against casual over-the-shoulder attacks. [Section 4.1]
East(config)# service password-encryption

20. If the router has a separate bootflash image, make sure that the IOS bootflash image version is reasonably close to the current IOS version. To check the current boot version use the command show boot. [Note: only a few Cisco router models (e.g. 4700) have a separate bootflash image; if the router responds to show boot with Invalid input then this recommendation does not apply.] For more information about testing router security, and defeating common attacks, see Section 6.

228

UNCLASSIFIED

Version 1.0j

230

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Appendices

Section

Topic Routing protocols

Application to Switches This section is not generally applicable to switches. [Note: some Catalyst 5000 and higher series switches are equipped with a Route Switch Module. This module is essentially a 4700-series IOS router attached to the switch. It should be configured using Section 4 like any other router.] Almost all of this section applies to IOS-based switches; some switch IOS versions do not support NTP, and must have their time set manually. All switches support RMON and SMTP; these services should be disabled if not in use, or access to them should be restricted. All of this section is applicable to IOS-based switches, if they support AAA (IOS 11.2 and later).

4.4

4.5

Audit and Management

4.6

Access control with AAA

Note that Cisco switch-resident routing hardware (e.g. Catalyst 5000 series Route Switch Modules) can and should be configured using the guidance in Section 4, after careful consideration of its role in the network security policy. Most of the security testing guidance given in Section 6 also applies to LAN switches.

Version 1.0j

UNCLASSIFIED

231

Router Security Configuration Guide

UNCLASSIFIED

8.3. Overview of Cisco IOS Versions and Releases

Cisco provides a very large number of software releases for their routers and other products. This appendix provides an overview of the major release levels, and the release naming scheme. It is intended to help with upgrade strategies and version selection. In general, operational routers should kept up to date with the newest stable release that provides all the needed features. Often it will not be practical to install all the updates that Cisco makes available, especially during the flurry of bug fix releases that tends to follow a major change. Devise a consistent upgrade strategy that matches the needs of your network, and then follow it; use this appendix and the materials listed in the references, to understand what Cisco provides.

8.3.1. Release Levels and Names

Cisco follows strict naming schemes for IOS releases. Unfortunately, the format has changed several times since IOS was first introduced in the mid-1990s. The current format for a Cisco IOS release name is shown below.

VV.N.M RR
Release identifier Maintenance revision number Minor release number IOS Major release number: 10, 11, 12

Examples: 12.0.3 Release = 12.0 Revision = 3 Release = 11.3 Revision = 5 Identifier = T

11.3.5T

Figure 8-1 Cisco IOS Release Naming

In general, release number and release identifiers tell what features could be available, and the revision number tells how many times the release has undergone fixes to correct problems. Cisco releases may be broadly divided into kinds: regular shipping releases (general or limited) and early releases. A regular release will almost always have a simple number with no release identifier, such as 12.0.8. An early release will usually include an identifier, and may also include a number in parentheses. For example, the release 12.1.3T is IOS version 12.1, revision 3, identifier T. The T identifier designates an early release of new technology features. For operational purposes, it is usually best to avoid early release software, unless it has some required, critical feature. There is a complex naming scheme for early releases that is beyond the scope of this guide; consult [1] for complete details. Some of the suffixes that you might see on special-purpose releases include XA, HA, F. You might also see maintenance revision numbers in parentheses, usually for ED releases; for example, 11.2(9)XA.

232

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Glossary

Every Cisco IOS release has a release type. The table below describes the types.
Type Description Early Deployment a pre-shipping release that supports new features, protocols, or hardware. Limited Deployment this is the status of a release when it is first shipped to customers (FCS). Releases at this level are sometimes pre-installed on routers sold by Cisco. General Deployment a stable shipping release suitable for general use. Most Cisco routers sold come with a GD release pre-installed. Remarks This could be considered the beta release for an IOS version. LD releases are usually stable, but have not undergone the extensive customer shakedown and bug fixes of a GD release. The most stable type of a release, a GD has usually been subject to several rounds of bug fixes since first shipping. DF releases are not available to customers.

Deferred Release a release that was built and named, but later retracted.

The revision numbers for a given release run sequentially, even as the release status moves from ED to GD. As an example, look at IOS 12.0: for the 3640 router, 12.0.1 was ED, 12.0.4 was LD, and 12.0.8 was GD.

Releases, Features, and the Cisco IOS Upgrade Planner

Every Cisco IOS release is built with a variety of feature sets. The feature sets have names that are roughly evocative of what the features are; two common names are IP PLUS and ENTERPRISE/APPN. All feature sets support basic IP routing and filtering, but some also support firewall or IPSec functions (see Section 5) or mainframe protocols, or telephony. IOS versions with more features will require more memory, so it is generally a good idea to use the simplest feature set that meets the networks needs. Some commercial organizations customarily purchase routers with the maximum memory capacity pre-installed, to give the greatest latitude for future expansion. The Cisco web site provides a Software Center where authorized customers can download software products, including Cisco IOS releases. The part of the software center that contains the IOS releases is called the Cisco IOS Upgrade Planner. Registered Cisco customers with software maintenance contracts may download IOS releases via the Upgrade Planner; it supports choosing versions in a very flexible way. It presents the different available releases in a friendly tabular arrangement, and allows you to select items of interest (hardware mode, feature set, release number) in any order. When you use the IOS Upgrade Planner to select a particular IOS software release, it supplies the hardware and memory requirements for that release before permitting

Version 1.0j

UNCLASSIFIED

233

Router Security Configuration Guide

UNCLASSIFIED

you to download it. Be very careful to check these requirements against the router on which you hope to run the software, ensure that amounts of installed memory meet or exceed the requirements before attempting to load the IOS release. Cisco also offers a hardware/software compatibility matrix checker, freely available on their web site. Using this tool [3], you can check what IOS releases are supported on your router model.

8.3.2. Major Releases and their Features

There are at least five major releases of Cisco IOS software currently in use in operational environments: 11.1, 11.2, 11.3, 12.0, 12.1, and 12.2. The lists below describe some of the major features introduced into IOS in each of these releases, with emphasis on security-relevant features. All earlier Cisco IOS releases, 11.0 and 10.x, are now unsupported by Cisco, although they are still available for download.

IOS 11.1
The 11.1 release was the last IOS release to use the old classic or monolithic architecture. While exceedingly stable and robust, it did not offer extensive security features. IOS 11.1 was first deployed in 1996, and engineering development for it was dropped in 1999. Some of the important features ! RIPv2 (see Section 4.5) ! The IOS web server and web browser management interface [IOS 11.1(5) and later] ! RADIUS support (as part of AAA, see Section 4.6) ! RMON support (see Section 4.5) ! Lock-and-Key dynamic access lists IOS 11.1 is available as a GD release for all older Cisco routers, but is not available for some of the popular newer models (e.g. 7500, 1605, 3660).

IOS 11.2
The 11.2 release was the first IOS version to fully implement Ciscos modular architecture for router software. A great many new features were added to IOS over the lifetime of 11.2, a few of them are listed below. ! Named access control lists (See Section 4.3) ! Network address translation (NAT)

234

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Glossary

! Support for RSVP and IP Quality-of-Service (see Section 7.5) ! Various OSPF and BGP4 enhancements ! Initial support for TCP Intercept (IOS 11.2F only) ! Early (pre-IPSec) VPN support ! Early versions of the IOS firewall feature set and CBAC (see Section 5.3) IOS 11.2 is available as a GD release for many popular Cisco router models, but not all of them.

IOS 11.3
11.3 was used to introduce a large number of new features into IOS, but it was never officially shipped as a GD release. Some of the features introduced in 11.3 are listed below. ! Initial implementations of IPSec (11.3T) ! Cisco Encryption Technology (CET) VPNs ! Enhancements to AAA (See Section 4.7) ! Full IOS firewall feature set and CBAC (11.3T) ! Reflexive access lists ! TCP Intercept (full availability) ! Initial support for VLAN routing ! Enhanced IOS filesystem and initial support for FTP ! HTTP authentication for the IOS web server IOS 11.3 is available for almost all Cisco router models, but only at the ED and LD release levels.

IOS 12.0
The 12.0 and 12.0T releases brought together a wide variety of features that had previously been available only in selected LD and ED releases of IOS 11. 12.0 was designed to be the basis for future router software releases, and to help eliminate the confusion of specialized releases that plagued 11.1 through 11.3. Some of the security-relevant features introduced or consolidated in 12.0 are listed below. ! Full support for the Firewall feature set and CBAC ! Initial version of IOS Intrusion Detection (IDS)

Version 1.0j

UNCLASSIFIED

235

Router Security Configuration Guide

UNCLASSIFIED

! Full support for IPSec ! Commented IP access list entries ! Full support for the Layer 2 Tunneling Protocol (L2TP) ! SNMP version 3 (See Section 4.6) ! Time-based access lists ! General availability of ip unicast reverse-path verification [Section 4.4] IOS 12.0 is available in both LD and GD forms for all supported Cisco router platforms, and many other Cisco hardware products.

IOS 12.1
The 12.1 release is an incremental step forward from 12.0. While it is expected to reach GD status, as of the summer of 2001 12.1 was only available at LD and ED levels. Some of the security features that appeared in 12.1 are listed below. ! Enhanced IPSec certificate management and AAA integration ! AAA accounting enhancements ! Unicast reverse path forwarding security enhancements ! Initial broad support for Secure Shell (SSH Version 1) server

IOS 12.2
The 12.2 release adds some new features to 12.1, as well as enhancements to some core security features. As of late 2001, IOS 12.2 had not yet reached GD status. A few of the many enhancements in 12.2 are listed below. ! Improved support for IP Quality-of-Service and RSVP ! Multi-Protocol Label Switching (MPLS) support ! Enhancements to SSH support ! Enhancements to IPSec and IKE ! Turbo Access Lists Ciscos web site offers a useful service called the Feature Navigator that supports searching for features by name or release number. The service is available to registered customers at http://www.cisco.com/cgi-bin/Support/FeatureNav/FN.pl.

236

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Glossary

8.3.3. References
[1] Coulibaly, M.M., Cisco IOS Releases: The Complete Reference, Cisco Press, 2000. This highly specialized book covers the Cisco IOS release system and release history in painstaking detail. However, it only covers up through IOS 12.0. [2] Cisco IOS Reference Guide, Cisco White Papers, Cisco Systems, 2001. available at: http://www.cisco.com/warp/public/620/1.html This detailed web page explains the IOS release naming scheme, and includes a map of releases up through 12.0.
[3]

Hardware/Software Compatibility Matrix, part of the Cisco Software Advisor, Cisco Systems, 2001. available at:
http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

This interactive web page allows you to find IOS releases compatible with particular router models.

Version 1.0j

UNCLASSIFIED

237

Router Security Configuration Guide

UNCLASSIFIED

8.4. Glossary of Router Security-related Terms

AAA
Authentication, Authorization, and Accounting The advanced user access control and auditing facility in Cisco IOS 11 and 12. (See also RADIUS and TACACS+) Access Control List - See Access List A set of rules that identify, permit, or restrict network traffic, usually based on addresses and other information from the packet headers. Cisco IOS depends heavily on access lists for traffic filtering, access to router services, IPSec configuration, and more. Authentication Header a part of IPSec, the packet format and protocol for IP integrity assurance services. (see also IPSec, IKE, ESP) Address Resolution Protocol link-layer protocol used for mapping from IP addresses to MAC addresses in LAN environments. ARP is standardized in RFC 826. (See also MAC Address, LAN, Proxy-ARP) Asynchronous Transfer Mode virtual-circuit oriented link layer protocol, used for network backbones, LANs, and telecommunications facilities. (See also LANE) Border Gateway Protocol an advanced routing protocol mostly using on backbone routers. BGP is standardized in RFC 1267. Content-Based Access Control packet inspection system used for application firewall functionality in Cisco routers. Cisco Discovery Protocol a proprietary link layer protocol that Cisco routers use to identify each other on a network. Not commonly used today. Cisco Express Forwarding a proprietary packet transfer technology used inside most Cisco router models. Dynamic Host Configuration Protocol UDP-based protocol for assigning host network attributes, like IP addresses and gateways, on the fly. DHCP is standardized in RFC 2131.

ACL Access List

ARP

ATM

BGP

CBAC CDP

CEF DHCP

238

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Glossary

DNS

Domain Name System hierarchical naming scheme used for host and network names on most IP networks, including the Internet. DNS is also the name for the protocol used to transmit and relay domain name information. DNS is standardized in RFCs 1034 and 1035. Denial of Service this abbreviation is often used for network attacks that prevent a network component from providing its operational functions, or that crash it. Distributed Denial of Service This abbreviation is used for DoS attacks that use multiple (usually hundreds or more) coordinated network data sources to attack a single victim. Extended Interior Gateway Routing Protocol A Cisco proprietary routing protocol, not commonly used (see also OSPF). A slang expression for a privileged EXEC session on a Cisco router, derived from the command used to request privileged EXEC mode: enable. Encapsulated Security Payload a part of IPSec, the packet format and protocol for IP confidentiality services (see also IPSec, IKE, AH) File Transfer Protocol widely-used TCP-based file transfer and file management protocol. Typically, FTP control messages are passed on TCP port 21. FTP is standardized in RFC 959. Internet Control Message Protocol a support protocol used along with IP for control and status message. ICMP is a network layer protocol that provides error messages and management capabilities in IP networks. ICMP is standardized in RFC 792. Internet Engineering Task Force the technical and consultative body that defines standards for the Internet. IETF standards are published by RFC number, the list of current standards is RFC 2400. Internet Key Exchange the standard security negotiation and key management protocol used with IPSec. IKE is standardized in RFC 2409. Internet Operating System Ciscos name for the modular software system that runs on their routers and some other network devices.

DoS

DDoS

EIGRP

Enable mode

ESP

FTP

ICMP

IETF

IKE

IOS

Version 1.0j

UNCLASSIFIED

239

Router Security Configuration Guide

UNCLASSIFIED

Internet Protocol The network-layer protocol on which the Internet is built. There are two extant versions of IP: IPv4 and IPv6. IPv4 is standardized in RFC 791. IPv6 is standardized in RFC 1883. [Note: all the discussion in this guide concerns IPv4.] Internet Protocol Security a set of standards that define confidentiality and integrity protection for IP traffic. IPSec is standardized by a set of RFCs including RFC 2401. Internet Security Association Key Management Protocol one of the precursors of IKE (see also IKE, IPSec). Kerberos was developed by the Massachusetts Institute of Technology as a network authentication system, and it provides strong authentication for client/server applications by using secret-key cryptography. Kerberos is standardized in RFC 1510 (see also RADIUS). Local Area Network general term for a single-segment or switched network of limited physical and organizational extent. LAN Emulation A standard mechanism for routing IP packets over ATM. Layer 2 Tunnel Protocol A standard protocol for forwarding low-level protocols over IP networks. L2TP is standardized in RFC 2661. Media Access Control address the link layer address of a network interface, especially Ethernet interfaces. An Ethernet MAC address is 48 bits long. Message Digest algorithm 5 a widely-used cryptographic checksum algorithm, standardized in RFC 1321. Management Information Base the hierarchical data organization used by SNMP. (See also SNMP) Multi-Protocol Over ATM A proposed standard mechanism for hosting network protocols (such as IP) over ATM. (See also LANE) An operational feature of IP, in which packets can be broadcast to particular recipients based on address. In IPv4, addresses from 224.0.0.0 to 225.255.255.255 are usually multicast group addresses. Network News Transfer Protocol a TCP-based application protocol that usually runs on port 119.

IPSec

ISAKMP Kerberos

LAN

LANE L2TP

MAC Address

MD5 MIB MPOA

Multicast

NNTP

240

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Glossary

NTP

Network Time Protocol the standard network time synchronization protocol, can use UDP or TCP, but usually uses UDP, port 123. NTP is standardized in RFC 1305. Open Shortest Path First an IP routing protocol that uses a link-state distance metric. OSPF is standardized in RFC 2328. (See also RIP) Public Key Infrastructure mechanisms and components for management of keys, certificates, and enrollment. Any application that acts as an intermediary in the network exchanges between two applications or services. Proxy applications are often employed to moderate exchanges through a firewall. A facility offered by some routers where a router responds to ARP queries from a connected LAN on behalf of hosts on other LANs. Rarely used. The Remote Authentication Dial-In User Service (RADIUS) is specified by the IETF RFC 2058. Using RADIUS, access servers can communicate with a central server to authenticate, authorize, and audit user activities. Request For Comments a document describing an Internet standard, proposed standard, or information related to or supports a standard. (See IETF) Router Information Protocol a simple inter-gateway routing protocol that uses hop count as its distance metric. RIP is standardized by RFCs 1088, 1388, and 1723. (See also OSPF) Remote MONitoring facilities for remote performance and traffic monitoring of network devices, based on SNMP. Direction and management of paths through a multi-segment network. (See also RIP, OSPF) Resource reSerVation Protocol fairly new standard protocol for requesting quality-of-service guarantees in IP networks. RSVP is standardized in RFC 2205. Simple Mail Transfer Protocol a TCP-based protocol for sending and relaying e-mail messages. SMTP is standardized in RFC 821. Simple Network Management Protocol datagram protocol used for monitoring and configuring network devices. SNMP uses UDP ports 161 and 162. SNMP is standardized in RFC 1157 and other RFCs. (See also RMON);

OSPF

PKI Proxy

Proxy-ARP

RADIUS

RFC

RIP

RMON Routing RSVP

SMTP

SNMP

Version 1.0j

UNCLASSIFIED

241

Router Security Configuration Guide

UNCLASSIFIED

SSH Syslog

Secure Shell a remote access protocol that provides confidentiality, integrity, and authentication services. A very simple UDP-based protocol used for logging by Unix systems and Cisco routers. Syslog usually employs UDP port 514. Terminal Access Controller Access Control System Plus a security protocol to provide centralized authentication, authorization, and accounting of users accessing a router or access server. TACACS+ is defined by Cisco. Transmission Control Protocol connection-oriented data protocol used with IP. TCP supports a large number of application layer network services, including Telnet, web, FTP, and e-mail. A simple TCP-based protocol for remote login, usually on port 23. Also used to refer to client applications that support the protocol. Trivial File Transfer Protocol simple UDP-based file transfer protocol, distinguished by its lack of any support for authentication. TFTP normally uses UDP port 69. TFTP is standardized in RFC 1350. User Datagram Protocol message-oriented data protocol used with IP. UDP is the basis for many core network services, including DNS, RIP, and NTP. UDP is standardized in RFC 768. Virtual Private Dialup Network an application of VPN technology to secure remote-dialup connections, giving a remote user secure connectivity to their home base network. (see also VPN) Virtual Private Network a closed network of communicating computers or LANs, using the public network as the transport. Usually the traffic between members of the VPN is protected by IPSec during transit over the public network. Virtual TeletYpe an interface on a host or router that provides the interactive services of a terminal. Cisco routers use VTY lines to host Telnet sessions (see Telnet).

TACACS+

TCP

Telnet

TFTP

UDP

VPDN

VPN

VTY

Cisco offers an large glossary of Internetwork technology terms and acronyms at their web site: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ita/. Explanations and documentation about a very wide variety of protocols may be found at http://www.protocols.com/.

242

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Additional Resources

9. Additional Resources
The references below can be useful in designing secure network configurations, and in understanding and maintaining router security.

9.1. Bibliography
The list below consists of books that are useful for router configuration and security, collected from the reference lists throughout this guide.

Albritton, J. Cisco IOS Essentials, McGraw-Hill, 1999. An excellent introduction to basic usage and configuration of IOS routers. Ballew, S.M., Managing IP Networks with Cisco Routers, OReilly Associates, 1997. A practical introduction to the concepts and practices for using Cisco routers, with lots of pragmatic examples. Baker, F. ed. Requirements for IP Version 4 Routers, RFC 1812, June 1995. A comprehensive introduction to the facilities that an IP router must provide to support the Internet. Black, U. IP Routing Protocols, Prentice Hall, 2000. A very good survey of routing protocols and the technologies behind them, with some discussion of applications. Buckley, A. ed. Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. This is the reference manual and guide for basic configuration tasks in IOS 12.0. Sections particularly relevant to Router Access Security include: IOS User Interfaces and File Management. Chapman, D.B., Cooper, S., and Zwicky, E.D., Building Internet Firewalls, 2nd Edition, OReilly & Associates, 2000. A seminal overview of network boundary security concerns and techniques. This revised edition includes all the sound background of the original, with extensive updates for newer technologies. Chappell, Laura, Editor, Advanced Cisco Router Configuration, Cisco Press, 1999. Great reference book for a variety of Cisco configuration topics, including routing and routing protocols.

Version 1.0j

UNCLASSIFIED

243

Router Security Configuration Guide

UNCLASSIFIED

Cisco IOS 12.0 Configuration Fundamentals, Cisco Press, 1999. The configuration fundamentals guide and reference in book form; handy to have, but the documentation CD is usually easier to use. Cisco IOS Release 12.0 Security Configuration Guide, Cisco Press, 1999. This is the reference manual and guide for major security features in IOS 12.0, along with many examples. Doraswamy, N. and Harkins, D. IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Prentice-Hall, 1999. Contains a good overview and substantial technical detail about IPSec and related topics. Held, G., and Hundley, K., Cisco Access List Field Guide, McGraw-Hill, 1999. This book offers detailed information and examples on access list syntax and usage. Held, G. and Hundley, K., Cisco Security Architectures, McGraw-Hill, 1999. This book includes excellent general advice about router and router-related network security, in addition to its Cisco-specific material. Moy, J.T. OSPF Anatomy of an Internet Routing Protocol, Addison-Wesley, 1998. Detailed analysis of OSPF and MOSPF, with lots of practical advice, too. Includes a good section on troubleshooting. Parkhurst, W.R. Cisco Router OSPF - Design and Implementation Guide, McGraw-Hill, 1998. Comprehensive and practical guide to OSPF use. Includes discussion of design issues, security, implementation, and deployment. Rybaczyk, P., Cisco Router Troubleshooting Handbook, M&T Books, 2000 A very practical book, oriented toward finding and correcting problems with router connectivity and routing protocols. Stevens, W.R., TCP/IP Illustrated, Volume 1, Addison-Wesley, 1994. The most comprehensive and readable guide to the TCP/IP protocol suite; great technical background for any network analyst. Thomas, T.M. OSPF Network Design Solutions, Cisco Press, 1998. This book starts with a good overview of IP routing and related technologies, then goes on to explain how to configure Cisco routers for OSPF in a wide variety of situations.

244

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Additional Resources

9.2. Web Site References

The list below consists of pointers to web sites that provide useful information about routers, network security, and vulnerabilities.

CERT
http://www.cert.org/

The Carnegie-Mellon University Computer Emergency Response Team (CERT) maintains a web site about network vulnerabilities. Many of the incident reports, advisories, and tips are relevant to router security.

Cisco Documentation
http://www.cisco.com/univercd/home/home.htm

This is the root of the Cisco documentation tree. From this page, you can find IOS software documentation, tutorials, case studies, and more.

Cisco Press
http://www.ciscopress.com/

At the web site of Ciscos publishing arm, you can order a wide variety of books about Cisco routers and related networking technologies.

Cisco Security Technical Tips

http://www.cisco.com/warp/public/707/

This page is the root of Ciscos security area. From here, you can find the Cisco security advisories, information about security technologies and more.

IETF
http://www.ietf.org http://www.rfc-editor.org/

The IETF is the standards body that defines and maintains the protocol standards for the Internet. Use these sites to look up protocol standards and track emerging technologies that are becoming standards.

Microsoft
http://www.microsoft.com http://support.microsoft.com/support/

Microsofts site offers extensive information about networking their products, and about product vulnerabilities. This information can often be helpful in configuring routers that protect Microsoft-based networks.

Version 1.0j

UNCLASSIFIED

245

Router Security Configuration Guide

UNCLASSIFIED

Packet Storm
http://packetstorm.securify.com/

This site is an excellent resource for network security news, vulnerability announcements, and tools.

Protocols.com
http://www.protocols.com/

This commercial web site offers descriptions and links to information about a very wide range of protocols and telecommunication data formats, as well as a pretty good glossary.

Security Focus
http://www.securityfocus.com/

Security Focus is a good site for security news and vulnerabilities. Although it doesnt usually have much information about routers, it sometimes gives advice on how to forestall certain attacks by using your routers.

246

UNCLASSIFIED

Version 1.0j

UNCLASSIFIED

Additional Resources

9.3. Tool References

The list below describes some well-respected non-commercial tools that may be helpful in router administration and improving network security.

Ethereal
http://ethereal.zing.org/

Ethereal is an effective sniffer, a network traffic capture and analysis tool. Tools like Ethereal are valuable for diagnosing and testing router and network security.

Minicom
http://www.pp.clinet.fi/~walker/minicom.html

Minicom is a small, effective terminal emulation tool for Linux and Unix. While it has no fancy GUI, minicom is fast, efficient, flexible, and will serve well as a Cisco router console application on Linux.

NET-SNMP
http://net-snmp.sourceforge.net/

NET-SNMP is a free software toolkit for SNMP, originally created and distributed by the University of California at Davis. It was formerly called ucd-snmp.

Nessus
http://www.nessus.org/

The Nessus security scanner is a handy tool for getting a quick idea of the security vulnerabilities present on a network. While Nessus is primarily oriented toward scanning host computers, it may also be used to scan routers.

NCAT/RAT
http://ncat.sourceforge.net/

NCAT is a general-purpose configuration-checking tool, RAT is a version specifically targeted to checking router configurations. The included rule sets may be used, or extended with rules that enforce your local security policy. This tool is still under development.

Nmap
http://www.insecure.org/nmap/ http://www.eeye.com/html/Databases/Software/nmapnt.html

This is the most widely used port-scanning tool for Linux and Unix systems. It can perform TCP, UDP, and address scans in a variety of ways, and is an invaluable tool for confirming filtering configurations. A version is also available for Windows NT/2000 systems.

Version 1.0j

UNCLASSIFIED

247

Router Security Configuration Guide

UNCLASSIFIED

OpenSSH
http://www.openssh.com/

The OpenSSH project offers a free, usable implementation of the SSH security protocol for a wide variety of platforms.

SAINT
http://www.wwdsi.com/saint/index.html

The Security Administrators Integrated Network Tool (SAINT) is an advanced derivative of SATAN. It can provide valuable security scanning services for hosts, routers, and networks.

SATAN
http://www.fish.com/~zen/satan/satan.html

The Security Administrators Tool for Analyzing Networks (SATAN) is primarily oriented toward network security assessment of traditional host computers, but it can also identify security vulnerabilities of routers and the network boundary protection they provide.

TeraTerm Pro
http://hp.vector.co.jp/authors/VA002416/teraterm.html

TeraTerm is an freely available terminal emulator and telnet application for Windows operating systems. It makes a most effective Cisco router console application.

248

UNCLASSIFIED

Version 1.0j

TCPIP4e Solutions Ch07
100% (11)
TCPIP4e Solutions Ch07
4 pages
Hcia Datacom
100% (4)
Hcia Datacom
198 pages
2.9.2 Lab - Basic Switch and End Device Configuration - ILM
No ratings yet
2.9.2 Lab - Basic Switch and End Device Configuration - ILM
12 pages
1-Booklist For CCIE
No ratings yet
1-Booklist For CCIE
3 pages
09 - SRX - Ipsec VPN
No ratings yet
09 - SRX - Ipsec VPN
64 pages
The Evolution of Internet Services PDF
No ratings yet
The Evolution of Internet Services PDF
12 pages
Deploy Firewalls in Cisco Programmable Fabric
No ratings yet
Deploy Firewalls in Cisco Programmable Fabric
75 pages
Collision and Broadcast Domain
No ratings yet
Collision and Broadcast Domain
3 pages
Mastering SaltStack - Second Edition
From Everand
Mastering SaltStack - Second Edition
Joseph Hall
No ratings yet
Arista Eos Rn-4.19.1f
No ratings yet
Arista Eos Rn-4.19.1f
26 pages
Subnetting Tricks Subnetting Made Easy With Examples
No ratings yet
Subnetting Tricks Subnetting Made Easy With Examples
2 pages
Benefits of Upgrading To The Latest Cisco Wireless Controllers
No ratings yet
Benefits of Upgrading To The Latest Cisco Wireless Controllers
4 pages
Cisco APIC REST API User Guide
No ratings yet
Cisco APIC REST API User Guide
66 pages
8.BGP Auto-Summary
No ratings yet
8.BGP Auto-Summary
5 pages
CISCO Vs ALU Commad Comparison Ver1.1 1st March 2013
No ratings yet
CISCO Vs ALU Commad Comparison Ver1.1 1st March 2013
17 pages
CCNP - BSCI.Quick - Reference.Sheets - Exam.642901 Ebook - Ipmanager.ir PDF
100% (1)
CCNP - BSCI.Quick - Reference.Sheets - Exam.642901 Ebook - Ipmanager.ir PDF
73 pages
Tidbit - IOS-XR BGP Allocate Label + Some Inter-AS VPNv4 - Come Route With Me!
No ratings yet
Tidbit - IOS-XR BGP Allocate Label + Some Inter-AS VPNv4 - Come Route With Me!
5 pages
Configurar o Gns3
No ratings yet
Configurar o Gns3
12 pages
Ccna Notes Ahmed Saeed
No ratings yet
Ccna Notes Ahmed Saeed
50 pages
Building Cisco Service Provider Next-Generation Networks, Part 1 - Student Guide
0% (1)
Building Cisco Service Provider Next-Generation Networks, Part 1 - Student Guide
20 pages
Switching PDF
No ratings yet
Switching PDF
104 pages
Charles Media Cisco Ip Routing Protocols Troubleshooting Techniques 2004
100% (1)
Charles Media Cisco Ip Routing Protocols Troubleshooting Techniques 2004
362 pages
Juniper IGMP
No ratings yet
Juniper IGMP
12 pages
10.BGP Messages
No ratings yet
10.BGP Messages
8 pages
Layer2 Network Design
No ratings yet
Layer2 Network Design
102 pages
26-CCNP-Route BGP Case Study
No ratings yet
26-CCNP-Route BGP Case Study
4 pages
BGP Notes
No ratings yet
BGP Notes
29 pages
Mastering Netscaler VPX Paperback Ebook
No ratings yet
Mastering Netscaler VPX Paperback Ebook
4 pages
Authentication, Authorization, and Accounting (AAA)
No ratings yet
Authentication, Authorization, and Accounting (AAA)
20 pages
BGP Confederation Explained: IBGP Tutorial
No ratings yet
BGP Confederation Explained: IBGP Tutorial
7 pages
Cisco Press Ccie Routing TCP IP Volume Two
No ratings yet
Cisco Press Ccie Routing TCP IP Volume Two
965 pages
JNCIE-SP-12.a_SG_
No ratings yet
JNCIE-SP-12.a_SG_
344 pages
All CBT Courses by Path
No ratings yet
All CBT Courses by Path
7 pages
2014 BRKSPG-2722 SDN Asr9k
No ratings yet
2014 BRKSPG-2722 SDN Asr9k
130 pages
Network Engineer Interview Questions
100% (1)
Network Engineer Interview Questions
4 pages
Routing Policy
No ratings yet
Routing Policy
2,997 pages
Config Guide Firewall Filter
100% (1)
Config Guide Firewall Filter
468 pages
B Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide Release 6.x
No ratings yet
B Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide Release 6.x
144 pages
Auto Export Understanding
No ratings yet
Auto Export Understanding
12 pages
CISCO Books List
No ratings yet
CISCO Books List
2 pages
VMware Vmotion Inter Data Center Workload Mobility
No ratings yet
VMware Vmotion Inter Data Center Workload Mobility
35 pages
CN1 - Ebook of Computer Networks - Wosem
No ratings yet
CN1 - Ebook of Computer Networks - Wosem
361 pages
Configuring Q in Q Vlan Tunnels
No ratings yet
Configuring Q in Q Vlan Tunnels
10 pages
CLI Reference Guide Panorama 5.1 PAN OS 5.0
No ratings yet
CLI Reference Guide Panorama 5.1 PAN OS 5.0
562 pages
OSPF Definition: Open Shortest Path First (OSPF), Is A Routing
No ratings yet
OSPF Definition: Open Shortest Path First (OSPF), Is A Routing
14 pages
B1 - Overlay Virtual Networking and SDDC
No ratings yet
B1 - Overlay Virtual Networking and SDDC
278 pages
BGP Route Filtering - Access Lists Vs Prefix Lists - Networks Baseline - Cisco Engineers Live
No ratings yet
BGP Route Filtering - Access Lists Vs Prefix Lists - Networks Baseline - Cisco Engineers Live
20 pages
Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
No ratings yet
Cisco IOS IP Addressing Services Configuration Guide, Release 12.4
436 pages
Understanding STP RSTP Convergence PDF
100% (1)
Understanding STP RSTP Convergence PDF
34 pages
Fortigate Traffic Shaping 40 mr2 PDF
No ratings yet
Fortigate Traffic Shaping 40 mr2 PDF
56 pages
Material SP
No ratings yet
Material SP
828 pages
Bản Sao Của Ajsec-lg
No ratings yet
Bản Sao Của Ajsec-lg
400 pages
BGP Book
No ratings yet
BGP Book
382 pages
Datacenter Ethernet PDF
No ratings yet
Datacenter Ethernet PDF
44 pages
Chapter 9: Determining IP Routes
No ratings yet
Chapter 9: Determining IP Routes
70 pages
Works
No ratings yet
Works
400 pages
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
From Everand
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
Peter van de Put
4.5/5 (2)
NSA Router Security Configuration Guide
No ratings yet
NSA Router Security Configuration Guide
249 pages
Notas GNS3
No ratings yet
Notas GNS3
304 pages
Nsa Cisco Router Security Guide
No ratings yet
Nsa Cisco Router Security Guide
304 pages
Router Security Config Guide
No ratings yet
Router Security Config Guide
304 pages
Router Security Configuration Guide
No ratings yet
Router Security Configuration Guide
291 pages
White Paper-Securing Cisco Routers
No ratings yet
White Paper-Securing Cisco Routers
31 pages
Juniper Networks Router Security: Best Common Practices For Hardening The Infrastructure
No ratings yet
Juniper Networks Router Security: Best Common Practices For Hardening The Infrastructure
24 pages
A Routing Protocol For Lora Mesh Networks
No ratings yet
A Routing Protocol For Lora Mesh Networks
6 pages
BGP Route Selection
No ratings yet
BGP Route Selection
45 pages
Tutorial BGP Multihoming Techniques SANOG24
No ratings yet
Tutorial BGP Multihoming Techniques SANOG24
176 pages
Expert Ip Test Tools
No ratings yet
Expert Ip Test Tools
4 pages
IP Address Solved MCQs With Answers in PDF
No ratings yet
IP Address Solved MCQs With Answers in PDF
4 pages
Ipv6 Addressing Scheme - Modules 6 To 9: ISP Workshop Lab
No ratings yet
Ipv6 Addressing Scheme - Modules 6 To 9: ISP Workshop Lab
2 pages
NAT Configuration Command
No ratings yet
NAT Configuration Command
2 pages
Contoh Subnetting (Fix)
No ratings yet
Contoh Subnetting (Fix)
34 pages
01-Format Laporan Praktikum - Instalasi Sistem Operasi Jaringan
No ratings yet
01-Format Laporan Praktikum - Instalasi Sistem Operasi Jaringan
3 pages
CCNA Certification EIGRP Configuration Lab Simulation
No ratings yet
CCNA Certification EIGRP Configuration Lab Simulation
8 pages
CN MCQ QB
No ratings yet
CN MCQ QB
30 pages
Binary To Decimal Conversion: 128 64 32 16 8 4 2 1 Answers Scratch Area
No ratings yet
Binary To Decimal Conversion: 128 64 32 16 8 4 2 1 Answers Scratch Area
10 pages
Lab 5.5.1: Examining A Device's Gateway: Topology Diagram
No ratings yet
Lab 5.5.1: Examining A Device's Gateway: Topology Diagram
8 pages
Ip Addressing Sample Questions and How To Answer
No ratings yet
Ip Addressing Sample Questions and How To Answer
1 page
HC110110026 Network Address Translation
No ratings yet
HC110110026 Network Address Translation
20 pages
Cisco Nat Xe 16 Book
No ratings yet
Cisco Nat Xe 16 Book
368 pages
Internet Connection
No ratings yet
Internet Connection
1 page
Practical 6 Security VPN GRE
No ratings yet
Practical 6 Security VPN GRE
6 pages
TP 1
No ratings yet
TP 1
3 pages
Chapter 1 Routing Concepts
No ratings yet
Chapter 1 Routing Concepts
48 pages
Cisco - Passit4sure.300 101.v2015!05!19.by - Robert.65q
No ratings yet
Cisco - Passit4sure.300 101.v2015!05!19.by - Robert.65q
76 pages
Connection Log
No ratings yet
Connection Log
54 pages
Security Aspects & Performance Analysis of Mobile & IP Networks - Contents
No ratings yet
Security Aspects & Performance Analysis of Mobile & IP Networks - Contents
3 pages
Untitled
No ratings yet
Untitled
417 pages
IP Sec: Waleed Ejaz
No ratings yet
IP Sec: Waleed Ejaz
28 pages
Lecture - 6 - PIM Dense Mode
No ratings yet
Lecture - 6 - PIM Dense Mode
4 pages