Chapter 15

Securing Your Network

Router Considerations
The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP). If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers. The configuration categories for the router are:

y y y y y y

Patches and updates Protocols Administrative access Services Auditing and logging Intrusion detection

Patches and Updates
Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found and they inevitably will be found good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.

Denial of service attacks often take advantage of protocol-level vulnerabilities, for example, by flooding the network. To counter this type of attack, you should:

y y

Use ingress and egress filtering. Screen ICMP traffic from the internal network.

Use Ingress and Egress Filtering Spoofed packets are representative of probes, attacks, and a knowledgeable attacker. Incoming packets with an internal address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to route outgoing packets only if they have a valid internal IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network.

use it in echo-reply mode only. While ICMP can be used for troubleshooting. Do Not Receive or Forward Directed Broadcast Traffic Directed broadcast traffic can be used to enumerate hosts on a network and as a vehicle for a denial of service attack. Screen ICMP Traffic from the Internal Network ICMP is a stateless protocol that sits on top of IP and allows host availability information to be verified from one host to another. .org/rfc/rfc2267. If you must enable it. Trace routing is a means to collect network topology information.1. Therefore. you prevent an attacker from learning details about your network from trace routes.txt. For example. you prevent malicious echo requests from causing cascading ping floods. it can also be used for network discovery and mapping. see "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing" at http://www. Other ICMP vulnerabilities exist that justify blocking this protocol. Commonly used ICMP messages are shown in Table 15. By blocking packets of this type. Prevent TTL Expired Messages with Values of 1 or 0 Trace routing uses TTL values of 1 and 0 to count routing hops between a client and a server. Source addresses that should be filtered are shown in Table 15.2. For more information.This type of filtering also enables the originator to be easily traced to its true source since the attacker would have to use a valid and legitimately reachable source address. by blocking specific source addresses. Table 15.1 Commonly Used ICMP Messages Message Description Echo request Determines whether an IP node (a host or a router) is available on the network Echo reply Replies to an ICMP echo request Destination unreachable Informs the host that a datagram cannot be delivered Source quench Informs the host to lower the rate at which it sends datagrams because of congestion Redirect Time exceeded Informs the host of a preferred route Indicates that the time to live (TTL) of an IP datagram has expired Blocking ICMP traffic at the outer perimeter router protects you from attacks such as cascading ping floods. control the use of ICMP.rfceditor.

0/12 Loopback Link local networks RFC 1918 private network Administrative Access From where will the router be accessed for administration purposes? Decide over which interfaces and ports an administration connection is allowed and from which network or host the administration is to be performed.0. see "Configuring Broadcast Suppression" on the Cisco Web site at http://www.0/8 10.0.0/16 224. Apply strong password policies.0/4 TEST-NET RFC 1918 private network Class D multicast 15.0/8 Historical broadcast RFC 1918 private network 127.0.0/5 255. Do not leave an Internet-facing administration interface available without encryption and countermeasures to prevent hijacking. Restrict access to those specific locations.0/5 192.0/16 ml. Use static routing.255/32 Class E reserved Unallocated Broadcast For more information on broadcast suppression using Cisco routers. In addition: y y y Disable unused interfaces.2 Source Addresses That Should be Filtered Source address Description 0.

. Audit Web Facing Administration Interfaces Also determine whether internal access can be configured. every open port is associated with a listening service.y Audit Web facing administration interfaces. Attackers learn what your security priorities are and attempt to work around them. number. You should also scan your router to detect which ports are open. Intrusion Detection With restrictions in place at the router to prevent TCP/IP attacks. Examples include bootps and Finger. An auditing schedule should be established to routinely inspect logs for signs of intrusion and probing. When possible. and it is probably not updated. it can be cracked. An attacker might try to change routes to cause denial of service or to forward requests to a rogue server. shut down the external administration interface and use internal access methods with ACLs. a router logs all deny actions. Use Static Routing Static routing prevents specially formed packets from changing routing tables on your router. By using static routes. which are rarely required. To reduce the attack surface area. Services On a deployed router. Intrusion Detection Systems (IDSs) can show where the perpetrator is attempting attacks. It can discover common passwords where a letter is replaced by a number. an administrative interface must first be compromised to make routing changes. For example. the router should be able to identify when an attack is taking place and notify asystem administrator of the attack. and symbol combinations when creating passwords. Disable Unused Interfaces Only required interfaces should be enabled on the router. if "p4ssw0rd" is used as a password. Modern routers have an array of logging features that include the ability to set severities based on the data logged. Also secure log files in a central location. default services that are not required should be shut down. this default behavior should not be changed. Always use uppercase and lowercase. This might expose you to unknown attacks on those interfaces. Apply Strong Password Policies Brute force password software can launch more than just dictionary attacks. Auditing and Logging By default. An unused interface is not monitored or controlled.

com/blog/networking/how-to-properly-secure-your-cisco-router-withpasswords/569 By David Davis June 26. They are set up in a hierarchical manner.+++++ http://www. There is no automatic password defense that comes with your router. hopefully. the more privilege you have and. and shows you how to configure the five main passwords that protect your network. As a Cisco admin. They are: . which means that the deeper the access. explains the three modes for the Cisco IOS. ³Fundamentals: Five Ways to Secure Your Cisco Routers and Switches. please see another of my TechRepublic articles. this should be taken very seriously. the more passwords you have set up for each level. I need to first make sure you know the three modes of the Cisco IOS. let¶s discuss the different modes of the Cisco IOS. It is so important and so easy to set up passwords. 9:26 AM PDT How to properly secure your Cisco router with passwords Takeaway: Some of the worst security breaches occur because people neglect basic security measures.´ What are the three modes of the Cisco IOS? Before I can tell you how to secure your router with passwords. First. For additional information on security for your router. David Davis discusses the importance of maintaining proper passwords on your router. 2008. Why do you need to secure your router with passwords? The question you might ask is: Doesn¶t the router already have default passwords? The answer is NO.techrepublic. it doesn¶t.

Todd Lammle. you can access user mode (and then on to the other modes if no passwords are set there either). You will need to step in a little deeper in the router¶s commands to make changes to your configuration. and gaining access to user mode (and. Here¶s an example of how to access that mode: Router# configure terminal Router(config)# Note: you can also just type conf t. To move from user mode to priv mode. How to configure the five main passwords of the Cisco IOS The five main passwords of the Cisco IOS are: y y y y y Console Aux VTY Enable password Enable secret Console If you have no password set on the router¶s console.User: In User mode. . by default. much more). connecting. basic interface information on the router is displayed. including configuration changes. The console port is where you would initially start to configure a new router. It is also called user exec mode. Privileged: Sometimes called the privileged exec (or just priv mode). we can now access the global configuration mode. this is the first point at which it is absolutely critical to have a password set (although you should have password access even at user mode). configuration views and changes are made at this level. This is where you would make changes that would affect your whole router. you just type enable while in user exec mode and press [Enter]: Router> enable Router# Global Configuration: From the exec priv mode. In my opinion. It is critical to set a password on the console port of the router to protect someone from physically walking up to the router. potentially. Well-known Cisco CCNA author. once called the user mode ³useless mode´ because no configuration changes can be made. nor can you view anything important at this level.

it is typically used to go from user mode (level 1) to privileged . you would use the command line console 0 in global configuration mode. To do this. you would need to have an active LAN or WAN interface set up on your router for Telnet to work. You would use this line to Telnet or SSH into the router (for SSH configuration. Here is what it looks like: Router# config t Router(config)# line console 0 Router(config-line)# password SecR3t!pass Router(config-line)# login Note: Complex passwords are important to keep someone from guessing your password. The enable command is actually used to change between different security levels on the router (there are 015 levels of security).Because there is only one console port per router. sets the actual password. tells the router to look under the console line configuration for the password. but a virtual connection. it is equally important to configure a password on it. As the aux port is a backup configuration port for the console. Router# config t Router(config)# line aux 0 Router(config-line)#password SecR3t!pass Router(config-line)# login VTY The ³virtual tty´ line is not a physical connection. However. password. Aux This is short for auxiliary port. and then use the login and password commands to finish up the configuration. As different routers and switches can have a different number of vty ports. login. just type line ? in privileged mode. The command. see my article ³Configure SSH on Your Cisco Router³). This is also a physical access port on the router. Of course. The command. Here¶s an example of configuring vty lines: Router# config t Router(config)# line vty 0 4 Router(config-line)# password SecR3t!pass Router(config-line)# login Enable password The enable password prevents someone from getting full access to your router. you should see how many you have before you configure them. Not all routers have this port.

Enable secret The enable secret password has the same function as the enable password. the password is stored in a much stronger form of encryption: Router(config)# enable secret SecR3t!enable Conclusion I¶ve introduced you to the different modes of the Cisco IOS and the five different types of passwords you need to set to ensure that your Cisco router or switch is secure. Make sure that your Cisco router and switch passwords are set properly . entire networks can be brought down due to the lack of simple password security. go to the global configuration mode and use the enable password command. many times.mode (level 15). To set a password to control access from user mode to privileged mode. but with enable secret. In fact. like this: Router# config t Router(config)# enable password SecR3t!enable Router(config)# exit The downside of the enable password is that it can be easily unencrypted by someone. if you are at user mode and you just type enable. it assumes you want to go to privileged mode. and that is why you should use enable secret instead. Remember that.

Why deal with such problems when Cisco routers would prove to be the much better option? In addition to the great reliability associated with Cisco routers. Of course. This is not always easy considering the high prices certain computer hardware comes with. No one needs to feel confused or unsure when it comes time to ³push buttons´ on the company¶s router. this may be the case when the network employs less reliable or durable. Cisco has made sure the router system¶s that bear the company¶s name are highly easy to use. Yet. Cisco routers are frequently recommended as the best available systems and are often an automatic go-to for businesses ± large or small. They understand that userfriendliness is greatly valued by those businesses seeking to purchase networking equipment. the affordable price makes them well worth looking acquiring. However.Why Cisco Routers Offer the Best Network Solution For Your Business? Those wondering which routers in the industry are the best will often hear a common single word response: Cisco. What is it about Cisco routers that make them such a reliable and popular choice? Two words can be employed to sum up such a question: quality and reliability. No. Yes. That alone can be considered a huge positive for a business. . Businesses always need to have an eye on the proverbial bottom line. the answer itself raises a question. Do you have to be a tech wizard in order to run Cisco routers? If you did then they would probably never have proven to be as popular as they have become. Cisco routers deliver on all their intended functions and do so without fail. This is just one of the reason that they are seen as easy to install and operate. this is the brand to consider. For those businesses in need of a top router system. It certainly would not be helpful to a business¶ bottom line to repeatedly replace routers. they are produced with a high enough level of quality that they will handle a great deal of use without displaying any loss of function. this is not to infer that they last forever or are not prone to any potential damage. This combination of cost-effectiveness and reliability would certainly prove incredibly difficult to beat.

All in all.php Routers are nothing more than a special type of PC. http://www. and come with a low price. the easier the router is to use. The more steps that are eliminated. Hardware Components There are 7 major internal components of a router: o o o o o o o CPU RAM NVRAM Flash ROM Console Interfaces CPU The CPU performs functions just as it does in a normal PC. and an operating system. The main difference is between a router and standard PC. east to operate.Similarly. . They operate at layer 3 of the OSI model. Vincent Rogers is a freelance writer who writes for a number of UK businesses. RAM. To find more information about or to purchase Cisco Routing and Switching. Routers and PCs both have some of the same components such as a motherboard. efficient. concerns about configuration may raise their The easier the router is to use. the less time your business needs to spend dealing with router problems and switch. Cisco routers are affordable. he recommends Prodec Networks.skullbox.robinsnestwebsites. is that a router performs special tasks to control or "route" traffic between two or more networks. configuration may not even be necessary. Or do they? Depending upon the particular router model a business purchases. High-end routers may contain multiple processors or extra slots to add more CPUs later. It executes commands given by the IOS using other hardware components. or hub click here. When you take all of this into account it¶s easy to see why they remain such a popular choice with businesses throughout the world.html Cisco Router Hardware http://www. it would be very difficult to top the great value that Cisco routers bring to the table. If you are unsure of the difference between a router. Remember that routers are the "smartest" networking devices. This would be another great positive since it eliminates the need for any additional and potentially confusing steps to run them.

This component can be upgraded by "unplugging" the chip and installing a new one. Meaning. However. The flash ROM is upgradeable in most Cisco routers. The main role of the RAM is to: hold the ARP cache. Flash Flash memory is very important because it saves your ass if you screw up the operating system configuration. card modules and onboard interfaces. This type of RAM does not lose its content when the router is restarted or powered off. It also provides temporary memory for the configuration file of the router while the router is powered on.RAM Random Access Memory. This flash memory is classified as an EEPROM (Electronically Erasable Programmable Read Only Memory). as well as backups. The purpose of the console is to provide access for configurations. Cisco routers. transceiver modules. and hold queues. this component is dynamic. Click to enlarge: . WAN. hold fast-switching cache. and Console/Aux. This component is upgradeable! NVRAM Nonvolatile RAM is used to store the startup configuration files. It holds the Cisco IOS image file. They can use a combination of transceivers. especially the higher-end models. They can be RJ-45 jacks soldered onto the motherboard. Interfaces The interfaces provide connectivity to LAN. performs packet buffering. the RAM loses content when router is restarted or powered off. It holds information about the systems hardware components and runs POST when the router first starts up. can be configured in many different ways. Store routing tables. Console The console consists of the physical plugs and jacks on the router. or card modules. ROM The ROM performs the same operations as a BIOS. its content changes constantly. A ROM upgrade ensures newer versions of the IOS. The picture below shows the components of a Cisco 804 ISDN router.