Cisco Router/Switch Hardening

Southern Colorado Cisco Users Group
April 14, 2003
William H. Gilmore | Scott R. Hogg
International Network Services
The knowledge behind the network.
First Half
What and why
Booting & Banners
Keeping Time and Logging
Services Needed & Not Needed
Interface Hardening
Second Half
Cisco IOS Firewall
SNMP Vulnerabilities
Securing Routers/Switches
Non-Cisco Security Tools
Questions & Answers
Router/Switch Hardening
What is hardening
Controlling Access
Eliminating undesired traffic
Minimizing susceptibility to attacks
Why do I need it
Control who can access what when
Optimize device reliability and efficiency
Eliminate the possibility of many well known attacks to improperly configured devices
Minimize the effectiveness of unpreventable attacks (DDOS)
Provide password protection
Configure privilege levels
Limit remote access
Limit local access
Display login banner
Configure SNMP
Configure logging and NTP
Provide other protection mechanisms
Provide anti-spoofing
Mitigate Denial of Service attacks
Verify the configuration
Additionally, one should include the following in their methodology.
Remove all services not needed
Enable strong passwords on all interfaces
Limit management capabilities
Don't take anything for granted
Audit yourself before someone else does
Let's start at the beginning
Default behavior
boot flash
boot rom
Explicitly define which software image to be run
boot system flash c3640-js-mz.122-10a.bin
boot system rom
Little Legalese Please
Your router is public domain unless you post No Trespassing Signs
If you cannot identify
What occurred
then legally, it didn't
banner login
banner motd ^C
banner motd ^C
This is a private computer network and may be used only by
direct permission of its owner(s). The owner(s) reserves the
right to monitor use of this network to ensure network
security and to respond to specific allegations of misuse.
Use of this network shall constitute consent to monitoring
for these and any other purposes. In addition, the owner(s)
reserves the right to consent to a valid law enforcement
request to search the network for evidence of a crime stored
within this network.
Time Synchronization
Do you know what time it is
Use NTP to synchronize the router's clock to a high-level NTP Server
Stratum 1 GPS radio
Stratum 1 or 2 clock from ISP or NIST
Review for NTP info
Use NTP Authentication
clock timezone MST -7
ntp authentication-key 1 md5 <SECRETKEY>
ntp authenticate
! without a trusted-key the router will not accept time from an authenticated server
ntp trusted-key 1
ntp update calendar
ntp server
Logging - Who's the Hall Monitor
Use service timestamps
service timestamps debug datetime
service timestamps log datetime msec localtime
Configure syslog server(s)
logging facility local7
Decide what to log
logging trap informational
logging console warnings
Decide where to log from
logging source-interface loopback0
Buffer those messages
logging buffered 4096
Tuning the IP stack
Nagle congestion control algorithm
service nagle (See RFC 896)
Limit embryonic TCP connections
ip tcp synwait-time 10 (30 seconds default)
Other special cases
ip tcp window-size 2144 (RFC 1323)
ip tcp selective-ack (See RFC 2018)
Tuning the CPU
Guarantee CPU time for vital
scheduler-interval 500 (500 milliseconds)
More granular on Cisco 7200 & 7500 platforms
scheduler allocate 500 100
(500 microseconds per clock cycle on fast-packet switching)
(100 microseconds per clock cycle on processes switching)
Services - Needed
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime localtime
Services - Not Needed
no cdp run (be careful)
no boot network (older command)
no service config
no ip source-route
no service finger (older command)
no ip finger
no ip identd
no service pad
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no snmp-server (more on this later)
no tftp-server
Interface Hardening
no cdp enable
ip accounting access-violation
no ip directed-broadcast
no ip redirects
no ip unreachables
no ip mask-reply
no ip proxy-arp
no mop enabled
ACL - General
access-list 1 permit
Extended with remark
access-list 100 remark telnet access list
access-list 100 permit tcp host telnet
access-list 200 permit 0x0000 0x0d0d
ip access-list standard allow-telnet
remark machine from which telnet is accepted
ACL - Time Based
access-list 100 remark Only allow IP traffic during open hours
access-list 100 permit ip any any time-range only-during-open-hours
time-range only-during-open-hours
absolute start 00:00 01 January 2002
periodic weekdays 7:30 to 18:30
periodic Saturday 8:30 to 13:30
periodic Sunday 8:30 to 18:30
ACL - Lock & Key
interface ethernet0
ip address
ip access-group 101 in
access-list 101 permit tcp any host eq
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
login local
autocommand access-enable timeout 5
ACL - TCP Intercept
Syn Flood Protection for Servers
Two Modes
Watch - Watches and terminates incomplete connections.
Intercept - Attempts to complete connection with client on behalf of server. If successful, creates a connection to server. If unsuccessful, closes connection to client.
access-list 120 remark Web Servers
access-list 120 permit tcp any
ip tcp intercept list 120
ip tcp intercept mode watch
ip tcp intercept connection-timeout 60
ip tcp intercept watch-timeout 10
ip tcp intercept one-minute low 1500
ip tcp intercept one-minute high 6000
ACL - Reflexive
interface Serial 1
description Access to the Internet via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
ip reflexive-list timeout 120
ip access-list extended outboundfilters
permit tcp any any reflect tcptraffic
ip access-list extended inboundfilters
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic
ACL - Reverse Path Forward
ip cef distributed
int eth0/1/1
ip address
ip verify unicast reverse-path 197
int eth0/1/2
ip address
access-list 197 deny ip any log-input
access-list 197 permit ip any log-input
access-list 197 deny ip any log-input
access-list 197 permit ip any log-input
access-list 197 deny ip host any log
ACL - Where ICMP is Needed
ICMP is used to determine the MTU for a TCP
access-list 110 permit icmp any any packet-too-big
To allow outbound ICMP, use
access-list 102 permit icmp any any
access-list 102 permit icmp any any
access-list 102 permit icmp any any
access-list 102 deny icmp any any log
To allow outbound UNIX/Cisco Traceroute
access-list 102 permit udp any any range 33400 34400 log
ACL - Turbo
Turbo ACLs introduced in 12.1.5T for high-end Cisco routers
Time taken to match the packet is fixed
Latency of the packets is smaller and, more importantly, consistent
Allows better network stability and more accurate transit times.
Processes ACLs more efficiently
access-list compiled
show access-list compiled
Limit Traffic To the Router
Limit traffic that can terminate at router
Only allow traffic to the router that should terminate on the router
Only allow traffic through the router that is sourced from or destined to known
Limit Traffic Through the Router
AKA - Anti-Spoofing Rules
Anti-spoofing is used to prevent your router from transmitting data for address patterns that don't make sense
Inbound to address not within your network.
Inbound from addresses that should be within your network
Inbound from non-assigned addresses
Outbound from RFC 1918 Private
Outbound from addresses not within your
Anti-spoofing ACL
! RFC 1918 private networks
access-list 100 deny ip 10.0.0.0 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 any
! Historical Broadcast
access-list 100 deny ip host any
! Loopback (IANA)
access-list 100 deny ip 127.0.0.0 any
! unassigned address space
access-list 100 deny ip 128.0.0.0 any
! linklocal (IANA)
access-list 100 deny ip 169.254.0.0 any
! (191/8 emergency yet used)
access-list 100 deny ip 191.255.0.0 any
! Net root LV lab (IANA)
access-list 100 deny ip 192.0.0.0 any
! Example network (IANA)
access-list 100 deny ip 192.0.2.0 any
! ????
access-list 100 deny ip any
! Multicast Addresses
access-list 100 deny ip l5. any
! Reserved Class E
access-list 100 deny ip l5.255.255.255 any
! Explicit Deny
access-list 100 deny ip any any log
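Added example, not from the slides: Python that builds the inbound anti-spoofing ACL above from prefix lists (computing the IOS wildcard masks the slide leaves blank) and evaluates a source address against it the way IOS does, first match wins. The bogon list, the inside prefix 198.51.100.0/24 and the ACL number 100 are constructed for the example.

```python
import ipaddress

# Source prefixes the slide's ACL rejects: RFC 1918, loopback, link-local,
# the example network, multicast and class E, plus 0.0.0.0/8 ("historical
# broadcast"). Constructed list for this example.
BOGON_SOURCES = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
]

def cidr_to_wildcard(cidr):
    """'172.16.0.0/12' -> ('172.16.0.0', '0.15.255.255'): an IOS wildcard mask
    is the inverse of the subnet mask (set bits mean "don't care")."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)

def build_inbound_antispoof(bogons, inside_prefixes):
    """Rule list for the ACL applied inbound on the Internet-facing interface:
    deny bogon sources, deny sources claiming to be inside our own prefixes
    (they cannot legitimately arrive from outside), then permit the rest."""
    rules = [("deny", p) for p in list(bogons) + list(inside_prefixes)]
    rules.append(("permit", "0.0.0.0/0"))
    return rules

def render(number, rules):
    """Turn the rule list into numbered extended access-list lines."""
    lines = []
    for action, cidr in rules:
        src = "any" if cidr == "0.0.0.0/0" else " ".join(cidr_to_wildcard(cidr))
        log = " log" if action == "deny" else ""
        lines.append(f"access-list {number} {action} ip {src} any{log}")
    return lines

def evaluate(rules, src_ip):
    """First-match evaluation as IOS does it; implicit deny if nothing matches."""
    ip = int(ipaddress.ip_address(src_ip))
    for action, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        wild = int(net.hostmask)
        # bits set in the wildcard are ignored in the comparison
        if (ip & ~wild) == (int(net.network_address) & ~wild):
            return action
    return "deny"
```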
Cisco IOS Firewall
Part of the Cisco Secure product
Security-specific option for Cisco IOS software
Integrates robust firewall functionality and intrusion detection for every network
Enriches existing Cisco IOS security capabilities
Adds greater depth and flexibility to existing Cisco IOS security
Cisco IOS Firewall - Info
Supported Hardware
Cisco 1700, 2600, 3600, 7100, 7200, 7500, and RSM
Supported Functionality
Context-Based Access Control (CBAC)
Java blocking
Denial-of-service (DoS) detection and prevention
Real-time alerts
Audit trail
Authentication proxy (for dynamic, user-based authentication and
Intrusion detection
Dynamic port mapping
Simple Mail Transfer Protocol (SMTP) attack detection and prevention
Configurable alerts and audit trail
IP fragmentation attack
application support
Context-Based Access Control
[Figure: CBAC interface placement. Outside Interface (serial 0): Access-List blocking all inbound traffic, to be inspected by CBAC. Inside Interface (ethernet 0): Access-List allowing all acceptable traffic outbound, including traffic to be inspected by CBAC.]
IOS Firewall Example
interface Serial0/0
ip access-group in
ip inspect myfw in
ip auth-proxy mywebproxy
access-list permit tcp any any eq www
access-list permit tcp any any eq smtp
access-list deny ip any any
ip inspect name myfw http timeout 3600
ip inspect name myfw smtp timeout 3600
ip auth-proxy name mywebproxy http
ip http authentication aaa
ip http server
Simple Network Management Protocol
Ubiquitous support
Clear text Community Strings
Security the same as SNMPv1 - just a feature upgrade
Hierarchical Network Management
Get-bulk and Inform operators added
New PDU format for traps introduced
64 bit counters (32 bit used for SNMPv1)
Encrypted user-based authentication and data
View-Based Access Control Model (VACM)
SNMP Vulnerabilities
CERT/CC SNMP Advisory
Issued Feb 12, 2002 (CA-2002-03)
SNMP implementations lack boundary checking and error handling which leads to buffer overflows
Bounce attacks
Known exploits exist and are publicized
DoS attacks for routers, wireless APs, Windows, and printers
Apply vendor patches promptly after testing
Consider turning SNMP off where it's not needed
Control your security perimeter
Securing SNMP
Setup SNMP Community with an access-list
no snmp-server community public
no snmp-server community private
access-list 1 permit
snmp-server community hard2guess ro 1
snmp-server enable traps snmp authentication
Setup SNMP Informs
snmp-server enable traps
snmp-server host informs version 2c public
Setup SNMP View
SNMP view command can block the user with only access to limited Management Information Base (MIB) information.
snmp-server view MyView ifEntry.*.1 included
snmp-server community hard2guess view MyView ro 1
Securing SNMP (cont.)
Setup SNMP Version 3
snmp-server user user1 grp1 v3
snmp-server user user2 grp2 v3
snmp-server user user3 grp3 v3 auth md5 pass3
snmp-server user user4 grp4 v3 auth md5 pass4 priv des56 user4priv
snmp-server group grp1 v3 noauth
snmp-server group grp2 v3 noauth read myview
snmp-server group grp3 v3 auth
snmp-server group grp4 v3 priv
snmp-server view myview mib-2 included
snmp-server view myview cisco excluded
snmp-server community hard2guess RO 10
Before deciding how to control router access, ask these questions
Who needs access?
When do they need access?
From where do they need
During what time schedule do they need access?
Basic Authentication
Basic authentication stores passwords as clear text
Use service password-encryption
Encrypts passwords using a Vigenere cipher.
Can be cracked relatively easily
Does not encrypt SNMP community strings
no enable password
Use enable secret <password>
Encrypts passwords using a MD5 hash
Line Authentication (VTY, CON, AUX)
Use Access List to control VTY access
access-list 1 permit host
line vty 0 4
password 7 12552D23830F94
exec-timeout 5 0
access-class 1 in
transport input telnet ssh
Control CON access
line con 0
password 7 12552D23830F94
exec-timeout 5 0
Control AUX access
line aux 0
no exec
exec-timeout 0 0
no login
transport input none
transport output none
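Added example, not from the slides: a small Python audit script for the "Audit yourself before someone else does" advice. It scans a running-config text for the weak settings called out in the Services, Basic Authentication, Line Authentication and Securing SNMP slides (clear-text enable password, reversible type 7 passwords, default or unfiltered SNMP communities, HTTP server left on, Telnet on the VTYs, missing "no ..." service commands). The two sample configs, the required-command list and the finding messages are constructed for the example.

```python
import re

# Constructed sample running-config carrying several weak settings.
WEAK_CONFIG = """\
no service password-encryption
enable password letmein
snmp-server community public RO
snmp-server community hard2guess RO 1
ip http server
line vty 0 4
 password 7 12552D23830F94
 transport input telnet ssh
"""

# Same device after applying the slides' advice (secret hash is a placeholder).
HARDENED_CONFIG = """\
service password-encryption
no ip source-route
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no cdp run
enable secret 5 $1$placeholder$hashedsecret
snmp-server community hard2guess RO 1
no ip http server
line vty 0 4
 access-class 1 in
 transport input ssh
"""

# Global commands a hardened router should carry (from the Services slides).
REQUIRED_GLOBALS = (
    "service password-encryption", "no ip source-route",
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no cdp run",
)

def audit_config(text):
    """Return (severity, message) findings for an IOS running-config."""
    lines = text.splitlines()
    present = {l.strip() for l in lines}
    findings = [("medium", f"missing '{cmd}'")
                for cmd in REQUIRED_GLOBALS if cmd not in present]
    in_vty, vty_seen, vty_acl = False, False, False
    for line in lines:
        s = line.strip()
        if s.startswith("line vty"):
            in_vty, vty_seen = True, True
        elif line and not line.startswith(" "):
            in_vty = False          # IOS indents a line's sub-commands by one space
        if s.startswith("enable password"):
            findings.append(("high", "'enable password' in use; use 'enable secret' (MD5)"))
        if re.search(r"\bpassword 7 \S+", s):
            findings.append(("high", f"type 7 (Vigenere) password is reversible: '{s}'"))
        m = re.match(r"snmp-server community (\S+)(.*)", s)
        if m:
            name, rest = m.group(1), m.group(2).strip()
            if name.lower() in ("public", "private"):
                findings.append(("high", f"default SNMP community '{name}'"))
            if not re.search(r"\b\d+$", rest):   # numbered ACL must end the line
                findings.append(("medium", f"SNMP community '{name}' has no access-list"))
        if s == "ip http server":
            findings.append(("medium", "HTTP server enabled; 'no ip http server' unless required"))
        if in_vty and s.startswith("access-class"):
            vty_acl = True
        if in_vty and s.startswith("transport input") and "telnet" in s.split():
            findings.append(("medium", "VTY accepts telnet; prefer 'transport input ssh'"))
    if vty_seen and not vty_acl:
        findings.append(("medium", "VTY lines have no 'access-class'"))
    return findings

def severity_counts(findings):
    """Summarise findings as {'high': n, 'medium': m}."""
    counts = {"high": 0, "medium": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts
```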
Secure Shell (SSH)
SSH is recommended over Telnet
crypto key generate rsa
. . . 2048 . . .
ip ssh time-out 300
ip ssh authentication-retries 2
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
username joe password 7 28538539654412
line vty 0 4
transport input none
transport input ssh
show crypto key mypubkey rsa
show ip ssh
% ssh -c des

Secure user logins with AAA on all ports, virtual and physical
Local AAA (username)
RADIUS (Steel Belted Radius)
TACACS+ (Cisco Secure ACS)
Use privilege levels to control granular access to
Example for TACACS/RADIUS
Secure user logins with AAA on all ports, virtual and physical
aaa new-model
aaa authentication login default group tacacs+|radius local
aaa authorization exec default group tacacs+|radius local
username backup privilege 7 password 0 backup
tacacs-server host
tacacs-server key cisco
radius-server host
radius-server key cisco
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure
HTTP Service
There have been known vulnerabilities (buffer overflows) in the HTTP service
Don't turn HTTP Services on unless absolutely
Maybe desirable for some new switch hardware
If used secure the access with an ACL
no ip http server
ip http access-class ACL#
ip http authentication {aaa|enable|local|tacacs}
ip http port Number
Routing Protocol Vulnerabilities
Routing protocols deal with re-routing around physical failures and are not robust enough to protect against
Intended for friendly environments
Routers advertise themselves by chatting on the
Routers show themselves
Updates, CDP, HSRP, VRRP
Types of Attacks
Routing Disruption Attacks
Dynamic routing protocols can be exploited
Traffic could then be re-routed (Transitive Community Modification)
Routing loop, black-hole, gray-hole, detour, asymmetry, partition
Resource Consumption/Saturation Attacks
Injection of extra updates, route requests, or traffic
Magnified by the presence of loops or detours
Buffer Overflow Attacks
BGP-4 Vulnerabilities
BGP-4 peers share updates between them
Assumption is made that peer has authority to send the update and has a correct AS-path
Possible to advertise prefix/AS/Path maliciously
BGP-4 peers must be explicitly configured
This limits the threat of a rogue router
Masquerading can still be possible
Private peering policies are secret
No authorization for advertisements
BGP Intruders
Subverted BGP speakers, unauthorized BGP speakers, masquerading BGP speakers, subverted links
Re-direct traffic for man-in-the-middle attacks or impersonation
One must rely on the filters and routing policy to check what a peer is sending
BlackHat tools exist and rumors of others spread
One bad apple can ruin the whole barrel
Routing Protocol Security
Use distribute-lists to control routing updates
Use static routes when security is important and connectivity is needed
Business partners
Consider placing interfaces in passive
passive-interface FastEthernet0/0
Use Out-of-Band (OOB) management to help handle DoS attacks
Authentication for Dynamic Routing Protocol Updates
Don't just route by rumor
Make sure you know to whom you are exchanging
Use authentication mechanisms for RIP V2, OSPF,
Pre-Shared-Secret keys still have issues
Plain-text keys can still be sniffed
Use service password-encryption
Departed employees
Use encrypted (MD5) passwords whenever possible
Don't hold your breath for PKI/digital certificates
Following slides contain examples
MD5 for RIPv2
Configuration Example:
key chain rabbitsfoot
key 1
key-string RIPpasswd
interface Loopback0
ip address
interface Serial0
ip address
ip rip authentication mode md5
ip rip authentication key-chain rabbitsfoot
router rip
version 2
MD5 for OSPF
The following are the commands used for message digest authentication:
ip ospf message-digest-key keyid md5 key
area area-id authentication message-digest
Configuration example:
interface Ethernet0
ip address
ip ospf message-digest-key 1 md5 5 mypassword
router ospf 10
network area 0
area 0 authentication message-digest
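Added example, not from the slides: a simplified Python model of the keyed-MD5 authentication that the RIPv2 and OSPF key-chain commands above turn on. RFC 2082 and RFC 2328 Appendix D append the key-string, padded to 16 bytes, to the packet and transmit only the MD5 digest plus a sequence number, which is why the key-string is never on the wire and why replayed updates are rejected. The packet framing, the neighbor address and the update payload are constructed for the example; real packets carry the key id, length and sequence number in the protocol's own authentication header.

```python
import hashlib
import hmac
import struct

def _pad_key(key):
    """RFC 2082 (RIP-2) and RFC 2328 App. D (OSPF) pad or truncate the
    key-string to 16 bytes before appending it to the packet."""
    return key.encode()[:16].ljust(16, b"\0")

def sign_update(payload, key_id, key, seq):
    """Emit payload || key_id || seq || MD5(payload || key_id || seq || key).
    Only the 16-byte digest travels; the key-string stays in the router's
    key chain (simplified framing, constructed for this example)."""
    body = payload + struct.pack("!BI", key_id, seq)
    return body + hashlib.md5(body + _pad_key(key)).digest()

class UpdateVerifier:
    """Receiving router: holds the key chain and the last sequence number
    accepted from each neighbor."""

    def __init__(self, key_chain):
        self.key_chain = key_chain   # {key id: key-string}, e.g. key chain rabbitsfoot
        self.last_seq = {}

    def verify(self, neighbor, message):
        if len(message) < 5 + 16:
            return (False, "truncated")
        body, digest = message[:-16], message[-16:]
        key_id, seq = struct.unpack("!BI", body[-5:])
        key = self.key_chain.get(key_id)
        if key is None:
            return (False, "unknown key id")
        expected = hashlib.md5(body + _pad_key(key)).digest()
        if not hmac.compare_digest(expected, digest):
            return (False, "bad digest")      # tampered, or neighbor has a different key-string
        if seq <= self.last_seq.get(neighbor, -1):
            return (False, "replayed")        # this example requires a strictly increasing seq
        self.last_seq[neighbor] = seq
        return (True, body[:-5])
```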
MD5 for EIGRP
Configuration Example:
Interface FastEthernet0/0
ip address
ip authentication mode eigrp md5
ip authentication key-chain eigrp holly
key chain holly
key 1
key-string 123456
accept-lifetime infinite
router eigrp
no auto-summary
passive-interface default
no passive-interface FastEthernet0/0
MD5 for BGP
Configuration example:
The following example specifies that the router and its BGP peer at invoke MD5 authentication on the TCP connection between them:
router bgp 109
neighbor password mypasswd
Enable route dampening to minimize instability due to route
flapping (RFC 2439)
router bgp 109
bgp dampening
show ip bgp flap-statistics
BGP Filtering
Filter for Bogons
Use Communities
HSRP Vulnerabilities
HSRP vulnerabilities are publicized
Authentication string is in clear-text
Code has been written to spoof HSRP packets
Attacker sends "coup" and pre-empts other HSRP routers to assume the "active" role
Used for DoS or Man-in-the-middle attack
Mitigation through configuration and use of IPSec
Set the standby priority to 255 on your routers
Use IP addresses X.X.X.254, .253 for the legitimate router IPs so they take precedence over the attacker
Plan with security in mind
Good Designs simplify security
KIS Principle - Keep It Simple
Isolate Default VLANs from Trunks
VLAN 1 - The Dead VLAN
VLANs 1001-1005 : The Dead Technology VLANs
Layer 2 - Start Things Out Right
Layer 2 - Vulnerabilities
VLAN Hopping
Modify tags on a trunked port
How to Make a Switch Act Like a Hub
Flood a switch with random MAC Addresses
Forces switch to flood all packets to all ports
Network Sniffing with Switch Port
Requires arp spoofing tool with bridging software
Send continuous arp replies to client on behalf of server, convincing client that the interceptor is the server
Bridges traffic between client and server to ensure apparently normal communication flow
Layer 2 - Basic Prevention
Management VLAN
Change default to a randomly selected VLAN that is the same across all switches
Do not place users on VLAN 1
Explicitly configure ports
set port host <mod/port>
Turn trunking off / Turn portfast on
Enable Port Level Security
Disable unused ports
set port disable <mod/port>
Turn on BPDU Guard
set spantree portfast bpdu-guard enable
Layer 2 - More Advanced Prevention
VTP - VLAN Trunking Protocol
AKA - The Cisco Layer 2 Hackers Favorite DOS Tool!
Intended to maintain VLAN consistency
Risky to use under normal conditions
Set all switches to VTP Transparent Mode
DTP - Dynamic Trunking Protocol
The Question - To Trunk or Not to Trunk
Can be manipulated to access all VLANS without the
need for a router
Set DTP ON/ON for all trunk ports
Set DTP OFF/OFF for all non-trunk ports
Non-Cisco security tools
Nmap - Port scanning & fingerprinting
Ndiff - Compares nmap output for diffs
Netcat - Opening sockets & port
Nessus - Vulnerability scanner
Ncat - Evaluates configs against the "Secure IOS Template"
Secure IOS Template, Rob Thomas
Router Security Configuration Guide, NSA
Increasing Security on IP Networks, Cisco
Improving Security on Cisco Routers
Contact Information
William H. Gilmore
Scott R. Hogg