
Secure Cisco IOS Devices

Restrict Virtual Console Access

Limiting virtual console access to the IP address range(s) of operations staff and network management hosts is a useful method to prevent unauthorized users from accessing network devices, even if a password is discovered.

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual console:

access-list 12 permit 192.89.55.0 0.0.0.255
line vty 0 4
 access-class 12 in

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm.

Restrict SNMP Access

Nearly all of the information viewable or configurable via a virtual console can also be accessed via SNMP. Since an SNMP community is essentially a password that does not require a user name, it is essential that you restrict this method of access as completely as possible. Only those hosts with a verified need to perform SNMP writes should have full access.

The following example defines an access list that permits only hosts on network 192.89.55.0 to perform SNMP reads with the community foobar and only the host 192.89.55.132 to perform SNMP writes with the community foobaz:

access-list 12 permit 192.89.55.0 0.0.0.255
snmp-server community foobar RO 12
access-list 13 permit host 192.89.55.132
snmp-server community foobaz RW 13

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt3/frmonitr.htm#xtocid1998360.
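Both the virtual-console and SNMP sections above hinge on the same mechanism: a standard access list whose wildcard mask is an inverse mask (a 1 bit means "don't care"), evaluated top to bottom with an implicit deny at the end. The following Python script is an added example, not part of the original guide and not a Cisco tool; it evaluates the guide's own ACL 12 and ACL 13 against candidate source addresses so an operator can confirm which hosts would be permitted to reach the vty lines, read via SNMP, or write via SNMP. The test addresses are constructed.

```python
"""Evaluate Cisco IOS standard access lists against candidate source hosts.

Added example, not part of the original guide. Implements the standard ACL
matching rules the vty and SNMP sections rely on: wildcard mask bits set to
1 are ignored, entries are tested in order, and a list with no matching
entry denies (the implicit "deny any"). The ACL lines are the guide's own;
the addresses tested in __main__ are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Standard ACL lines copied from the vty and SNMP sections of the guide.
ACL_TEXT = """
access-list 12 permit 192.89.55.0 0.0.0.255
access-list 13 permit host 192.89.55.132
"""

# One parsed entry: (action, network address as int, wildcard mask as int)
Entry = Tuple[str, int, int]

_ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|any|(\S+)\s+(\S+))\s*$"
)


def parse_standard_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse 'access-list N permit|deny ...' lines into {N: [entries]}."""
    acls: Dict[int, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        number, action, host, net, wild = m.groups()
        if host:                       # 'host A.B.C.D' is 'A.B.C.D 0.0.0.0'
            addr, mask = int(ipaddress.IPv4Address(host)), 0
        elif net:
            addr = int(ipaddress.IPv4Address(net))
            mask = int(ipaddress.IPv4Address(wild))
        else:                          # 'any' is '0.0.0.0 255.255.255.255'
            addr, mask = 0, 0xFFFFFFFF
        acls.setdefault(int(number), []).append((action, addr, mask))
    return acls


def matches(entry: Entry, source: str) -> bool:
    """True if the source matches the entry under wildcard-mask rules:
    bits set in the wildcard are cleared on both sides before comparing."""
    _, addr, wild = entry
    src = int(ipaddress.IPv4Address(source))
    return (src & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)


def evaluate(entries: List[Entry], source: str) -> str:
    """Return 'permit' or 'deny' for a source address; first match wins."""
    for entry in entries:
        if matches(entry, source):
            return entry[0]
    return "deny"                      # implicit deny at the end of every ACL


def check_management_access(acl_text: str, source: str) -> Dict[str, str]:
    """Report what a source host may do under the guide's two ACLs:
    ACL 12 gates the vty lines and SNMP reads, ACL 13 gates SNMP writes."""
    acls = parse_standard_acls(acl_text)
    return {
        "vty": evaluate(acls[12], source),
        "snmp_ro": evaluate(acls[12], source),
        "snmp_rw": evaluate(acls[13], source),
    }


if __name__ == "__main__":
    for host in ("192.89.55.7", "192.89.55.132", "10.0.0.9"):
        print(host, check_management_access(ACL_TEXT, host))
```

Running it shows the intended split: any host in 192.89.55.0/24 reaches the vty lines and reads SNMP, only 192.89.55.132 writes SNMP, and a host outside the range is denied everything by the implicit deny. Because the wildcard 0.0.0.255 ignores the low octet, 192.89.55.255 matches ACL 12 just like 192.89.55.0 does.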

Enable Session Timeouts

Sometimes operations staff can become distracted or be called away from their systems while logged in to network devices. Automatically disconnecting idle users helps prevent accidental access by unauthorized users.

The following example sets the real and virtual consoles to automatically disconnect the user after five minutes of inactivity:

line con 0
 session-timeout 5
line vty 0 4
 session-timeout 5

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_r/drprt1/drtermop.htm#4907.

Encrypt-configured Passwords

Some passwords, such as those for dialup links or local users, must be stored in the device’s configuration file. Encrypting the passwords stored in the configuration file makes it difficult for a casual observer to determine or remember these passwords if they come into possession of the configuration file.

The following example enables encryption of static passwords in the configuration file:

service password-encryption

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt5/srpass.htm#4899.

Disable minor host services

By default, several services are enabled which either allow an attacker to more easily consume device resources, indirectly attack other hosts, or gain information about operations staff currently accessing the network devices. You can disable these services to prevent malicious use of these services or the information they may provide.

The following example disables these services:

no service tcp-small-servers
no service udp-small-servers
no service finger

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt3/frgenral.htm.

Disable or Restrict the HTTP Server

Web configuration is disabled on most platforms; however, novice network administrators often enable it. If HTTP configuration is not necessary, you should disable it entirely. If disabling the service is not feasible, restrict HTTP access to management addresses.

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the HTTP server:

access-list 12 permit 192.89.55.0 0.0.0.255
ip http access-class 12

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt1/frui.htm.

Disable Forwarding of Directed Broadcasts

Directed broadcasts are unicast packets that are addressed to another subnet’s broadcast address. While forwarding these packets has a limited diagnostic value, there is a significant risk in becoming an amplifier in various types of Denial of Service attacks. Cisco IOS versions 12.0 and later disable directed broadcasts by default, but they should be manually disabled on all prior versions.

The following example disables directed broadcasts on interfaces Ethernet0/0 and Serial1/1:

interface Ethernet 0/0
 no ip directed-broadcast
interface Serial 1/1
 no ip directed-broadcast

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1ripadr.htm.

Disable Forwarding of Source-routed Packets

Source-routed packets contain additional hop-by-hop routing information that can supersede what is present in routing tables. Although source routing was initially intended as a diagnostic tool for network operators, it is of little value today and can be used to exploit security vulnerabilities. You should disable it on all routers.

The following example disables forwarding of packets containing source-route information:

no ip source-route

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_r/1rprt2/1rip.htm.

Disable RCP and RSH Services

The Berkeley Remote Copy (RCP) command copies files to a device, and the Remote Shell (RSH) command executes commands on it without logging in. Be aware, however, that these services have extremely weak authentication and should not be enabled unless no other option (such as the SSH support in Cisco IOS version 12.1T) is available.

The following example disables RCP and RSH services:

no ip rcmd rcp-enable
no ip rcmd rsh-enable

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt2/fraddfun.htm.
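The sections from "Enable Session Timeouts" through "Disable RCP and RSH Services" each add one or two lines to the configuration, and the practical question afterwards is whether a given router actually carries all of them. The following Python script is an added example, not part of the original guide and not a Cisco tool: it walks an exported running-config and reports, check by check, whether the recommended command is present, handling global commands literally and line or interface sub-commands by walking the indented sections. The sample configuration it audits is constructed and deliberately only half hardened. One caveat a practitioner needs: a command that is already the default on the running IOS version is normally not shown in the running-config (for example `no ip directed-broadcast` on 12.0 and later), so a "missing" line means "not explicitly configured", not necessarily "enabled".

```python
"""Audit a Cisco IOS running-config for the hardening items in this guide.

Added example, not part of the original guide and not a Cisco tool. The
sample config below is constructed. A check that fails means the command
is not explicitly present; on IOS versions where it is the default it will
not appear in the running-config at all, so confirm such items on the box.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample running-config: partly hardened, partly not.
SAMPLE_CONFIG = """\
version 12.0
service timestamps log datetime msec
service password-encryption
no service finger
hostname sample-rtr
!
interface Ethernet0/0
 ip address 192.89.55.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial1/1
 ip address 10.1.1.1 255.255.255.252
!
ip http server
ip rcmd rcp-enable
!
access-list 12 permit 192.89.55.0 0.0.0.255
!
line con 0
 session-timeout 5
line vty 0 4
 access-class 12 in
!
end
"""

# (check name, global command the guide recommends)
GLOBAL_CHECKS: List[Tuple[str, str]] = [
    ("password encryption", "service password-encryption"),
    ("tcp small servers disabled", "no service tcp-small-servers"),
    ("udp small servers disabled", "no service udp-small-servers"),
    ("finger disabled", "no service finger"),
    ("source routing disabled", "no ip source-route"),
    ("rcp disabled", "no ip rcmd rcp-enable"),
    ("rsh disabled", "no ip rcmd rsh-enable"),
]


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each section header (line/interface/router ...) to its indented
    sub-commands. Global (unindented) commands are collected under ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                       # blank lines and IOS comments
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[""].append(current)
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> Dict[str, bool]:
    """Return {check name: passed} for the guide's recommendations."""
    sections = parse_sections(config)
    globals_ = set(sections[""])
    result = {name: cmd in globals_ for name, cmd in GLOBAL_CHECKS}

    # HTTP server: either disabled outright or restricted by access-class.
    http_enabled = "ip http server" in globals_
    http_restricted = any(re.match(r"ip http access-class \d+$", g) for g in globals_)
    result["http disabled or restricted"] = (not http_enabled) or http_restricted

    # Line sections need a session-timeout; vty lines also need access-class.
    # Interface sections should carry no ip directed-broadcast (see caveat).
    for header, cmds in sections.items():
        if header.startswith("line "):
            tag = header[len("line "):]
            result[f"timeout on {tag}"] = any(c.startswith("session-timeout ") for c in cmds)
            if tag.startswith("vty"):
                result[f"access-class on {tag}"] = any(
                    c.startswith("access-class ") and c.endswith(" in") for c in cmds)
        elif header.startswith("interface "):
            tag = header[len("interface "):]
            result[f"directed-broadcast off on {tag}"] = "no ip directed-broadcast" in cmds
    return result


def failures(config: str) -> List[str]:
    """Names of the checks that did not pass, in a stable order."""
    return sorted(name for name, ok in audit(config).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_CONFIG).items():
        print(("PASS " if ok else "FAIL ") + name)
```

On the constructed sample the script passes password encryption, finger, the console timeout, the vty access-class and the Ethernet interface, and fails the small servers, source routing, RCP/RSH, the unrestricted HTTP server, the missing vty timeout and the Serial interface. The Serial interface failure is exactly the caveat in action: on a 12.0 router that setting is the default and the config would not show it, so the checker can only say it was not set explicitly.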

Enable Neighbor Authentication

Most common networking protocols provide a means for neighbors to authenticate each other to ensure that unauthorized devices are not allowed to affect the stability or security of the network. These authentication mechanisms prevent casual attempts at disrupting proper operation, but should not be expected to stop a determined attacker.

HSRP

The following example enables the authentication string foobar for HSRP group 21 on interface Ethernet 2/1:

interface Ethernet 2/1
 standby 21 authentication foobar

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cip.htm.

Enhanced IGRP

The following example enables the authentication string foobar for EIGRP AS 1 on interface Ethernet 2/1:

key chain baz
 key 1
  key-string foobar
interface Ethernet 2/1
 ip authentication mode eigrp 1 md5
 ip authentication key-chain eigrp 1 baz

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1ceigrp.htm.

OSPF

The following example enables the authentication string foobar for OSPF Area 2 on interface Ethernet 2/1:

interface Ethernet 2/1
 ip ospf message-digest-key 1 md5 foobar
router ospf 1
 area 2 authentication message-digest

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cospf.htm.

IS-IS

The following example enables the authentication string foobar for Level 1 routes and foobaz for Level 2 routes:

router isis
 area-password foobar
 domain-password foobaz

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cisis.htm.

BGP

The following example enables the TCP MD5 authentication string foobar for the connection to neighbor 192.89.55.12:

router bgp 1
 neighbor 192.89.55.12 password foobar

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt1/1cbgp.htm.

PPP (leased lines)

PPP CHAP authentication requires neighboring routers to verify each others’ identity over a link before the link can be used for traffic. PPP is typically used over leased lines; however, recent Cisco IOS features allow PPP to be used over ATM and Frame Relay links as well.

The following example enables the PPP CHAP authentication string foobar for routers SJ-WAN and DALLAS-WAN connected via a leased line:

hostname dallas-wan
username sj-wan password foobar
interface Serial 2/1
 encapsulation ppp
 ppp authentication chap

hostname sj-wan
username dallas-wan password foobar
interface Serial 4/3
 encapsulation ppp
 ppp authentication chap

For more information, refer to the following website:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcppp.htm.
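The PPP example above configures the same secret under each peer's `username` entry but never says what the routers do with it. The following Python script is an added example, not part of the original guide and not Cisco code; it walks through one CHAP exchange between dallas-wan and sj-wan as RFC 1994 defines it: the challenger sends a one-byte identifier and a random challenge, the peer answers with MD5(identifier || secret || challenge), and the challenger recomputes that digest from its own copy of the secret. The secret itself never crosses the link, which is why CHAP is preferred over sending a password in the clear. Router names and the secret are the guide's; the identifier and challenge bytes are constructed.

```python
"""PPP CHAP challenge/response between the guide's dallas-wan and sj-wan.

Added example, not part of the original guide. Follows RFC 1994: the
Response value is MD5(Identifier || secret || Challenge). The user
database mirrors the 'username <peer> password <secret>' lines in each
router's configuration; challenge values and identifiers are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# 'username <peer> password <secret>' from each router's configuration.
# CHAP requires both sides to hold the same secret under the peer's name.
USER_DATABASE = {
    "dallas-wan": {"sj-wan": b"foobar"},
    "sj-wan": {"dallas-wan": b"foobar"},
}


@dataclass
class ChapChallenge:
    identifier: int      # one byte; ties a Response to its Challenge
    value: bytes         # random challenge value sent over the link
    name: str            # challenger's hostname


@dataclass
class ChapResponse:
    identifier: int
    value: bytes         # 16-byte MD5 digest
    name: str            # responder's hostname, used to look up the secret


def chap_digest(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5 over Identifier || secret || Challenge, as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def make_challenge(challenger: str, identifier: int,
                   value: Optional[bytes] = None) -> ChapChallenge:
    """Challenger builds a Challenge packet with a fresh random value."""
    return ChapChallenge(identifier, value if value is not None else os.urandom(16), challenger)


def respond(responder: str, secret: bytes, challenge: ChapChallenge) -> ChapResponse:
    """Responder proves knowledge of the secret without transmitting it."""
    digest = chap_digest(challenge.identifier, secret, challenge.value)
    return ChapResponse(challenge.identifier, digest, responder)


def verify(challenger: str, challenge: ChapChallenge, response: ChapResponse,
           db=USER_DATABASE) -> bool:
    """Challenger looks up the secret for the responder's name and
    recomputes the digest; identifier mismatch or unknown peer fails."""
    if response.identifier != challenge.identifier:
        return False
    secret = db.get(challenger, {}).get(response.name)
    if secret is None:
        return False
    expected = chap_digest(challenge.identifier, secret, challenge.value)
    return hmac.compare_digest(expected, response.value)


def authenticate(challenger: str, responder: str, responder_secret: bytes,
                 identifier: int = 1, challenge_value: Optional[bytes] = None) -> bool:
    """Run one full exchange: Challenge -> Response -> verification."""
    challenge = make_challenge(challenger, identifier, challenge_value)
    response = respond(responder, responder_secret, challenge)
    return verify(challenger, challenge, response)


if __name__ == "__main__":
    print("correct secret :", authenticate("dallas-wan", "sj-wan", b"foobar"))
    print("wrong secret   :", authenticate("dallas-wan", "sj-wan", b"wrong"))
    print("unknown peer   :", authenticate("dallas-wan", "lab-rtr", b"foobar"))
```

Two details matter operationally and are visible in the code: the lookup is by the responder's hostname, so the `hostname` and the peer's `username` entry must agree exactly, and the identifier binds each Response to the Challenge that produced it, so a Response computed for one Challenge is not accepted for another.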

Configure Accurate Time Stamping

Many troubleshooting tasks, such as determining the nature of a Denial of Service attack or tracing attempts to pass through firewalls, involve correlating logs from several devices. Unless the clocks of these devices are synchronized, it is much more difficult to correlate different logs.

Note: The details of enterprise-wide NTP design and upstream time sources are beyond the scope of this document.

The following example enables millisecond-precision time stamps in log and debug messages and configures an upstream NTP server at 192.89.55.132:

service timestamps debug datetime msec
service timestamps log datetime msec
ntp server 192.89.55.132

Refer to the following documents for more information:

Troubleshooting Commands

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt3/frtroubl.htm

Performing Basic System Management

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_c/fcprt3/fcgenral.htm

Syslog server

Logging all system notices and error messages often provides valuable insight into the operational status of network devices. If access list violations are logged, the logs may also be correlated between devices to determine that the network is being probed or that a device has been compromised.

The following example enables logging to a syslog server at 192.89.55.132:

logging 192.89.55.132

Refer to the following document for more information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/fun_r/frprt3/frtroubl.htm.
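The time-stamping and syslog sections together make one point: with synchronized clocks, millisecond timestamps and a central collector, access-list log entries from different devices can be correlated to spot a probe that no single device would flag. The following Python script is an added example, not part of the original guide and not a Cisco tool, that performs that correlation for the %SEC-6-IPACCESSLOGP message IOS emits for a logged access-list entry. The log lines it reads are constructed in that format, prefixed with the reporting device's hostname as a collector would store them; the 60-second window and two-device threshold are assumptions to tune for your environment.

```python
"""Correlate access-list violation messages from several IOS devices.

Added example, not part of the original guide. Parses constructed syslog
lines in the IOS %SEC-6-IPACCESSLOGP format (hostname prefixed by the
collector) and reports source addresses denied by more than one device
inside a short window, which is only meaningful because the devices'
clocks are NTP-synchronised and stamped to the millisecond.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: three devices, all logging ACL 12 denies.
SAMPLE_LOGS = """\
dallas-wan Mar  1 10:15:02.113: %SEC-6-IPACCESSLOGP: list 12 denied tcp 10.7.7.7(40120) -> 192.89.55.1(23), 1 packet
sj-wan Mar  1 10:15:02.640: %SEC-6-IPACCESSLOGP: list 12 denied tcp 10.7.7.7(40121) -> 192.89.55.2(23), 1 packet
core-1 Mar  1 10:15:03.005: %SEC-6-IPACCESSLOGP: list 12 denied tcp 10.7.7.7(40122) -> 192.89.55.3(23), 1 packet
sj-wan Mar  1 10:20:44.900: %SEC-6-IPACCESSLOGP: list 12 denied tcp 192.89.55.40(51000) -> 192.89.55.2(23), 1 packet
core-1 Mar  1 11:02:17.250: %SEC-6-IPACCESSLOGP: list 12 denied udp 10.7.7.7(5000) -> 192.89.55.3(161), 1 packet
"""

LOG_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)


def parse(lines: str, year: int = 2000) -> List[dict]:
    """Parse collector lines into dicts. IOS timestamps carry no year, so
    one is supplied (assumption: every line falls in the same year)."""
    events = []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                   # other message types are ignored here
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append(ev)
    return events


def correlate(events: List[dict], window_seconds: float = 60.0,
              min_devices: int = 2) -> Dict[str, dict]:
    """Group denied events by source address and report any source seen by
    at least min_devices distinct devices within window_seconds."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        if ev["action"] == "denied":
            by_src[ev["src"]].append(ev)

    report: Dict[str, dict] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):    # sliding window from each event
            devices = {first["device"]}
            targets = {f"{first['dst']}:{first['dport']}"}
            for later in evs[i + 1:]:
                if (later["time"] - first["time"]).total_seconds() > window_seconds:
                    break
                devices.add(later["device"])
                targets.add(f"{later['dst']}:{later['dport']}")
            if len(devices) >= min_devices:
                report[src] = {
                    "devices": sorted(devices),
                    "targets": sorted(targets),
                    "first_seen": first["time"].isoformat(timespec="milliseconds"),
                }
                break
    return report


if __name__ == "__main__":
    for src, info in correlate(parse(SAMPLE_LOGS)).items():
        print(f"{src} denied by {', '.join(info['devices'])} "
              f"from {info['first_seen']} targeting {', '.join(info['targets'])}")
```

On the sample, 10.7.7.7 is reported because three devices denied it within about a second, while the single deny of 192.89.55.40 is left alone. Shrinking the window below the half-second gaps between the three entries makes the report empty, which is the practical argument for the `msec` keyword: without sub-second resolution the entries would all collapse onto the same second and a tight window could not be applied at all.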

IP Accounting

The IP accounting feature provides basic IP traffic statistics functions. By enabling IP accounting, users can see the number of bytes and packets switched through the Cisco IOS software based on a source and destination IP address.

The following example enables IP Accounting on interface Ethernet 2/1:

interface Ethernet 2/1
 ip accounting

Refer to the following document for more information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/np1_c/1cprt2/1cip.htm.