Securing Cisco Routers

Routers' role in security
  • advertise networks and filter who can use them
  • provide access to network segment and subnetworks

Routers can be attacked for these purposes:
  • compromising the access control can expose network configuration details, facilitating attacks against other network components.
  • compromising the route tables can reduce performance, deny network communication services and expose sensitive data.
  • misconfiguring a router traffic filter can expose internal network components to scans and attacks, making it easier for attackers to avoid detection.

Securing routers at the network perimeter is an important first step in securing a network.
Some concerns when securing a router:
  • physical security
  • update router IOS whenever possible
  • backup router configuration and IOS
  • harden the router to eliminate the potential abuse of unused ports and services

some steps securing a router
1. manage router security
Use strong passwords. To avoid exposing passwords, use "enable secret" instead of "enable password". "secret" means the password is encrypted using MD5 (type 5), while the global command "service password-encryption" encrypts passwords with a simple algorithm, which Cisco calls type 7. Cisco recommends type 5 over type 7.

2. secure remote administrative access to routers
Remote access to routers is preferred when there are many routers and switches. Security should be controlled for VTY, TTY (asynchronous access through a modem) and AUX lines. Ensure that connections through those lines require a password.
You can PREVENT CONNECTION to any line by entering the commands "login" and "no password".
A VTY line can be configured to accept only connections that use a specified protocol, with the command "transport input". For example, to allow VTY connections using SSH only, enter the command "transport input ssh".
A Cisco IOS device has a limited number of VTY lines, usually 5. This can be exploited for a DoS attack. To avoid this, you can configure one of the VTY lines to accept connections only from a single, specific administrative workstation. This is achieved by using an ACL and the "access-class" command in line configuration. Another way is to set VTY timeouts using the "exec-timeout" command, which closes connections that have been idle longer than the configured time.
Another concern is encrypting the traffic of remote connections. To achieve this, use SSH instead of Telnet. Not all Cisco images support SSH. Cisco routers can act as an SSH client and server; by default both modes are enabled when SSH is enabled.

3. logging router activity
Logging gives you a record of what has happened to a router. A log can be saved to the router's memory or to a log host. A log host is preferable because it provides a central place for logging. Logging can be set to one of eight levels, with level 7 meaning the system is unstable and including all router information. Logs should be reviewed regularly; this gives you a sense of your usual network activity. You may also want to use NTP to get the time of the events, which makes troubleshooting easier.

4. secure vulnerable router services and interfaces
Cisco routers support a number of network services, and some of these services are sometimes of no use. General security practice for routers is to configure the router to support only needed traffic and services. You can entirely disable a service on a router or restrict access to it. If a particular portion of a network segment needs a service but the rest does not, the restriction features should be employed to limit the scope of the service. Some services that are recommended to be disabled are:
  • TCP small servers
  • UDP small servers
  • CDP (if there are some IP phone, consideration should be taken before turning off this service)
  • Finger
  • HTTP server
  • Proxy ARP
  • IP Mask reply, etc.
The commands needed to turn off a service usually start with the "no" keyword followed by the service name, for example:
no service tcp-small-servers
no ip http server
no cdp run


Some services that should be secured if needed are:
  • SNMP: use version 3. Versions 1 and 2 pass management information and passwords in clear text
  • NTP: to reject NTP messages at a particular interface, use an access list
  • DNS: name queries are sent to the broadcast address, so a fake name server could reply to a query. Explicitly specify the name server addresses using the command
ip name-server addresses
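
A small offline check for the settings covered in sections 1, 2 and 4 above. This is an added example, not part of the original notes: the two sample configurations are constructed, and the function name and finding texts are assumptions. It only reads configuration text and flags lines that contradict the advice on this page.

```python
# Constructed sample configurations (not taken from a real device).
WEAK = """\
enable password letmein
service tcp-small-servers
ip http server
line vty 0 4
 password letmein
 login
 transport input telnet ssh
"""
HARDENED = """\
enable secret 5 <hash-placeholder>
no ip http server
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login
 transport input ssh
"""

def audit(config):
    """Return a list of findings for hardening items described on this page."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    top = [l for l in lines if not l.startswith(" ")]
    findings = []
    if any(l.startswith("enable password") for l in top):
        findings.append("enable password is set; use enable secret")
    if not any(l.startswith("enable secret") for l in top):
        findings.append("no enable secret configured")
    for svc in ("service tcp-small-servers", "service udp-small-servers",
                "ip http server"):
        if svc in top:  # exact match, so "no ip http server" is not flagged
            findings.append(f"{svc} is enabled")
    # Group indented sub-commands under their "line vty" header.
    vty, current = {}, None
    for l in lines:
        if not l.startswith(" "):
            current = l if l.startswith("line vty") else None
            if current:
                vty[current] = []
        elif current:
            vty[current].append(l.strip())
    for name, cmds in vty.items():
        if "transport input ssh" not in cmds:
            findings.append(f"{name}: transport input is not SSH-only")
        if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
            findings.append(f"{name}: no inbound access-class")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: idle timeout disabled")
    return findings
```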

5. secure routing protocols
Routers are also at risk from attacks. Anyone with a packet sniffer can read information propagating between routers. There are two kinds of attack in general:
  • Disruption of peers
  • Falsification of routing information

Disruption of peers is less critical, because routing protocols can heal themselves by falling back to a backup route. Falsification of routing information is done by giving a false routing update to a router. This can be prevented by authenticating routing protocol information. Authentication through MD5 consists of 3 key elements: the key (similar to a password), the data and the signature (the result of combining the key and the data through the MD5 algorithm). RIPv2, EIGRP, OSPF, IS-IS and BGP support various forms of MD5 authentication.

securing RIPv2 routing protocol
step 1. Prevent RIP routing update propagation. First set ALL INTERFACES in a router into passive mode. Then bring up only those interfaces that are required for sending and receiving RIP updates. A passive interface receives updates but does not send them.
passive-interface default

That command, entered at the global level configuration, disables routing advertisements on all interfaces. To bring up a particular interface, enter the command
no passive-interface serial0/0/0

That command brings up interface serial0/0/0 to send routing updates.

step 2. Prevent Unauthorized Reception of RIP Updates. This can be done by setting up MD5 authentication for routing updates. To enable the encryption, you must first create a key for MD5 and then configure each interface participating in routing updates to send encrypted updates. The commands to create the MD5 key are:
key chain RIP_KEY
key 1
key-string cisco

"key chain RIP_KEY" creates a key chain named RIP_KEY. We can create multiple keys; in the example, "key 1" creates key 1, and "key-string cisco" sets the key string of key 1 to "cisco".

The commands to implement MD5 authentication on an interface are (entered at interface level configuration):
ip rip authentication mode md5
ip rip authentication key-chain RIP_KEY

The command "ip rip authentication mode md5" tells RIP to use MD5 authentication, while "ip rip authentication key-chain RIP_KEY" tells it to use the RIP_KEY key chain that has been created.
ONCE THIS AUTHENTICATION IS CONFIGURED ON A ROUTER THE REST PARTICIPATING ROUTERS MUST BE CONFIGURED WITH THE SAME CONFIGURATION AND KEY.
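
How the key, the data and the signature fit together, and why every participating router needs the same key, shown as an added example that is not part of the original notes. It is a simplified model (MD5 over the update followed by the key), not the RIP wire format; the function names, the dictionary form of the key chain and the sample update are assumptions, and "cisco" is the key string from the commands above.

```python
import hashlib
import hmac

def sign(update, key_id, key_chain):
    """Sender side: return (key_id, update, signature) for one routing update."""
    key = key_chain[key_id].encode()
    return key_id, update, hashlib.md5(update + key).digest()

def verify(message, key_chain):
    """Receiver side: recompute the signature with the local copy of the key."""
    key_id, update, signature = message
    key = key_chain.get(key_id)
    if key is None:          # the sender used a key number this router lacks
        return False
    expected = hashlib.md5(update + key.encode()).digest()
    return hmac.compare_digest(expected, signature)

# Key chains modelled as {key number: key string}; all values are constructed.
R1_CHAIN = {1: "cisco"}      # key chain RIP_KEY / key 1 / key-string cisco
R2_CHAIN = {1: "cisco"}      # neighbour configured identically
R3_CHAIN = {1: "Cisco"}      # neighbour with a mistyped key string
UPDATE = b"10.1.0.0/16 metric 1"

def demo():
    """Return the verification result for each case."""
    msg = sign(UPDATE, 1, R1_CHAIN)
    key_id, _, sig = msg
    tampered = (key_id, b"10.1.0.0/16 metric 9", sig)   # data changed in transit
    return {
        "same key": verify(msg, R2_CHAIN),
        "mismatched key": verify(msg, R3_CHAIN),
        "tampered update": verify(tampered, R2_CHAIN),
        "unknown key id": verify((2, UPDATE, sig), R2_CHAIN),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```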

step 3. Verify the Operation of RIP Routing. This is done to check whether routing updates are propagated properly. It can be done with the "show ip route" command.


securing EIGRP routing protocol. The steps are similar to the RIP steps (create a key chain, apply the authentication mode to interfaces). The difference is in how the authentication mode is applied to an interface. The commands to configure MD5 authentication in EIGRP process 1 are:
key chain EIGRP_KEY
key 1
key-string cisco

interface s0/0/0
ip authentication mode eigrp 1 md5
ip authentication key-chain eigrp 1 EIGRP_KEY


securing OSPF routing protocol. The logic of the steps is the same as for RIP and EIGRP, but the commands are different. The commands to configure MD5 authentication on OSPF process 10 area 0 are:
interface s0/0/0
ip ospf message-digest-key 1 md5 cisco
ip ospf authentication message-digest

router ospf 10
area 0 authentication message-digest


6. control and filter network traffic



Cisco provides an auto secure feature that lets you use a single command to disable processes and services that are not needed. You can enter the command "auto secure" at privileged EXEC mode. This command has two modes, interactive and non-interactive. In interactive mode you'll be asked several questions to enable or disable services and other security features. Non-interactive mode will automatically configure the router with the recommended Cisco default settings. The default mode is interactive.
