8 steps to protect your cisco router
Upcoming SlideShare
Loading in...5

8 steps to protect your cisco router







Total Views
Slideshare-icon Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Microsoft Word

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    8 steps to protect your cisco router 8 steps to protect your cisco router Document Transcript

    • Protect Your Cisco Router by Simple StepsNetwork security is a completely changing area; new devices like IDS(Intrusion Detection systems), IPS (Intrusion Prevention systems), andHoneypots are modifying the way people think about security.Companies are spending thousands of dollars on new security devices,but forgetting the basic, the first line of defense: the border router.Although a lot of people may think that routers don’t need to beprotected, they are completely wrong. A lot of secure problems appearall time against this kind of device and most of them arevulnerable.Some information about some common security problemsfound on Cisco Routers can be read on the text “Exploiting CiscoRouters”, available at:http://www.securityfocus.com/infocus/1734In this article I will give you/There are 8 steps, easy to follow, to minimizeyour Cisco router exposure by turning off some unused services,applying some access control and applying some security optionsavailable on that.Content List1- Control Access to your router;2- Restrict telnet access to it;
    • 3- Block Spoof/Malicious packets;4- Restrict SNMP;5- Encrypt all passwords;6- Disable all unused services;7- Add some security options;8- Log everything;1- Control Access to your routerThe first thing to do is apply some rules to restrict all external access tosome ports of the router. You can block all ports, but it is not alwaysnecessary. These commands bellow will protect your router againstsome reconnaissance attacks and, obviously, will restrict access to theseports:access-list 110 deny tcp any host $yourRouterIPeq 7access-list 110 deny tcp any host $yourRouterIPeq 9access-list 110 deny tcp any host $yourRouterIPeq 13access-list 110 deny tcp any host $yourRouterIPeq 19access-list 110 deny tcp any host $yourRouterIPeq 23access-list 110 deny tcp any host $yourRouterIPeq 79int x0/0access-group in 110Where $your router IP is your router IP and x0/0 is your external interface.
    • We will always use this convention in this article.2- Restrict telnet access to itTelnet is not a very safe protocol to use, but if you really need to use it(you should always use ssh) you might want to restrict all access to it(remember that all your traffic will be unencrypted). The best way toaccomplish that is using a standard access-list and the access-classcommand.access-list 50 permit 50 deny any loglinevty 0 4access-class 50 inexec-timeout 5 0Where is the IP address allowed to telnet the router3- Block Spoof/Malicious packetsYou must never allow loopback/reserved IP address from the Internetreach your externalinterface and you can reject broadcast and multicast addresses too.access-list 111 deny ip anyaccess-list 111 deny ip anyaccess-list 111 deny ip a
    • access-list 111 deny ip aaccess-list 111 deny ip host anyaccess-list 111 deny ip 111 deny icmp any any redirectint x0/0access-group in 1114- Restrict SNMPSNMP must always be restrict, unless you want some malicious persongetting a lot of information from your network ☺access-list 112 deny udp any anyeqsnmpaccess-list 112 permit ip any anyinterface x0/0access-group 112 inAnd if you are not going to use SNMP at all, disable it:nosnmp-server5- Encrypt all passwordsA very important thing to do is protect all your passwords using thepowerful algorithm as possible. The password from exec mode, thatgrants privileged access to the IOS system, can be set using a MD5 hash,which is the strongest option available on the Cisco IOS.
    • Enable secret $yourpasswordAll other passwords, you can encrypt using the Vigenere cipher that isnot very strong, but can help. To do that, you can use the servicepassword-encryption command that encrypts all passwords present inyou system.Service password-encryption6- Disable all unused services6.1 - Disable Echo, Chargen and discardno service tcp-small-serversno service udp-small-servers6.2 - Disable fingerno service finger6.3 - Disable the httpd interfacenoip http server6.4 - Disable ntp (if you are not using it)ntp disable
    • 7- Add some security options7.1 - Disable source routingnoip source-route7.2 - Disable Proxy Arpnoip proxy-arp7.3 - Disable ICMP redirectsinterface s0/0 (your external interface)noip redirects7.4 - Disable Multicast route Cachinginterface s0/0 (your external interface)noipmroute-cache7.5 - Disable CDPnocdp run7.6 - Disable direct broadcast (protect against Smurf attacks)noip directed-broadcast
    • 8- Log everythingTo finish, you must log everything on an outside Log Server. You musteverything from all your systems and always analyze the logs.logging trap debugginglogging is the ip of your log server (configured as a Syslogserver)ConclusionWith these simple steps you can add a lot of security to your router,protecting it against a lot of possible attacks, increasing your networksecurity.Only as an example, you can see the nmap result before and afterapplying these options:Before:Bash-2.05b# nmap -O nmap V. 3.00 (www.insecure.org/nmap/ )Interesting ports on ( State Service7/tcp open echo9/tcp open discard
    • 13/tcp open daytime19/tcp open chargen23/tcp open telnet79/tcp open finger80/tcp open httpRemote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS11.3.6(T1), Cisco IOS 11.3 - 12.0(11)After:Bash-2.05b# nmap -P0 -O nmap V. 3.00 (www.insecure.org/nmap/)Warning: OS detection will be MUCH less reliable because we did notfind at least 1 open and 1 closed TCP portAll 1601 scanned ports on ( are: filteredToo many fingerprints match this host for me to give an accurate OSguessNmap run completed -- 1 IP address (1 host up) scanned in 403 secondsMORE NOTES: Opening Ports on a Cisco Router to Allow ExchangeServer to WorkMore Cisco news and info of Cisco network hardware you can visit:http://blog.router-switch.com/