Tuesday, March 20, 2007

Advanced Cisco Router Security

Ok, i got to speak a little bit about advanced cisco router security settings. I had been configuring cisco devices since 2002 and when i looked back, i realised that my configuration is not secure at all. There are so many loopholes here and there hanging around. If an attacker were to use a port scanner, then he would be able to actually see all the open ports and services that is present in the router. That's a bad bad configuration by me. Well, every man make mistakes and learn from there onwards. Its 2007 and well, i had learnt my mistakes the hard way, so here is the improve sample configuration from me. However, please note that they are not in order.

1. Practice logging There are a lot of way to perform logging. You can use AAA, syslog and system logging which includes console and vty logins.

2. Use an Authentication Proxy if required If you have an internal server which requires login, you can setup an authentication proxy to make sure users authenticte with the router first before the traffic is allowed into the server. Make sure you setup either a local database or an AAA server for verification of user credentials. This will depend on each organization.

3. Disable Unnecessary services This point here is very important. Never allow services like finger, telnet or snmp if not required. Multiple exploits have been published that can actually compromise the router. So, review your router and check for unwanted services and shut it down.

4. Retrict Access Restrict access like VTY, console, ssh, telnet, etc. I will not mention much about this as it is mentioned with configuration examples in my earlier post.

5. Use autosecure. You can use the auto secure command in in IOS version 12.3 onwards to actually implement router security. This command will enable you to disable CDP finger if not needed. Use this command if you do not know how to configure it manually.

6. Enable the IPS in your router Modern Cisco routers comes with IPS included in the IOS. Enabled it. With IPS enabled, you can log the specific event to a server or drop the packets or forward it to the destination with a reset bit set, if your configuration suspects that this is an attack.

7. Use CBAC This feature allow monitoring of layer 7 protocol like HTTP and FTP. This feature will actually create a session table entry for any connection from any internal users which initiates a connection to the outside world. CBAC can inspect unusual behaviour drop the connection.

8.Use port-to-address mapping (PAM) Use this feature to map to a different port for known services. For example, http runs on port 80, you can actually map it to port 9090. This feature blends well with CBAC.


Anonymous said...

Can anyone recommend the best MSP tool for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central software monitoring
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Jonathan Mcmurry said...

Cisco routers are commonly used to setup networks for businesses. I'm glad that you posted techniques on how to effectively control and manage the security given this router.

For businesses in some parts of the country and in Brantford, network support is a priority. Especially in information driven industries, server support is a core function. Any lost data would translate to big financial losses for the company.

Indeed, security for any network is possible through advanced equipments. Thanks!