Posted by: rolande | June 22, 2007

Best Practices for Securing a Choke Router

The following contains commented examples of global and interface configurations for a Cisco router that acts as a “choke” device on the inside or outside of a true firewall device. In Cisco notation, a line beginning with ! is a comment. Non-commented lines are the actual configuration syntax as it would be entered on the Cisco router.

The information supplied in this configuration is in no way guaranteed or supported by the author to “secure” your network. It is meant to provide an example of generally accepted configuration practices when securing routers that provide access to untrusted networks.


DISCLAIMER

No Warranty of any kind is expressed or implied with respect to the information contained in this document!

The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.

Use this information at your own risk!

Scott S. 2007


Recommended Global and Interface Configurations

  1. Disable all non-essential services and features
    • no service pad
      no ip finger
      no ip bootp server
      no ip source-route
      no cdp run (if you don't need CDP on any interface)
      no service config
    • IOS versions 12.x and higher disable certain features by default, such as tcp-small-servers, udp-small-servers and ip http server

  2. Enable global security features
    • service password-encryption (automatically encrypts configured passwords)
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service tcp-keepalives-in
      logging buffered <50000> debugging
      logging console warnings (if you don't log, you can't trace problems)
      enable secret <password> (enables the strongest password encryption on the enable password)
      username admin password 7 <###########################>

  3. Disable the following features per interface
    • no ip redirects
    • no ip unreachables
    • no ip directed-broadcast
    • no ip mask-reply
    • no ip proxy-arp
    • no cdp enable (for exterior-facing interfaces)
    • make sure all other interfaces not being used are administratively shut down

  4. Enabling additional features
    • ip subnet-zero (enables networks on the 0 boundary)
      ip classless (allows for CIDR route lookups)

      If you are using the IOS Firewall/IDS Feature Set...
      ip inspect max-incomplete low 100
      ip inspect max-incomplete high 300
      ip inspect dns-timeout 8
      ip inspect tcp idle-time 7200
      ip inspect tcp finwait-time 8
      ip inspect tcp max-incomplete host 100 block-time 1
      ip inspect name Internet tcp alert on audit-trail on timeout 7200
      ip inspect name Internet udp alert on audit-trail on timeout 60
      ip inspect name Internet http alert on audit-trail on timeout 120
      ip inspect name Internet smtp alert on audit-trail on timeout 30
      ip inspect name Internet ftp alert on audit-trail on timeout 120
      ip inspect name Internet fragment maximum 250 timeout 15
      ip audit attack action alarm drop
      ip audit notify log
      ip audit po max-events 50
      ip audit protected x.y.z.0 to x.y.z.255
      ip audit smtp spam 100
      ip audit name Internet attack action alarm drop

      Enable access-lists, inspect rules, and audit rules per interface as necessary to restrict the
      traffic to only the required communication (see the links above for info regarding access-list
      configuration):

      interface fastethernet 1/0
      ip access-group 101 out
      ip access-group 102 in
      ip inspect Internet out
      ip audit Internet in

    • clock timezone <cst -6> (an accurate clock makes security logs more useful with timestamps)
    • clock summer-time <cdt> recurring
    • NTP is the key to a synchronized clock, which is highly recommended for accurate timestamping of log entries
      ntp update-calendar
      ntp server <ip address of a high stratum synchronized ntp server>
      ! Public NTP Servers
      ntp peer <ip address of local peer device>

    • If SNMP is a requirement...
      snmp-server community <string> RO 10 (secures SNMP control by access list 10)
      Otherwise use...
      no snmp-server
    • Add the IP addresses of only the hosts that need SNMP access to the router to access-list 10
    • Use the banner command to state the obvious precautions upon login as a legal disclaimer
      banner motd ^CC

                                       Property of
                                    Your Company Name
                               Unauthorized Use Prohibited

                              For more information, contact:

      ^C

    • Line configuration (console, aux and vty) – use exec-timeout to log out idle users after 5 minutes
      line con 0
       exec-timeout 5 0
       password 7 <######>
       login authentication no_tacacs !if you are using aaa commands
       login local
       transport input none
      line aux 0
       exec-timeout 5 0
       password 7 <#######>
       login authentication no_tacacs !if you are using aaa commands
       login local
       modem InOut
       transport input all
       stopbits 1
       speed 19200
       flowcontrol hardware
      line vty 0 4
       access-class 50 in
       exec-timeout 5 0
       password 7 <########>
       login authentication tacacs !if you have TACACS set up with aaa commands
       login local
       transport input telnet

  5. IOS version
    • Make sure you are running a version of IOS that is stable and is patched for all of the latest network bugs.
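The checklist in sections 1 through 4 is easiest to apply consistently if it is checked mechanically against a saved running-config. The following Python script is an added example written for this post, not the author's own tooling: it parses IOS configuration text into top-level commands and indented interface/line blocks, then reports which global, per-interface and vty items from the list are absent. The sample configuration, the placeholder secrets and the "FastEthernet" interface names are constructed for the example. One check goes beyond the post's list: type 7 strings (the `password 7` form used above) are a reversible encoding rather than a hash, so the audit flags wherever they appear.

```python
"""Added example: audit a saved Cisco IOS config against the hardening checklist.

Illustrative code, not part of the original post. It checks the global,
per-interface and vty settings that sections 1-4 above call for.
"""
import re
from collections import defaultdict

# Constructed sample running-config (placeholders, not real secrets);
# deliberately incomplete so the audit has something to report.
SAMPLE_CONFIG = """\
!
service password-encryption
service tcp-keepalives-in
no ip finger
no ip source-route
logging buffered 50000 debugging
enable secret 5 <hash-placeholder>
username admin password 7 <type7-placeholder>
snmp-server community public RO
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 shutdown
!
line vty 0 4
 exec-timeout 5 0
 transport input telnet
!
"""

# Checklist items taken from sections 1-4 of the post.
GLOBAL_REQUIRED = [
    "no service pad", "no ip finger", "no ip bootp server", "no ip source-route",
    "no service config", "service password-encryption", "service tcp-keepalives-in",
]
INTERFACE_REQUIRED = [
    "no ip redirects", "no ip unreachables", "no ip directed-broadcast",
    "no ip mask-reply", "no ip proxy-arp",
]
VTY_REQUIRED_PREFIXES = ["access-class", "exec-timeout"]


def parse_config(text):
    """Split IOS config text into top-level commands and their indented sub-blocks.

    IOS indents an interface's or line's sub-commands by one space and
    separates sections with '!' lines; both conventions are relied on here.
    """
    top_level, blocks, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' (or a blank line) closes the open block
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
    return top_level, blocks


def audit(text):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    top_level, blocks = parse_config(text)
    findings = []
    present = set(top_level)
    for cmd in GLOBAL_REQUIRED:
        if cmd not in present:
            findings.append(f"global: missing '{cmd}'")
    if not any(c.startswith("logging buffered") for c in top_level):
        findings.append("global: no 'logging buffered' (no local log history)")
    if not any(c.startswith("enable secret") for c in top_level):
        findings.append("global: 'enable secret' not set")
    for c in top_level:
        # A community string with no trailing access-list number is reachable
        # from any source that can route to the router.
        if re.match(r"snmp-server community \S+ R[OW]\s*$", c):
            findings.append(f"global: SNMP community without access-list: '{c}'")
    # Type-7 strings are a reversible encoding, not a hash; flag them wherever
    # they appear (usernames, console, aux and vty lines).
    for where, cmds in [("global", top_level)] + list(blocks.items()):
        for c in cmds:
            if re.search(r"\bpassword 7\b", c):
                findings.append(f"{where}: reversible type-7 password: '{c.split(' 7 ')[0]} 7 ...'")
    for name, cmds in blocks.items():
        if name.startswith("interface "):
            if "shutdown" in cmds:
                continue            # an administratively down interface needs no per-interface hardening
            for cmd in INTERFACE_REQUIRED:
                if cmd not in cmds:
                    findings.append(f"{name}: missing '{cmd}'")
        elif name.startswith("line vty"):
            for prefix in VTY_REQUIRED_PREFIXES:
                if not any(c.startswith(prefix) for c in cmds):
                    findings.append(f"{name}: missing '{prefix}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents); interfaces that are `shutdown` are skipped, since the checklist only asks that unused interfaces be administratively down.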


