CIS_Final

Document Sample
CIS_Final Powered By Docstoc
					                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0




                                              Figure 1

GNS3 Network Basics
Figure 1 illustrates the network configured in the Graphic Network Simulator (GNS) software
application on your notebook. This network is not intended to be representative of any specific
configuration you may encounter.
The section of the network in Figure 2 is the router on
which the search commands will be executed. The symbol
is for a generic router. The label “7200” was added by the
designer. The router being emulated is a Cisco 7200 series
with three configured interfaces. The interface on the left
is connected to network 10.1.40.0 and has the ip address
10.1.40.2 assigned to it. The line to which this interface is
connected has been assigned the ip address 10.2.40.1.                          Figure 2
You can determine all this from the information displayed on
the diagram. The “/24” at the end of each network ip address indicates that the network is
using a 24-bit mask. The small green ball indicates that the interface to which the line is
attached is turned on – the line is connected.
This presentation is concerned in its entirety with securing the edge router, defined as the last
router (or routing device) through which your traffic will pass on its way out of your LAN. It is
also the first device encountered by inbound traffic.
For this presentation, the router standing in as the border router is the 7200. The Pix firewall
and the two 2621 routers connected to it are standing in for the Internet Service Provider (ISP).
The configuration of the Pix is important only in so much as it interacts with the 7200. The Pix is
configured with EIGRP (Enhanced Interior Gateway Protocol) as is the interface on the 7200 to
which it is connected.


                                                                                          Page |1
                                                                    Baseline Audit for Cisco Routers
                                                                           6 May 2012, Version 6.0

The other interfaces on the 7200 are configured with OSPF (Open Shortest Path First). Both
EIGRP and OSPF are interior routing protocols; but, they are both much easier to configure and
much easier on resources than is BGP, the most widely-used exterior protocol.
Checking the security posture of a Cisco router is largely an examination of the contents of the
configuration of the router. The majority of the commands you will be examining are concerned
with securing the Management Plane. A large part of the configuration of your LAN edge router
will be based on information supplied by the service provider to which you are connecting.
Passwords
•   The first line of defense on a router, or any other networking device, is to require passwords
    for simple authentication.
•   There are several rules which should be followed:
    • Encrypt passwords using MD5 wherever possible.
    • Where MD5 isn’t possible, hide the passwords from casual viewing.
    • Configure lockouts to preclude password guessing.
    • Enforce a minimum password length standard.
•   Related to password enforcement is ensuring that no one else can use a password
    inappropriately left active. To enforce this, don’t leave connections up when idle.
Traffic Filtering
•   The best place to prevent unwanted traffic from entering or exiting the LAN is at the entry
    interfaces. Filtering is another name for blocking or dropping. When we say that a packet
    has been filtered, it means that the packet has been dropped, blocked, or denied.
•   Selectively filter icmp packets.
•   Use ingress and egress filtering.
Authentication
•   Use local usernames.
•   Implement AAA.
•   Set authentication for eigrp and ospf.
Management
•   set keepalives for management access sessions
•   restrict management access to authorized users
•   set exec timeouts
•   use ssh & https for management access
•   banners (login, motd, exec, incoming)
•   if used, snmp v3 only
•   configure centralized logging
•   config change notifications
•   set logging level
•   set logging source interface
•   set logging time-stamp
•   use AAA for accounting


                                                                                        Page |2
                                                                   Baseline Audit for Cisco Routers
                                                                          6 May 2012, Version 6.0

•   replace and rollback for configuration files
•   exclusive configuration access
•   software resilience
Hardware
•   Set memory threshold levels.
•   Set cpu threshold levels.
Physical
•   The router should be secured in a locked room or protected area.
•   Access to the console port should be prevented.
•   An uninterruptible power supply (UPS) should be employed to protect the configuration of
    the router in the event of a power outage.
Internetworking Operating System (IOS)
•   The most stable version of the IOS should be used. A visit to the Cisco.com web site should
    provide the version of the most recent IOS for the router platform type.
•   Store a copy of the configuration file in an off-device location as well as in persistent
    memory on the device itself.
•   Move the IOS to persistent memory so that it can be easily reinstalled.
Harden the Router
•   “Harden” is a term used to describe a process by which the router is configured so as to
    make unauthorized access to it as difficult as possible.
•   Secure all methods of connection.
•   Disable unused services, interfaces, and ports. Disabled = inaccessible.
•   Authenticate access – allow only authorized users to have access to the device and/or
    services on the device.
•   Authorize actions – restrict authenticated users from accessing everything. Allow
    authenticated users to have access to only what is required.
    • Account for the actions – generate, capture, and store log and audit messages depicting
        every action taken by an authenticated user. Tag every message with identifying
        information about the user including who, what, when.
    • Display banners – Legal notifications and warnings.
    • Encrypt everything that can be encrypted.
    • Hide everything else.




                                                                                       Page |3
                                                                       Baseline Audit for Cisco Routers
                                                                              6 May 2012, Version 6.0

MANAGEMENT PLANE COMMANDS
This section contains a listing of security support commands which are applied to the management level
of the Cisco router. Each command includes a short explanation of what the command (both active and
negated versions) does and an example command you can execute from the command line to see
whether or not the command is configured on the device.

From inside GNS3, bring up a console window on the 7200 router and try out each of the commands
under the “Finding it in the configuration” section.

Command:       no ip source-route


   •   Disables ip source routing
   •   IP source routing allows the originator of a packet to dictate which routers the packet
       should traverse along its way.
   •   It is a very dangerous capability and is routinely disabled using this command

   Finding it in the configuration:

       RTR7200# show running-config | include ip source-route

       RTR7200# no ip source-route


Command:       ip cef


   •   Enables Cisco Express Forwarding
   •   Required in order to enable Unicast Reverse-Path Forwarding
   •   CEF creates a Forwarding Information Base (FIB) table containing the next hop
       addresses. It also creates adjacencies with the source of the packet. When a packet is
       received, CEF can determine if a next hop address exists based on whether or not a
       relationship has already been established between the layer 3 (IP) data and the layer 2
       (MAC) data. This saves the time required to perform Address Resolution Protocol (ARP)
       searches on packets from known sources.
   •   Its main function is to speed up the switching process in the router.

   Finding it in the configuration:

       RTR7200# show running-config | include cef

       RTR7200# ip cef




                                                                                           Page |4
                                                                  Baseline Audit for Cisco Routers
                                                                         6 May 2012, Version 6.0

Command:     no service tcp-small-servers
             no service udp-small-servers


  •   As of version 12.0 of the Cisco IOS, the services included under these commands are
      disabled by default. The commands will not appear in the configuration file.
  •   For earlier versions of the IOS, it is absolutely necessary to disable these and other
      unused services because they can be used to launch DoS attacks.

  Finding it in the configuration:

      RTR7200# show running-config | include small-servers

      (Prior to 12.0)

      RTR7200# no service tcp-small-servers
      RTR7200# no service udp-small-servers


Command:     no ip domain lookup


  •   Disables Domain Naming System (DNS) name-to-address translations.
  •   This service is sometimes needed, but not very often.

  Finding it in the configuration:

      RTR7200# show running-config | include ip domain lookup

      RTR7200# no ip domain lookup


Command:     no ip finger


  •   Disables the Finger service.
  •   Finger is a very old service which provides information about users currently logged in to
      a network or on to a device. In the ancient days of networking, it was the only way to
      find out if a fellow user was available.

  Finding it in the configuration:

      RTR7200# show running-config | include finger

      RTR7200# no ip finger




                                                                                      Page |5
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

Command:     no ip bootp server


  •   Disables the Bootstrap Protocol (bootp) service.
  •   BOOTP is typically used with diskless workstations and other devices which don’t
      contain their own operating system, which would allow them to use the Device Host
      Configuration Protocol (DHCP).
  •   There are not a lot of devices like this anymore.

  Finding it in the configuration:

      RTR7200# show running-config | include bootp server

      RTR7200# no ip bootp server


Command:     ip dhcp bootp ignore


  •   At some point in the development of the Device Host Configuration Protocol (DHCP), it
      was decided to include the capability of providing BOOTP capabilities for those few
      devices which still required it.
  •   If bootp is not required, this command leaves DHCP operational while configuring it to
      ignore any BOOTP requests..

  Finding it in the configuration:

      RTR7200# show running-config | include bootp ignore

      RTR7200# ip dhcp bootp ignore


Command:     no service dhcp


  •   If DHCP relay services are not required, it is safe to disable the service

  Finding it in the configuration:

      RTR7200# show running-config | include service dhcp

      RTR7200# no service dhcp




                                                                                         Page |6
                                                                  Baseline Audit for Cisco Routers
                                                                         6 May 2012, Version 6.0

Command:     no mop enabled


  •   Disables the Maintenance Operation Protocol (MOP) service.
  •   MOP is a 30+ year old protocol developed by Digital Equipment Corporation which is no
      longer in business.
  •   From the original specifications: “MOP allows control of unattended remote systems
      that are part of a DECnet network.”
  •   If there’s no DECnet network, there’s no need for MOP.

  Finding it in the configuration:

      RTR7200# show running-config | include mop enabled

      RTR7200# no mop enabled


Command:     no service pad


  •   Disables the Packet Assembler/Disassembler (PAD) service.
  •   PAD is used to actively assemble X.25 packets out of serial data streams from network
      devices and disassembles like packets into a data stream which is suitable for sending to
      data terminals.
  •   If you’re not using an X.25 network, you don’t need it.

  Finding it in the configuration:

      RTR7200# show running-config | include service pad

      RTR7200# no service pad


Command:     no ip http server
             no ip http secure-server


  •   Disables the HyperText Transfer Protocol (HTTP) service and the HTTP over Secure
      Socket Layer (SSL) service (HTTPS).

  Finding it in the configuration:

      RTR7200# show running-config | include ip http

      RTR7200# no ip http server
      RTR7200# no ip http secure-server



                                                                                      Page |7
                                                                   Baseline Audit for Cisco Routers
                                                                          6 May 2012, Version 6.0

Command:     no service config


  •   Disables a Cisco IOS device search for a network server to load the configuration file.
  •   Prevents the device from trying to find the config file using TFTP

  Finding it in the configuration:

      RTR7200# show running-config | include service config

      RTR7200# no service config


Command:     no cdp run
             no cdp enable


  •   Disables Cisco Discovery Protocol
  •   Within a LAN, cdp is a relatively safe protocol. On interfaces touching untrusted
      networks, cdp should not be used because it advertises information about individual
      devices which would be helpful to a hacker.
  •   no cdp run is the global command which disables cdp for all interfaces.
  •   no cdp enable is used on individual interfaces.

  Finding it in the configuration:

      RTR7200# show running-config | include cdp

      RTR7200# no cdp ( run | enable )


Command:     no lldp transmit
             no lldp receive
             no lldp run global


  •   Disables Link Layer Discovery Protocol
  •   Similar to CDP, but used between devices that do not support CDP.
  •   Use the no lldp transmit and no lldp receive commands in interface configuration mode
      for individual interfaces; or, the no lldp run global to disable it on all interfaces.

  Finding it in the configuration:

      RTR7200# show running-config | include lldp

      RTR7200# no service config


                                                                                       Page |8
                                                                 Baseline Audit for Cisco Routers
                                                                        6 May 2012, Version 6.0

Command:     enable secret <password>


  •   The enable password is used to enter privileged exec mode in which the entire router
      can be reconfigured.
  •   It is essential that only the secret version of this command be used.

  Finding it in the configuration:

      RTR7200# show running-config | include enable

      RTR7200# enable secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK.

  •   Of primary importance are that the password is set (enable secret), and
  •   that it is protected with the MD5 hashing algorithm (5).


Command:     service password-encryption


  •   Causes all passwords which are not already encrypted with MD5 to be encrypted using
      Cisco proprietary encryption algorithm type 7.
  •   Type 7 encryption is a basic substitution method of encryption which does not provide
      any security for the password beyond making it difficult to read.

  Finding it in the configuration:

      RTR7200# show running-config | include service password

      RTR7200# service password-encryption


Command:     security passwords min-length <#>


  •   Sets a minimum length for any future passwords.
  •   Passwords which are already set are not effected by this command.
  •   What the value of <#> is should be a matter of local policy.
  •   Cisco recommends a minimum length of 10.

  Finding it in the configuration:

      RTR7200# show running-config | include security password

      RTR7200# security passwords min-length 10




                                                                                     Page |9
                                                                 Baseline Audit for Cisco Routers
                                                                        6 May 2012, Version 6.0

Command:     [no] service password recovery


  •   This command is not available in all versions of the IOS.
  •   The no version disables the password recovery feature of the router and should only be
      used IAW local policy.

  Finding it in the configuration:

      RTR7200# show running-config | include service password

      RTR7200# service password-recovery

  •   Executing the ‘no’ version removes the command from the config file.
  •   There will be no output if the ‘no’ version has been executed.
  •   There will also be no output if the IOS version does not support the command.


Command:     username <name> [privilege <level>] secret <password>


  •   Creates an entry in the local database.
  •   Preceding the password with the keyword “secret” causes the plaintext password to be
      hashed using the MD5 hashing algorithm.
  •   Preceding the password with the keyword “password” causes the password to be left in
      plaintext unless the service password-encryption command has been executed. This
      form of the command is not authorized.
  •   There should be one username configured with a privilege level of 1 (one) for normal
      connection to the router. Once connected, this user can execute the “enable” command
      to move to a higher privilege level.
  •   In configurations such as login local or ip http authentication local, the the keyword
      local tells the router to require the entry of both the username and the password for
      that username in order to gain access.

  Finding it in the configuration:

      RTR7200# show running-config | include username

      RTR7200# username NOACCESS privilege 1 secret 5 $1$yx4M#bFUI/TnJyoWTvF1LUt.PK
      RTR7200# username ADMIN privilege 15 secret 67UI#kouekla;*#Kkboup@bN&7arP




                                                                                    P a g e | 10
                                                                  Baseline Audit for Cisco Routers
                                                                         6 May 2012, Version 6.0

Command:     login block-for <block_time> attempts <#> within <time_period>


  •   Mitigates the possibility of a brute force attack by blocking all login attempts for a
      specific period of time if too many attempts had been made during a short time period
  •   Note that this command blocks ALL login attempts.
  •   The command is interpreted “if <#> attempts to login have occurred within
      <time_period> in seconds, prevent all further login attempts for <block_time> in
      seconds”.
  •   For example: login block-for 180 attempts 4 within 60

  Finding it in the configuration:

      RTR7200# show running-config | include login block-for

      RTR7200# login block-for 30 attempts 3 withing 30


Command:     login quiet-mode access-class <acl# or aclNAME>


  •   This command sets the access list <acl# or aclNAME> as a list of ip addresses that can
      still login even though every other ip address is blocked out.

  Finding it in the configuration:

      RTR7200# show running-config | include login quiet-mode

      RTR7200# login quiet-mode access-class ALLOW_ACCESS

      RTR7200# show access-list ALLOW_ACCESS

      RTR7200#Standard IP access-list ALLOW_ACCESS
      RTR7200# 10 permit 10.4.1.14
Command:     login delay <#>


  •   Force a delay of <#> seconds between each login attempt

  Finding it in the configuration:

      RTR7200# show running-config | include login block-for

      RTR7200# login delay 3




                                                                                     P a g e | 11
                                                                    Baseline Audit for Cisco Routers
                                                                           6 May 2012, Version 6.0

Command:     login on-failure log [every <#>]


  •   This command causes a log entry to be generated every time a login fails.
  •   It might seem that setting this to 1 would be a good idea; however, a number between 5
      and 10 is more appropriate. If login attempts are being blocked (failing), then security is
      being enforced.
  •   Login failures are counted on a per-ip address basis.

  Finding it in the configuration:

      RTR7200# show running-config | include login on-failure

      RTR7200# login on-failure log every 5


Command:     login on-success log [every <#>]


  •   Unlike login failures, this one should be set to 1.
  •   Since 1 is the default, it is not necessary to include it in the command. Enter only login
      on-success log to configure the default of 1.

  Finding it in the configuration:

      RTR7200# show running-config | include login on-success

      RTR7200# login on-success log


Command:     security authentication failure rate <#>


  •   Sets a global threshold rate for login failures.
  •   If the threshold is breached, a syslog message is posted and a 15-second delay is
      enforced.
  •   This global setting can be overruled by the login block-for command

  Finding it in the configuration:

      RTR7200# show running-config | include security authentication

      RTR7200# security authentication failure rate 8




                                                                                       P a g e | 12
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

Command:       show login


        Display all the login commands in the configuration:
               A login delay of 3 seconds is applied.
               Quiet-Mode access list ALLOW_ACCESS is applied.
               All successful login is logged.
               Every 5 failed login is logged.
               Router enabled to watch for login Attacks.
               If more than 3 login failures occur in 30 minutes or less,
               logins will be disabled for 30 seconds.
               Router presently in Normal-Mode.
               Current Watch Window
                     Time remaining: 22 seconds.
                     Login failures for current window: 0.
               Total login failures: 0.


Filtering
Ingress & Egress Filters:

•   The ingress filter is the access list assigned to the interface connected closest to the service
    provider which blocks known malicious or simply bad traffic from entering your LAN.
•   The egress filter is the access list assigned to the interface connected closest to your LAN
    which allows only legitimate traffic to depart your LAN.
•   Note that the egress filter may be more than one access list. If the router you’re examining
    has multiple LANs connected to it, it may be necessary to implement an egress filter to each
    of the interior interfaces.
•   To determine which access list is the egress and which is the ingress, it will be necessary to
    review the structure of the network to determine which interface should host the ingress
    filter and which should host the egress filter.
•   For this example, interface FastEthernet0/0 (f0/0) will be the interface connected to the
    provider. View the configuration for the interface:

    RTR7200# show running-config | section FastEthernet0/0

    •   If the resulting display contains the two lines

        ip access-group <NAME> in
        ip access-group <NAME> out

        the <NAME> preceding “in” is the ingress filter and
        the <NAME> preceding “out” is the egress filter.




                                                                                        P a g e | 13
                                                                       Baseline Audit for Cisco Routers
                                                                              6 May 2012, Version 6.0

    •    If the interface only includes the one “in” filter, you’ll need to view the configuration of
         the other interfaces to determine which should contain the outbound filtering.

Ingress Access List:

•   Once you’ve decided which is the ingress filter and which is the egress filter, you next need
    to examine their contents (see next section).
•   Access-lists are essential for securing a router. They can, however, be extremely complex.
    Without a thorough understanding of all the applications traversing the router and the
    protocols involved, it is impossible to validate each acl.
•   There are some things which are universally filtered at the outside interface. Among these
    are ip addresses which are not routable across the Internet, referred to as private
    addresses. Certain multicast addresses should also be blocked as well as malformed
    addresses.
•   RFC 5735 and RFC 4193 list the private address and other reserved ranges for IPv4 and IPv6
    respectively and discuss their purpose and implementation.
•   The Center for Internet Security (CIS) Security Configuration Benchmark for Cisco IOS
    Version 3.0.0, September, 2011 contains a recommended list of ip addresses that should be
    blocked at the ingress filter. They are included in the example ingress access-list on the
    following slide. There are other candidates for inclusion in this list.

    1)   access-list <acl> deny ip <your_internal_address_range> any log
    2)   access-list <acl> deny ip 127.0.0.0 0.255.255.255 any log
    3)   access-list <acl> deny ip 10.0.0.0 0.255.255.255 any log
    4)   access-list <acl> deny ip 172.16.0.0 0.15.255.255 any log
    5)   access-list <acl> deny ip 192.168.0.0 0.0.255.255 any log
    6)   access-list <acl> deny ip 192.0.2.0 0.0.0.255 any log
    7)   access-list <acl> deny ip 169.254.0.0 0.0.255.255 any log
    8)   access-list <acl> deny ip 0.0.0.0 0.255.255.255 any log
    9)   access-list <acl> deny ip host 255.255.255.255 any log

    •    Line 1 prevents any external host from spoofing your ip addresses.
    •    Line 2 is the loopback range of addresses
    •    Lines 3, 4, & 5 are the big 3 private address ranges
    •    Line 6 is TEST-NET-1 and is used only in documentation
    •    Line 7 is the local link block
    •    Lines 8 & 9 are blocking bogus ip addresses

Egress Access List:

•   The egress filter is an access list which insures that only legitimate traffic (traffic generated
    by your own LAN) is allowed to exit the LAN.
•   The access-list may be complex due to the inclusion of protocols and applications as well as
    operationally mandated traffic.


                                                                                          P a g e | 14
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

•   The single entry you’re looking for is one that allows only your address space:
•   access-list <acl> permit ip <your_internal_address_range> any log
•   If there are other users (LANs) connected to other interfaces, this line needs to be adjusted
    for their ip address range and included in the filter located on their interface of the router.

ICMP:

•   Internet Control Message Protocol
•   Purpose is to assist in the control of the Internet Protocol (IP)
•   Can convey virtually ALL information about internal structure of your LAN
•   Is required for some purposes
•   Which ICMP messages need to be filtered and which need to be allowed will be dictated by
    local mission requirements as well as restrictions mandated by the external service
    provider.
•   At a minimum, all non-mandated inbound requests should be filtered as well as any
    outbound requests from addresses other than the management station.
•   To verify the filtering established for a particular LAN, it is necessary to have an
    understanding of the structure of the LAN – what ip address is/are assigned to the
    management station(s); what is the address space for the LAN; what applications are
    running which require the use of ICMP; etc.
•   ICMP needs to be filtered on both the egress and ingress interfaces.
•   In the ingress filter access list, there might be lines which allow icmp echo requests from
    specific external ip addresses such as a trusted management station or server. Verify the ip
    addresses included with the local operating procedures.
•   All other ip traffic from the network to which the management stations /servers belong
    should be explicitly blocked.
•   ip access-list extended INGRESS_FILTER
•   permit icmp host <trusted-management-station> any echo
•   permit icmp host <trusted-management-server> any echo
•   deny ip any <the_rest_of_the_network> <mask>
•   In the egress filter access list, there might be lines which allow icmp echo requests from
    specific internal ip addresses such as a management station. Verify the ip address of the
    management station.
•   All other icmp traffic from your network must be explicitly blocked.
•   ip access-list extended EGRESS_FILTER
•   permit icmp host <trusted-management-station> any echo
•   permit icmp host <trusted-management-server> any echo
•   deny icmp any <the_rest_of_the_network> <mask>
•   Note: If icmp echo-requests are permitted out of your LAN, the corresponding echo-reply
    must then be permitted back in to your router through the ingress filter. The entry in the
    ingress filter should be as specific as possible to ensure no unauthorized icmp traffic enters.




                                                                                        P a g e | 15
                                                                    Baseline Audit for Cisco Routers
                                                                           6 May 2012, Version 6.0

AUTHENTICATION
Local:

    username <name> [privilege <level>] secret <password>

•   Local usernames are used in many places for authentication purposes.
•   In the aaa command (discussed elsewhere) aaa authentication login default local enable,
    the “local” option indicates that the local username database should be consulted for
    authentication (then the enable secret password).
•   In the command ip http authentication local, “local” means that only a username from the
    local username database, once properly authenticated by entering the correct password,
    will have access to the http protocol.
•   On vty, aux, and con lines, the command login local means the same thing. Use show
    running-config | begin line to see all the line configurations.

    Finding it in the configuration:

    RTR7200# show running-config | include local

    RTR7200# ip http authentication local
    RTR7200# login local

AAA
Command:       aaa new-model


           •   Activates AAA (authentication, authorization, accounting) functionality
           •   Immediately applies local authentication to all lines and interfaces except the
               console (line con 0). Sessions already opened are not affected. If a session times-
               out and no username is configured, you are effectively logged out. For this
               reason, a username must be configured prior to executing this command.

Finding it in the configuration:

show running-config | include aaa new-model

aaa new-model

Designate Server(s):
tacacs-server host <ip | hostname> [timeout <sec>] [key <KEY>]
radius-server host <ip | hostname> [timeout <sec>] [key <KEY>]
             • Designates the TACACS+/RADIUS server ip address or hostname
Finding it in the configuration:



                                                                                       P a g e | 16
                                                                    Baseline Audit for Cisco Routers
                                                                           6 May 2012, Version 6.0

show running-config | include tacacs-server
show running-config | include radius-server
       tacacs-server host A.B.C.D timeout 15
       radius-server host E.F.G.H auth-port 1645 acct-port 1646 timeout 15 key 7 08136D…
(The RADIUS server configuration includes the default authentication and accounting port
assignment numbers of 1645/1646. TACACS+ uses only port 49.)

Create Server-Groups:
aaa group server tacacs+ <NAME>
aaa group server radius <NAME>
            • Creates a group named <NAME> into which servers can be added.
            • The router prompt changes to the server-group config prompt
(config-sg-tacacs+)#server < ip | hostname >
(config-sg-radius)#server < ip | hostname >
            • Adds the server(s) to the group.

Finding it in the configuration:
show running-config | include aaa group
       aaa group server tacacs+ <NAME>
       aaa group server radius <NAME>
Authenticating Enable EXEC Mode:
aaa authentication enable default group tacacs+ enable
             • Creates the default list for determining whether or not a user can access
                privileged EXEC command level.
             • This command allows for up to four of these methods:
                    • group <NAME> - use the servers configured in the <NAME> group
                    • group tacacs+ : use all available tacacs+ servers
                    • group radius : use all available radius servers
                    • enable : use the enable password
                    • line : use the line password (if connected via vty line, for example)
                    • none : no authentication required
Finding it in the configuration:
show running-config | include aaa authentication enable
       aaa authentication enable default group tacacs+ enable
Authenticating Logins:
aaa authentication login default group tacacs+ local enable
             • This is the default list for authenticating a user who wants to log in.
             • This command allows for up to four of these methods:
                    • group <NAME> - use the servers configured in the <NAME> group
                    • group tacacs+ : use all available tacacs+ servers
                    • group radius : use all available radius servers
                    • enable : use the enable password
                    • line : use the line password (if connected via vty line, for example)
                    • local : local username database


                                                                                       P a g e | 17
                                                                  Baseline Audit for Cisco Routers
                                                                         6 May 2012, Version 6.0

                    • local-case : case-sensitive local username database
                    • none : no authentication required
Finding it in the configuration:
show running-config | include aaa authentication login
       aaa authentication login default group tacacs+ local enable
Accounting:
aaa accounting exec start-stop group tacacs+
    • Accounting occurs for all user shell EXEC commands
aaa accounting commands 15 default start-stop group tacacs+
    • Accounting occurs for all commands on level 15
aaa accounting network start-stop group tacacs+
    • Accounting occurs for all network related services like PPP
aaa accounting connection start-stop group tacacs+
    • Accounting occurs for all outbound connections
aaa accounting system start-stop group tacacs+
    • Accounting occurs for all system related events not directly related to a user
    • These five commands are all required to completely configure aaa accounting.
    • “start-stop” accounting begins as soon as the session begins. A summary record which
       includes session statistics is sent when the session ends.
Finding it in the configuration:
show running-config | include aaa accounting
EIGRP
Authentication:
(config)# key chain KC_EIGRP
(config-keychain)# key 1
(config-keychain-key)# key-string ReallyStrong!
             • Creates a key chain for EIGRP called “KC_EIGRP” and adds key #1 to it
(config-if)# ip authentication mode eigrp 33 md5
             • In interface configuration mode, activate authentication for as 33
(config-if)# ip authentication key-chain eigrp 33 KC_EIGRP
    • Set authentication to use the key-chain configured previously.
Finding it in the configuration:
show running-config | section key chain

       key chain KC_EIGRP
        key 1
          key-string 7 04690E07032D557D1D0B0A19154A
          • Once you know the key chain name, search for it:
show running-config | include KC_EIGRP

      ip authentication key-chain eigrp 33 KC_EIGRP
                 • Debugging eigrp will display which interfaces are authenticating:
debug eigrp packets



                                                                                       P a g e | 18
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

        : EIGRP: Received packet with MD5 authentication, key id = 1
        : EIGRP: Received HELLO on <int> nbr <ip>
Slide 50
OSPF
Authentication:
(config-if)# ip ospf message-digest-key 1 md5 ReallyReallyStrong!
             • Establishes the key for this interface
             • This must be pre-shared. That is, the interface on the next device in line to which
                 this interface is connected must have an identical key configured.
(config-if)# ip ospf authentication message-digest
             • Activates the MD5 (message-digest) authentication on this interface
Finding it in the configuration:
             • Since authentication is configured on a per-interface basis, verifying the
                 configuration needs to be performed the same way:
show ip ospf interface <int> (once per interface)
        /- output ommitted -/
        Message digest authentication enabled
            Youngest key id is 1
MANAGEMENT ACCESS
Keepalives:
service tcp-keepalives-in
service tcp-keepalives-out
             • Generate keepalives on network connections
             • Sometimes, tcp connections to remote points may become disconnected at the
                remote host without notifying the originating end of the connection. When this
                happens, it might become impossible to reconnect to the remote host upon its
                return to service because this end of the connection still believes the connection
                exists. With keepalives configured, each end of the connection will be aware that
                the other end has disconnected and can close its end.
Finding it in the configuration:
show running-config | include tcp-keepalives
        service tcp-keepalives-in
        service tcp-keepalives-out
Exec Timeouts:
exec-timeout <minutes> [<seconds>]
             • Establishes the length of time a line is allowed to be idle before the router
                disconnects it, dropping the connection.
             • A setting of 0 0 (zero zero) disables this feature and is not allowed.

Finding it in the configuration:
                    • Begin the display of the config file from the first instance of a line:
                    • A setting of 10 minutes is the default and will not appear in the listing.
show running-config | begin line
       line con 0


                                                                                        P a g e | 19
                                                                    Baseline Audit for Cisco Routers
                                                                           6 May 2012, Version 6.0

              /- output omitted -/
              exec-timeout 5
         line vty 0 4
              /- output omitted -/
              exec-timeout 3 30
Configure Secure Shell (SSH):
ip domain-name <NAME>
hostname <HOSTNAME>
crypto key generate rsa general-keys modulus 1024
              • Each router has to have a unique hostname.
              • All routers that need to communicate via SSH must be configured with the same
                  domain name.
              • The minimum required modulus (encryption strength) is 1024.
Finding it in the configuration:
show running-config | ip domain-name
         ip domain name ns.com
show ip ssh
         SSH Enabled – version 1.99
         Authentication timeout: 120 secs; Authentication retries: 3
Changing SSH Defaults:
ip ssh version 2
                      • Set ssh to version 2 – it is backward-compatible with version 1 but offers
                         superior security.
ip ssh time-out 60
              • Set the ssh timeout to 60 seconds instead of the default 120.
ip authentication-retries 4
              • Set the number of times a user/device can attempt to authenticate before being
                  locked out of ssh.
Finding it in the configuration:
show ip ssh
         SSH Enabled – version 2.0
         Authentication timeout: 60 secs; Authentication retries: 4
Allowing Access to SSH:
(config-line)#transport input ssh
              • Executed on the vty line(s)
              • Forces the requirement to connect using only ssh.
              • Effectively blocks access to telnet.
(config-line)#access-class <standard_acl> in
                      • The acl contains ip addresses of those stations authorized access to the
                         vty lines and, therefore, to ssh.
Finding it in the configuration:
show running-config | section vty
         line vty 0 4
           /- output omitted -/


                                                                                       P a g e | 20
                                                                Baseline Audit for Cisco Routers
                                                                       6 May 2012, Version 6.0

         access-class 1 in
         transport input ssh
         /- output omitted -/
Configure Secure HTTP (HTTPS):
no ip http server
ip http secure-server
                    • The recommendation is that neither http nor https be enabled.
                    • If operationally necessary or mandated, only the secure http server
                        (https) will be activated.
                    • This configuration has to do with https terminating on the router, not
                        passing through it on the data plane.
Finding it in the configuration:
show running-config | include http
        no ip http server
        ip http secure-server
        /- other http commands may be listed -/
Restrict Access to HTTPS:
ip http authentication local
                    • Local usernames will be used for authentication.
ip http authentication enable
                    • If you know the enable secret password, you can authenticate to http.
ip http authentication aaa login-authentication <NAME>
                    • Authenticate login attempts using the configured method list <NAME>.
Finding it in the configuration:
show running-config | include http
        no ip http server
        ip http authentication aaa login-authentication WEBACCESS
        ip http secure-server
Banners:
banner incoming @ This is the INCOMING banner … @
banner motd % This is the MOTD banner … %
banner exec & This is the EXEC banner … &
banner login * This is the LOGIN banner … *
             • The incoming banner is used when the router receives an connection from a host
                on the network – from an address within the interface address range.
             • The motd (message of the day) banner is displayed before any other banner.
             • The exec banner is displayed when the user has connected the the router.
             • The login banner is displayed after the user has authenticated.
Finding it in the configuration:
show running-config | include banner
        banner incoming ^C This is the INCOMING banner … ^C
        banner motd ^C This is the MOTD banner … ^C
        banner exec ^C This is the EXEC banner … ^C
        banner login ^C This is the LOGIN banner … ^C


                                                                                   P a g e | 21
                                                                 Baseline Audit for Cisco Routers
                                                                        6 May 2012, Version 6.0

LOGGING RULES
Logging (Part 1):
logging <{ on | enable }>
           • Logging is required. This command activates it. Different versions of the IOS may
               require “on” while others require “enable”
no logging monitor
           • The ‘no’ version of this command insures that logging messages are not sent to
               an alternate monitor connected to one of the terminal (vty) lines.
logging source-interface loopback0
           • To provide consistency in the generation of logging messages, a loopback
               interface’s ip address should be used as the source for all logging from a
               particular device.
           • This command causes the ip address of loopback0 to be included in messages.
logging [host] <ip_address_of_logging_host>
           • Sets the ip address of the logging server.
           • All generated syslog traffic is sent to this address.
           • Some versions of Cisco IOS require the [host] option.
           • Logging Part 2:
           • logging buffered <buffer_size> [level]
           • Sets aside an area in memory of size <buffer_size> (in bytes) for holding logging
               messages of severity <level> locally so that they can be viewed by a logged-in
               level 15 user.
           • The minimum recommended <buffer_size> is 16000
           • logging rate-limit console 3 except critical
           • Limits the number of messages which are displayed on the console to no more
               than 3 per second unless the message is critical (level 3) priority or higher.
           • The intent is to prevent logging messages from consuming an inordinate amount
               of processing time resulting in an unstable router.
           • logging console <level>
           • Causes logging messages of severity level <level> to be sent to the console.
           • Recommended level is “critical” (2)
           • Levels are discussed on the next slide.
           • Logging Part 3:
           •
           • logging trap <level>
           • The logging trap command indicates what level snmp trap will generate a logging
               message.
           • logging alarm <level>
           • Sets the severity level of alarms to be logged.
           • This is different from logging trap which deals only with snmp levels.
           • Levels are numbered from 0 to 7 and are named emergencies(0), alerts(1),
               critical(2), errors(3), warnings(4), notifications(5), informational(6), and
               debugging(7).



                                                                                    P a g e | 22
                                                                       Baseline Audit for Cisco Routers
                                                                              6 May 2012, Version 6.0

           •   Setting a specific level will cause the inclusion of that level and all levels of higher
               severity (lower number).
           •   What level is configured is a matter of loca policy.
           •   Finding it in the configuration:
           •   Logging Part 3:
           •
           •   Finding it in the configuration:
           •   show running-config | include logging
           •          logging buffered 24000 informational
           •          logging rate-limit console 3 except critical
           •          logging console critical
           •          no logging monitor
           •          logging alarm major
           •          logging trap debugging
           •          logging source-interface Loopback0
           •          logging 10.1.45.3
           •   A very extensive and detailed logging report is available by executing
               show logging
CONFIGURATION FILE MANAGEMENT
Archive:
(config)# archive
            • The archiving of configuration files allows for the replacement and restoration of
               configurations. Without a repository for configuration files, there would be no
               way to restore a router to a previous, working, state.
(config-archive)# log config
            • enters logging configuration sub-mode.
(config-archive-log-cfg)# logging enable
            • Causes logging messages to be generated for any configuration change executed
               from EXEC mode.
(config-archive-log-cfg)# logging size <#>
            • Sets the maximum number of messages (1000 or less) retained in the log.
(config-archive-log-cfg)# notify syslog contenttype plaintext
            • Causes configuration change messages to be sent to a remote syslog server in
               addition to being sent to the logging buffer
(config-archive-log-cfg)# hidekeys
            • Do not include (hide) any keys or passwords in the log entries.
            • (config-archive)# path disk0:<filename>
            • Sets the path and location of the logging files. As new files are created, a
               sequential number is added to the end of the file name entered here.
            • (config-archive)# write-memory
            • Automatically create a backup any time the write memory command is issued.
            • (config-archive)# time-period <sec>
            • Sets the time period (seconds) to automatically save the current configuration.
            • Finding it in the configuration:


                                                                                           P a g e | 23
                                                                 Baseline Audit for Cisco Routers
                                                                        6 May 2012, Version 6.0

          •   show running-config | section archive
          •           archive
          •             logging enable
          •             logging size 150
          •             notify syslog conetnttype plaintext
          •             hidekeys
          •           path disk0:backup-netman
          •           write-memory
          •   Exclusive Configuration Access:
          •   configuration mode exclusive auto expire <sec>
          •   When a user with privilege level 15 access enters confuration terminal mode, the
              config file is locked, preventing others accessing it at the same time.
          •   The lock will expire after <sec> seconds of inactivity.
          •   Finding it in the configuration:
          •   show running-config | configuration mode
          •           configuration mode exclusive auto expire <sec>
          •   Software Resilience:
          •   secure boot-config
          •   Makes a backup of the configuration file and stores it in persistent memory.
          •   secure boot-image
          •   Moves the IOS image file to persistent memory.
          •   Finding it in the configuration:
          •   Neither of these commands are stored in the configuration file.
SNMP RULES
Simple Network Management Protocol:
                • SNMP is a very powerful network management protocol.
                • SNMP should be disabled unless it is absolutely required or mandated.
                • Whether or not to use it is a matter of local policy.
                • If the service provider is mandating the use of SNMP, it must be Version
                   3.
                • The following SNMP commands represent the basic configuration
                   requirements for using the protocol.
                • You should be provided with any additional configuration information
                   you need by the service provider.
                • snmp-server community <READONLY_STRING> ro <acl>
                • Sets <READONLY_STRING> as the password for read-only (ro) access to
                   the Management Information Base (MIB).
                • <acl> is an access list name or number containing ip addresses of hosts
                   on the network which are allowed to use this community string to access
                   the MIB. It is required.
                • Finding it in the configuration:
                • show running-config | snmp-server community
                •         snmp-server community ReadOnly RO ALLOWED_RO_SNMP
                • snmp-server community <READWRITE_STRING> rw <acl>


                                                                                    P a g e | 24
                                                  Baseline Audit for Cisco Routers
                                                         6 May 2012, Version 6.0

•   Sets <READWRITE_STRING> as the password for read-write (rw) access to
    the Management Information Base (MIB).
•   <acl> is an access list name or number containing ip addresses of hosts
    on the network which are allowed to use this community string to access
    the MIB.
•   Normally, a readwrite community string is not in the configuration.
•   Whether or not this community string is set is a matter of policy.
•   Finding it in the configuration:
•   show running-config | snmp-server community
•           snmp-server community ReadOnly RW ALLOWED_RW_SNMP
•   snmp-server enable traps <trap_type>
•   trap_type can be a combination of things – which ones are included is a
    matter of local policy
•   example: snmp-server enable traps snmp linkup linkdown coldstart
    warmstart authentication
•   Traps are not allowed unless a server is also configured to receive them
    (next slide).
•
•   Finding it in the configuration:
•   show running-config | snmp-server enable traps
•           snmp-server enable traps snmp authentication linkdown linkup
    coldstart warmstart
•           snmp-server enable traps vrrp
•           snmp-server enable traps ds1
•           ………
•           snmp-server enable traps voice
•           snmp-server enable traps dnis
•   snmp-server host <host_ip | host_name> <options>
•   snmp-server host http://{host_ip | host_name} [:<port][/<url>] <options>
•   Identifies the snmp server.
•   Inclusion of additional options is a matter of local policy as well as other
    configuration items located elsewhere in the configuration file.
•
•   Finding it in the configuration:
•   show running-config | include snmp-server host
•          snmp-server host 10.1.55.32 version 3 priv SNMP_USER
•   snmp-server group <GROUP_NAME> v3 priv
•   If snmp is to be used, it should be version 3.
•   To ensure that traffic is protected in transit, version 3 groups should be
    configured with the “priv” option indicating that traffic be encrypted.
•
•   Finding it in the configuration:
•   show running-config | include snmp-server group
•          snmp-server group v3Group2 v3 priv


                                                                     P a g e | 25
                                                                  Baseline Audit for Cisco Routers
                                                                         6 May 2012, Version 6.0

                  •   snmp-server user <NAME> <GROUP_NAME> v3
                         auth sha <authentication_password>
                         priv aes <aes_size> <private_password>
                         <acl_name_or_number>
                  •   Minimum recommended aes_size is 128
                  •   This command, in conjunction with the snmp-server group command,
                      provides this USER with privacy encryption.
                  •   Finding it in the configuration:
                  •   show running-config | include snmp-server user
                  •          snmp-server user SNMP_USER v3Group2 v3
TIME
Timestamps:
service timestamps < debug | log > < datetime | uptime > [show-timezone] [localtime] [msec]
[year]
             • Configures timestamps for either debug or log messages
             • Use either the real date & time <datetime> or time since the router was last
                restarted/reloaded <uptime> in seconds
             • Optionally add time zone information <show-timezone>
             • Use local time <localtime>
             • Include the current <year>
             • Include millisecond timing in each message <msec>
Finding it in the configuration:
show running-config | include service timestamps
Look for BOTH debug and log commands:
        service timestamps debug …
        service timestamps log …

Configuring Time (System Clock):
clock timezone GMT < [ + | - ] hours>
             • Sets the onboard clock to the correct timezone based on Greenwich Mean Time
                (GMT) plus or minus a fixed number of hours.
Finding it in the configuration:
show running-config | include clock timezone
        clock timezone GMT 5
clock summer-time zone recurring
       [week day month hh:mm]
       [week day month hh:mm]
             • Sets the absolute start and stop time for summer time in your time zone.
             • There are other formats for this command; however, it is only the summer-time
                configuration you’re concerned with. If the command is set, that’s good enough.
Finding it in the configuration:
show running-config | include clock summer-time
        clock summer-time zone … … …
Network Timing Protocol (NTP):


                                                                                     P a g e | 26
                                                                 Baseline Audit for Cisco Routers
                                                                        6 May 2012, Version 6.0

ntp authenticate
             • Activates the ntp authentication procedure.
             • Note that it is the server being authenticated, not the router.
Finding it in the configuration:
show running-config | include ntp authenticate
       ntp authenticate
ntp authentication-key <id#> md5 <key>
    • establishes the key to use for authenticating the ntp server
    • The key is hashed using the MD5 (128-bit) hashing algorithm (currently the only option
       on a Cisco router).
Finding it in the configuration:
show running-config | include ntp authentication
       ntp authentication

ntp trusted-key <id#>
    • Sets the key identified with id# as a trusted key, meaning that any external ntp server
       that uses this key can be used to synchronize the router’s time.
    • The previous command establishes the key and the cryptotype (md5) and this command
       designates it as trusted.
Finding it in the configuration:
show running-config | include ntp trusted
       ntp trusted-key 1
ntp access-group [peer | query-only | serve | serve-only] [acl# | aclNAME]
    • This access group should be configured.
    • The four options peer, query-only, etc. are a matter of local policy.
Finding it in the configuration:
show running-config | include ntp access
       ntp access-group query-only 14
show running-config | include access-list 14
       Standard IP access list 14
             10 permit 10.10.20.3
ntp update-calendar
    • causes the hardware clock on the router to be synchronized with the external time
       source
Finding it in the configuration:
show running-config | include ntp update
       ntp update-calendar
ntp server < ip_address | name > [key <#> | prefer | source <int> | ver <#>]
    • Sets the ip address of the external time server.
    • There should be two ntp servers defined.
    • The key keyword is followed by the key number to be used when authenticating this
       server
    • prefer means that this server is prefered over any others



                                                                                    P a g e | 27
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

   •   The source keyword is followed by an interface name. It will cause ntp to use the ip
       address of the designated interface for interactions with this specific server. It takes
       precedence over the global ntp source <int> command.
    • version is followed by either 1, 2, or 3, depending on which version of ntp this server
       uses
Finding it in the configuration:
show running-config | include ntp server
       ntp server 216.119.69.113 key 1 prefer source Loopback0 ver 3
ntp source <int>
    • NTP will use the ip address assigned to the interface <int> in all messages sent to all
       destinations
Finding it in the configuration:
show running-config | include ntp source
       ntp source Loopback0
INTERFACES
Auxillary Line (aux):
line aux 0
  no exec
  transport input none
     • no exec disables all incoming connections
     • transport input none prevents a protocol selection
     • The auxillary port should be completely disabled unless in use.
Finding it in the configuration:
show running-config | section line aux
Look For:
        no exec
        transport input none
Console Line (con0):
login authentication < default | aaa_list >
     • Forces aaa authentication
exec-timeout <min> [<sec>]
     • Sets an inactivity timeout for the console.
     • Unlike the vty lines (next slide), which are accessible from across the network, the
        console port is accessible only through physical access. Because of this, configured
        security for it is considerably less than for the vty lines.
Finding it in the configuration:
show running-config | section line con
Look For:
        login authentication …
        exec-timeout
Virtual Terminal Lines (vty):
login authentication < default | aaa_list >
     • Forces aaa authentication
exec-timeout <min> [<sec>]


                                                                                        P a g e | 28
                                                                     Baseline Audit for Cisco Routers
                                                                            6 May 2012, Version 6.0

    • Sets an inactivity timeout for the console.
transport input ssh
    • SSH must be used to connect to the line.
access-class <acl_VTY_ACCESS> in
    • An access-control list containing authorized ip addresses
Finding it in the configuration:
show running-config | section line vty
Interface Configuration Commands:
ip access-group <acl_INGRESS> in
             • Applies an in-bound access list to this interface.
ip access-group <acl_EGRESS> out
             • Applies an out-bound access list to this interface.
no ip directed-broadcast
             • This is the default in modern Cisco IOS and does not appear in the config file.
             • In legacy IOS, this command shoud be included on every interface.
no cdp enable
             • Even though already globally disabled (no cdp run), disabling cdp on each
                individual interface is a good idea.
             • no ip mroute-cache
             • IP mroute caching configures fast-switching of multicast traffic.
             • Unless specifically required, it should be disabled with the ‘no’ version of the
                command.
             • mroute caching is not available in all version of Cisco IOS.
             • ip verify unicast reverse-path
             • Causes the router to examine every packet received on the interface to make
                sure that the source address appears in the routing table and matches the
                interface on which the packet was received. This capability relies on the
                Forwarding Information Base (FIB) created by the CEF command.
             • no ip redirects
             • An ICMP message used to inform the sending device that a better route exists
                than the one used. A hacker could use this capability to cause a host to redirect
                its traffic to the hacker rather than the proper gateway.
             • no ip unreachables
             • no ip unreachables – Also an ICMP message, this is usually disabled to prevent its
                being used in a denial of service (DOS) attack. The router could be flooded with
                improperly crafted packets, causing it to send an unreachable response to each.
                This could prevent the router from routing legitimate traffic.
             •
             • no ip proxy-arp
             • no ip proxy-arp – Normally, a Cisco router can “stand-in” for a host connected to
                it by using Proxy ARP wherein the router responds to arp requests as if it were
                actually the host. This is done in the interest of speed as well as ease of
                configuration on the host. It is disabled to prevent a host from identifying itself
                as another host, thus causing the router to forward another hosts’s traffic to it.


                                                                                        P a g e | 29
                                                       Baseline Audit for Cisco Routers
                                                              6 May 2012, Version 6.0

•   Finding it in the configuration:
•   show running-config | section interface fastethernet0/1
•   show running-config | section interface serial1/1




                                                                          P a g e | 30

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:8
posted:9/6/2012
language:English
pages:30