As a network administrator or network engineer, when you install a new Cisco router in a data center and connect it to the network infrastructure of an enterprise organization, it is important to secure this network device. If a router is compromised by hackers, the consequences for the security of the whole network infrastructure can be severe.
This tutorial describes how to configure security hardening for a new Cisco router, both to secure the device itself and to increase the overall security of the network infrastructure in an enterprise data center.
In this document on how to configure security hardening on Cisco routers, it is assumed that:
a. You already have a Tacacs+ server up and running in your network infrastructure. If you don't, please refer to this link: Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
b. You already have a network monitoring server, such as Cacti or Nagios, up and running in your network infrastructure. If you don't, please refer to the following links.
3. Scenario Setup
The following picture shows the setup used in this tutorial. A computer is connected to the Cisco router's console port with a console cable. The Cisco router in the data center is connected to the network infrastructure via Ethernet connections. Two dedicated servers, one providing the Tacacs+ service for the AAA protocol and one running the network monitoring system using the SNMP protocol, are already installed and configured. The network administrator or network engineer is performing the security hardening on the Cisco router via the console interface, and his/her computer is also connected to the network infrastructure.
4. Configure Host Name
In an enterprise data center, there are many network devices, such as switches, routers, and firewalls, that are configured for the network infrastructure to function. Setting a host name on those network devices is really important for a manageable network infrastructure, because the host name lets us easily identify a device's location and its purpose/function/service.
# hostname DCRT-BDR01
5. Create Local User Admin Account
A local user admin account must be created, so that whenever we access the Cisco router, whether via SSH remote management or via the console interface, we must enter a correct username and password before we gain access to the router. This account is also used when the Tacacs+ server is not reachable from the Cisco router.
# username netadmin privilege 15 secret 1111
# enable secret 2222
# service password-encryption
# aaa new-model
# aaa authentication login default local-case
# aaa local authentication attempts max-fail 10
6. Configure Management IP
Since loopback interfaces are always up, it is recommended to use a loopback interface for SSH remote management access to the Cisco router. Physical interfaces can change state (up/down) and can become inaccessible.
# int lo0
  ip add 126.96.36.199 255.255.255.255
7. Configure SSH Options
SSH is a remote management protocol that the network administrator or network engineer uses to gain access to a Cisco router, because it provides an encrypted and secure remote management connection. Never use Telnet to access any network device, because a Telnet connection is in plaintext and your password can be captured easily. The following are some recommended SSH options to configure.
# ip domain-name techspacekh.com
# crypto key generate rsa modulus 2048
# ip ssh version 2
# ip ssh time-out 30
# ip ssh logging events
# ip ssh maxstartups 10
# ip ssh authentication-retries 5
8. Enable Secure Login Checking
Sometimes a malicious user may try to perform a dictionary attack on our password. It is best to temporarily block login requests to our Cisco router after a certain number of failed attempts occur within a specific time frame from a specific IP address.
# login block-for 300 attempts 5 within 120
# login delay 2
# login on-failure log
# login on-success log
9. Restrict and Secure Remote Management Access
Preventing unauthorized SSH remote management access to the Cisco router is a very important security configuration. An access control list (ACL) must be configured to restrict which IP addresses can access the Cisco router remotely via SSH. Only the IP addresses of the network administrator or network engineer team are allowed.
# ip access-list standard ACL-SSH
  permit 10.10.20.0 0.0.0.255 log
  deny any log
# line vty 0 4
  transport input ssh
  access-class ACL-SSH in
  exec-timeout 15
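The configuration above covers only `line vty 0 4`, while a router may expose further vty lines. The following check is an added example, not part of the original tutorial: it reads a saved running-config and reports every vty block that lacks the settings from this section. The sample configuration, including the `line vty 5 15` block, is constructed for illustration.

```python
import re

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 15 0
line vty 0 4
 access-class ACL-SSH in
 exec-timeout 15 0
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 transport input telnet ssh
!
"""

def line_blocks(config):
    """Map each 'line ...' header to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level line ends the block
    return blocks

def audit_vty(config):
    """Return {vty header: [issues]} for vty lines that miss the hardening above."""
    findings = {}
    for header, cmds in line_blocks(config).items():
        if not header.startswith("line vty"):
            continue
        issues = []
        transports = [c.split()[2:] for c in cmds if c.startswith("transport input")]
        if transports != [["ssh"]]:
            issues.append("transport input not explicitly limited to ssh")
        if not any(re.fullmatch(r"access-class \S+ in( vrf-also)?", c) for c in cmds):
            issues.append("no inbound access-class")
        # 'exec-timeout 0 0' disables the idle timeout; an absent line means the IOS default.
        if any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in cmds):
            issues.append("idle timeout disabled")
        if issues:
            findings[header] = issues
    return findings

if __name__ == "__main__":
    print(audit_vty(SAMPLE_CONFIG))
```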
10. Restrict Console Access
It is best to set an idle timeout for console sessions, so that the console interface is disconnected after a specific period of inactivity.
# line con 0
  exec-timeout 15
  no privilege level 15
11. Enable Logging
Logging is also important for security hardening on a Cisco router. To correlate and audit security events on a Cisco router more effectively, it is recommended to send logging information to a remote syslog server.
# logging buffered 16000 informational
# logging 10.10.10.5
# logging source-interface Loopback 0
# service timestamps debug datetime msec localtime show-timezone
# service timestamps log datetime msec localtime show-timezone
12. Enable Configuration Change Notification and Logging
It is advised to enable the Configuration Change Notification and Logging feature to log the configuration changes made to a Cisco router. After the feature has been enabled, we can use the command show archive log config all to view the configuration log.
# archive
  log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
# sh archive log config all
 idx   sess   user@line          Logged command
   1     1    console@console    |access-list 199 permit icmp host 10.10.10.10 host 188.8.131.52
   2     1    console@console    |crypto map NiStTeSt1 10 ipsec-manual
   3     1    console@console    |match address 199
   4     1    console@console    |set peer 184.108.40.206
   5     1    console@console    |exit
   6     1    console@console    |no access-list 199
   7     1    console@console    |no crypto map NiStTeSt1
   8     2    netadmin@console   |crypto key generate rsa modulus *****
   9     0    netadmin@vty0      |!exec: enable
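The configuration log is most useful when something reviews it for changes that undo the hardening. The following parser is an added example, not part of the original tutorial: it reads `show archive log config all` output and flags commands that remove or weaken a control configured in this tutorial. The pattern list is an assumption chosen for illustration.

```python
import re

# Rows 6, 8 and 9 are copied from the output above; rows 10-12 are constructed.
SAMPLE_OUTPUT = """\
 idx   sess   user@line          Logged command
   6     1    console@console    |no access-list 199
   8     2    netadmin@console   |crypto key generate rsa modulus *****
   9     0    netadmin@vty0      |!exec: enable
  10     3    netadmin@vty0      |no logging 10.10.10.5
  11     3    netadmin@vty0      |transport input telnet ssh
  12     3    netadmin@vty0      |no logging console
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)@(\S+)\s+\|(.*)$")

# Commands that undo a hardening step from this tutorial. 'no logging console' and
# 'no logging monitor' are excluded because the tutorial itself recommends them.
RISKY = [
    (r"no (ip )?access-list\b", "ACL removed"),
    (r"no access-class\b", "line ACL removed"),
    (r"no logging (?!console|monitor)", "logging destination or setting removed"),
    (r"no (aaa|archive|login block-for)\b", "AAA, archive or login protection removed"),
    (r"transport input (?!ssh$)", "non-SSH transport allowed"),
    (r"ip http (secure-)?server\b", "HTTP(S) server enabled"),
]

def parse_rows(output):
    """Parse 'show archive log config all' rows into dicts; the header is skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            idx, sess, user, tty, cmd = m.groups()
            rows.append({"idx": int(idx), "sess": int(sess), "user": user,
                         "line": tty, "command": cmd.strip()})
    return rows

def flag_risky(output):
    """Return (idx, user, command, reason) for each logged command that weakens the config."""
    hits = []
    for row in parse_rows(output):
        for pattern, reason in RISKY:
            if re.match(pattern, row["command"]):
                hits.append((row["idx"], row["user"], row["command"], reason))
                break
    return hits
```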
13. Disable Log to Console or Monitor Sessions
It is always advised to send logging information to the local log buffer, which can be viewed with the show logging command, rather than to send log messages to monitor and console sessions. The monitor and console sessions are interactive management sessions, and logging to them can elevate the CPU load of the Cisco router.
# no logging console
# no logging monitor
14. Enable NTP Server
NTP is very important for keeping accurate and uniform clock settings on a Cisco router, so that log data is recorded with the correct time and timezone. It helps tremendously in incident handling and in proper log monitoring and correlation.
# clock timezone PHN 7
# ntp server 192.168.0.18
15. Restrict and Secure SNMP Access
It is recommended to use a standard SNMP community string on every network device, made up of a combination of uppercase characters, lowercase characters, numbers, and special characters. Default strings, such as public or private, must be removed. SNMP must be configured with RO (read only) access rights and an applicable ACL. Only SNMP versions 2.0 and 3 are allowed.
The following is the SNMP version 2 configuration.
# ip access-list standard ACL-SNMP
  permit 10.10.10.6
  deny any log
# snmp-server community T@s9aMon RO ACL-SNMP
# snmp-server location DC
# snmp-server contact firstname.lastname@example.org
The following is the SNMP version 3 configuration.
# ip access-list standard ACL-SNMP
  permit 10.10.10.6
  deny any log
# snmp-server group SYSMON v3 priv access ACL-SNMP
# snmp-server user nms-v3 SYSMON v3 auth md5 33331111 priv aes 128 44442222
# snmp-server location DC
# snmp-server contact email@example.com
To verify, we can use the following snmpwalk commands from the network monitoring server. The community string, security level, and privacy protocol must match what is configured on the router.
# snmpwalk -v2c -c T@s9aMon 10.10.10.1
# snmpwalk -v3 -u nms-v3 -A 33331111 -l authPriv -a MD5 -x AES -X 44442222 10.100.1.36
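The SNMP version 2 rules stated in this section (no default strings, mixed character classes, read-only access, an applicable ACL) can be checked against a saved configuration. The following audit is an added example, not part of the original tutorial; the second and third community lines and the ACL name ACL-NMS are constructed for illustration.

```python
import re

# Constructed sample configuration; the first community line is the one from this page.
SAMPLE = """\
ip access-list standard ACL-SNMP
 permit 10.10.10.6
 deny   any log
snmp-server community T@s9aMon RO ACL-SNMP
snmp-server community public RO
snmp-server community Netmon2024 RW ACL-NMS
"""

COMMUNITY = re.compile(r"snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")

def defined_acls(config):
    """Names and numbers of the ACLs defined in the configuration."""
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    numbered = re.findall(r"^access-list (\d+) ", config, re.M)
    return set(named) | set(numbered)

def audit_snmp(config):
    """Return {line number: [issues]}; community strings are never echoed."""
    acls, findings = defined_acls(config), {}
    for n, line in enumerate(config.splitlines(), 1):
        m = COMMUNITY.match(line)
        if not m:
            continue
        string, access, acl = m.group(1), m.group(2) or "RO", m.group(3)
        issues = []
        if string.lower() in ("public", "private"):
            issues.append("default community string")
        if not all(re.search(c, string) for c in CLASSES):
            issues.append("string lacks a required character class")
        if access != "RO":
            issues.append("access is not read-only")
        if acl is None:
            issues.append("no ACL applied")
        elif acl not in acls:
            issues.append("ACL %s is not defined" % acl)
        if issues:
            findings[n] = issues
    return findings
```

Findings are keyed by line number so that the report itself does not leak the community strings.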
If you want to know more about how the SNMP protocol works with a network monitoring system, please refer to the links below.
16. Disable Unused Services
As a security hardening best practice, it is recommended to disable any unnecessary services: although they are frequently used for legitimate purposes, they can also be used to launch DoS and other attacks that are otherwise prevented by packet filtering.
# no ip http server
# no ip http secure-server
# no service dhcp
# no cdp run
# no lldp run
# no ip bootp server
# no ip domain-lookup
# no ip source-route
17. Enable Login Banner
Following the publication of the "Computer Misuse Act 1990", it is strongly recommended that computers display a banner message before allowing users to log in. The Act stipulates that an offense of unauthorized access can only be committed if the offender knew at the time that the access he intended to obtain was unauthorized. The "Regulation of Investigatory Powers Act 2000" also requires information to be given to users who access the computer. Login banners are the best way to achieve this.
# banner login #
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED!
You must have explicit permission to access or configure this system.
All activities performed on this system may be logged, and violations of this policy may result in disciplinary action, and may be reported to law enforcement.
Use of this system shall constitute consent to monitoring.
#
# banner motd #
AUTHORIZED ACCESS ONLY!
If you are not an authorized user, disconnect IMMEDIATELY!
All connections are monitored and recorded.
#
18. Enable Keepalives TCP Sessions
TCP keepalives must be enabled on inbound connections to the device and on outbound connections from the device. This ensures that the device on the remote end of the connection is still accessible and that half-open or orphaned connections are removed from the local Cisco router.
# service tcp-keepalives-in
# service tcp-keepalives-out
19. Enable Memory and CPU Threshold Notifications
It is advised to enable Memory and CPU Threshold Notification to generate a log message that indicates that free memory on a device has fallen below the configured threshold.
# memory free low-watermark processor 204800
# memory free low-watermark io 204800
# memory reserve critical 20480
# process cpu threshold type total rising 80 interval 60 falling 70 interval 60
# process cpu statistics limit entry-percentage 80 size 60
# memory reserve console 4096
# exception memory ignore overflow io
# exception memory ignore overflow processor
# exception crashinfo maximum files 32
20. Enable Secure Copy and IOS Software Resilient
A Cisco router also relies on SSH to support the Secure Copy Protocol (SCP), which provides an encrypted and secure connection for copying device configurations or software images.
It is a security best practice to securely store a copy of the software image and the device configuration that are currently used by a Cisco router.
# ip scp server enable
# copy scp://firstname.lastname@example.org/home/techspacekh/file.txt flash:
# configuration mode exclusive auto
# secure boot-image
# secure boot-config
21. Device Authentication, Authorization, and Accounting
Tacacs+ is a security protocol that provides AAA services: authentication, authorization, and accounting. It is used for centralized authentication to network devices instead of local user accounts. It can also provide centralized, specific authorization for a particular user to work with network devices. With accounting, it provides mandatory audit logs by logging all actions executed by privileged users.
To configure AAA (Authentication, Authorization, and Accounting) on a Cisco router, please refer to the following link.
You have now completed the security hardening of the newly installed Cisco router, and it should be ready for further services and configuration, such as routing protocols. If you have any questions or suggestions, you can always leave your comments below. I will try my best to review and reply to them.