globally to manage TCP connections and prevent certain DoS attacks.

Gratuitous and proxy Address Resolution Protocol (ARP):
- Gratuitous ARP: This service is enabled by default. Gratuitous ARP is the main mechanism that hackers use in ARP poisoning attacks. You should disable gratuitous ARPs on each router interface unless this service is otherwise needed.
- Proxy ARP: This service is enabled by default. This feature configures the router to act as a proxy for Layer 2 address resolution. This service should be disabled unless the router is being used as a LAN bridge.

IP directed broadcast: This service is enabled in Cisco IOS software releases prior to Cisco IOS Release 12.0 and disabled in Cisco IOS Release 12.0 and later. IP directed broadcasts are used in the common and popular smurf DoS attack and other related attacks. Disable this service when not required.
Router Hardening Considerations

Leaving unused network services running increases the possibility of malicious exploitation of those services. Turning off or restricting access to these services greatly improves network security. While you are not required to explain why many of these services pose the vulnerabilities that they do, you do need to know how and when the services need to be disabled. The manual process of disabling the services individually is lengthy and error prone because you may overlook some unneeded services that should be disabled. As a result, the manual disabling of services may leave the router vulnerable. Figure lists considerations for hardening routers. AutoSecure, described in the next topic, helps you to secure your Cisco router.
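Because a running-config never shows default settings, the error the text warns about (overlooking a service that is still on) is easy to make when reviewing a configuration by eye. The following added example, written here in Python and not part of the course material or any Cisco tool, audits a constructed show running-config sample for the services discussed on this page (gratuitous ARP, proxy ARP, directed broadcast, and the management-plane services finger, PAD, small servers, CDP and BOOTP). The command names are the standard IOS commands for these services; gratuitous ARP is checked in its global ip gratuitous-arps form. A default-on service counts as still enabled unless its no form is present, while directed broadcast (off by default in 12.0 and later) is reported only when it is explicitly configured on an interface.

```python
"""Audit a Cisco IOS running-config for services this section says to disable.

Added example, not course or Cisco code. SAMPLE_CONFIG is a constructed
router configuration. IOS omits default settings from 'show running-config',
so a default-on service is only proven disabled when its 'no ...' line exists.
"""
import re

SAMPLE_CONFIG = """\
!
hostname edge-rtr
!
no service pad
no service tcp-small-servers
no ip bootp server
!
interface GigabitEthernet0/0
 description outside
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface GigabitEthernet0/1
 description inside
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
!
end
"""

# Global services that are enabled unless the 'no' form is configured.
GLOBAL_DEFAULT_ON = {
    "ip gratuitous-arps": "gratuitous ARP (ARP poisoning)",
    "ip finger": "finger",
    "service pad": "X.25 PAD",
    "service tcp-small-servers": "TCP small servers (DoS)",
    "service udp-small-servers": "UDP small servers (DoS)",
    "cdp run": "CDP",
    "ip bootp server": "BOOTP",
}
# Per-interface services that are enabled unless the 'no' form is configured.
IFACE_DEFAULT_ON = {"ip proxy-arp": "proxy ARP"}
# Per-interface services that are off by default (IOS 12.0 and later) and are
# a finding only when explicitly present.
IFACE_DEFAULT_OFF = {"ip directed-broadcast": "IP directed broadcast (smurf)"}


def parse_config(text):
    """Split a running-config into a set of global lines and a per-interface
    dictionary of line sets. A '!' line or an unindented line ends a section."""
    global_lines, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
        elif line.startswith(" ") and current:
            interfaces[current].add(line.strip())
        else:
            current = None
            global_lines.add(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a sorted list of (scope, service) pairs that still need hardening."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd, name in GLOBAL_DEFAULT_ON.items():
        if "no " + cmd not in global_lines:
            findings.append(("global", name))
    for ifname, lines in interfaces.items():
        for cmd, name in IFACE_DEFAULT_ON.items():
            if "no " + cmd not in lines:
                findings.append((ifname, name))
        for cmd, name in IFACE_DEFAULT_OFF.items():
            if cmd in lines:
                findings.append((ifname, name))
    return sorted(findings)


if __name__ == "__main__":
    for scope, name in audit(SAMPLE_CONFIG):
        print(f"{scope:20} {name} still enabled")
```

Run against the sample, the audit reports four global services (gratuitous ARP, finger, UDP small servers, CDP) and, on GigabitEthernet0/0, proxy ARP and directed broadcast; GigabitEthernet0/1 is clean because no ip proxy-arp is present. The default-on versus default-off distinction is the point: a checker that only greps for the service name would miss every default-on service that has no line at all.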
Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces
5.4.2 Locking Down Routers with AutoSecure

The AutoSecure feature was released in Cisco IOS Release 12.3 and later. AutoSecure is a single privileged EXEC program that allows you to eliminate many potential security threats quickly and easily. AutoSecure helps to make you more efficient at securing Cisco routers. Figure lists functions that AutoSecure can do.

AutoSecure Operation Modes

AutoSecure allows two modes of operation, as shown in Figure:
- Interactive mode: Prompts you to choose the way you want to configure router services and other security-related features
- Noninteractive mode: Configures security-related features on your router based on a set of Cisco defaults

Interactive mode provides greater control over the router security-related features than noninteractive mode does. However, when you want to quickly secure a router without much human intervention, noninteractive mode becomes the better choice. You can enable noninteractive portions of the dialogue by selecting the optional no-interact keyword.

AutoSecure Functions

AutoSecure allows you to choose which router components to secure. You may want to secure the entire router functionality or select individual planes or functions. The selectable components are the management plane, forwarding plane, firewall, login, NTP, and SSH. Figure lists key AutoSecure functions.

The management plane includes management services, such as finger, PAD, UDP and TCP small servers, password encryption, TCP keepalives, CDP, BOOTP, HTTP, source routing, gratuitous ARP, proxy ARP, ICMP (redirects, mask-replies), directed broadcast, MOP, and banner. This plane also includes login functions, such as password security and failed login attempt actions, and SSH access. The forwarding plane hardening consists of enabling Cisco Express Forwarding (CEF) and configuring ACLs for traffic filtering. The firewall component allows you to activate the Cisco IOS Firewall inspection for common protocols and applications. Login functions include password configuration and setting options for failed login attempts. NTP functionality sets up authenticated NTP connectivity. The SSH feature configures a hostname and a domain-name (if not configured already) and enables SSH access to the protected router. The TCP Intercept function enables the TCP intercept feature with default settings.

Note: The full, ntp, login, ssh, firewall, and tcp-intercept keywords were added in Cisco IOS Release 12.3(4)T. When using the full option, the user is prompted for all interactive questions.
AutoSecure Failure Rollback Feature

When AutoSecure fails to complete the security operation, your running configuration may be harmed. AutoSecure has a rollback feature, as shown in Figure. You should consider these items to avoid a configuration loss:
- Cisco IOS Release 12.3(8)T introduced support for rollback of the AutoSecure configuration. Rollback enables a router to revert back to the router's pre-AutoSecure configuration state if the AutoSecure configuration fails. Additionally, a pre-AutoSecure snapshot is saved in the router flash memory as pre_autosec.cfg before AutoSecure applies the configuration to the router. The administrator can use this saved snapshot to recover initial router settings.
- To replace the current running configuration with the configuration file that has been saved by AutoSecure, use the configure replace command in privileged EXEC mode.
- Prior to Cisco IOS Release 12.3(8)T, rollback of the AutoSecure configuration was unavailable. Therefore, you had to save the running configuration before configuring AutoSecure.
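The rollback items above describe a snapshot-then-restore pattern: take a copy of the running configuration before the hardening run, and if the run does not complete, replace the running configuration with that copy rather than undoing commands by hand. The following added example models that pattern in Python; it is not Cisco code and not the course's own material. The configuration is a constructed set of global lines, the hardening run is a constructed command list, and the domain name is a placeholder. The model simplifies IOS semantics: applying "no X" removes an explicit "X" line or, when none exists, records "no X" for a default-on service, and a restore is computed as the delta between the damaged running config and the snapshot, which is conceptually what configure replace does on a real router rather than the line-by-line overwrite that a plain copy would perform.

```python
"""Snapshot-and-rollback model of the AutoSecure pre_autosec.cfg mechanism.

Added example, not Cisco code. Configs are sets of global config lines
(constructed), and the change model is a simplification of IOS behaviour.
"""

# Constructed pre-AutoSecure running configuration.
RUNNING = frozenset({
    "hostname edge-rtr",
    "ip http server",
    "service tcp-small-servers",
})

# Constructed hardening run; the last step stands in for the SSH/domain step.
HARDENING = [
    "no ip http server",
    "no service tcp-small-servers",
    "no cdp run",
    "no ip finger",
    "ip domain-name example.com",  # placeholder domain
]


def negate(cmd):
    """Return the IOS 'no' form of a command, or its positive form if negated."""
    return cmd[3:] if cmd.startswith("no ") else "no " + cmd


def apply_command(config, cmd):
    """Apply one config-mode command to a set of explicit config lines.

    'no X' removes an explicit 'X' line, or records 'no X' when X has no line
    (a default-on service being turned off). 'X' removes an explicit 'no X'
    line, or records 'X' when it has no line (a default-off feature turned on).
    """
    new = set(config)
    opposite = negate(cmd)
    if opposite in new:
        new.remove(opposite)
    else:
        new.add(cmd)
    return new


def replace_commands(running, snapshot):
    """Commands that turn 'running' back into 'snapshot' (a configure replace delta):
    negate every line only the damaged config has, then add every line it lost."""
    cmds = [negate(line) for line in sorted(set(running) - set(snapshot))]
    cmds += sorted(set(snapshot) - set(running))
    return cmds


def apply_with_rollback(running, commands, completed):
    """Snapshot, apply the hardening run, and restore the snapshot if the run
    did not complete. Returns (final_config, succeeded)."""
    snapshot = frozenset(running)          # the pre_autosec.cfg equivalent
    config = set(running)
    for cmd in commands:
        config = apply_command(config, cmd)
    if completed(config):
        return frozenset(config), True
    for cmd in replace_commands(config, snapshot):
        config = apply_command(config, cmd)
    return frozenset(config), False


def hardening_landed(config):
    """Completion check: the final step of the run must be present."""
    return "ip domain-name example.com" in config


if __name__ == "__main__":
    ok_cfg, ok = apply_with_rollback(RUNNING, HARDENING, hardening_landed)
    print("full run succeeded:", ok, sorted(ok_cfg))
    # A run that aborts before its last step is rolled back to the snapshot.
    rb_cfg, ok = apply_with_rollback(RUNNING, HARDENING[:-1], hardening_landed)
    print("aborted run succeeded:", ok, "restored:", rb_cfg == RUNNING)
```

The aborted run leaves the router with cdp and finger turned off but no domain name, so the completion check fails and the delta (cdp run, ip finger, ip http server, service tcp-small-servers) is applied to return to exactly the snapshot. On a router older than 12.3(8)T there is no snapshot unless the administrator saved one first, which is the third item in the list above.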
Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces
5.4.3 AutoSecure Process Overview

Initiate AutoSecure with the auto secure command in privileged EXEC mode. AutoSecure uses the syntax shown in Figure to provide a level of granularity. To secure all components and functions, select the full option. To avoid configuration prompts, select the no-interact keyword. AutoSecure configures all functions and services in the following order:
Step 1 Identify outside interfaces.
Step 2 Secure the management plane.
Step 3 Create a security banner.
Step 4 Configure passwords, authentication, authorization, and accounting (AAA), and SSH.
Step 5 Secure the interface settings.
Step 6 Secure the forwarding plane.
To limit the scope of hardening, use any of the parameters shown in Figure.
Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces
5.4.4 AutoSecure Processing

AutoSecure Step 1: Start and Interface Selection

The first questions that AutoSecure asks you relate directly to how the router connects to the Internet. If you do not specify any options, as in the example shown in Figure, AutoSecure starts in the interactive mode and proceeds to secure the full scope of services and functions. To start, AutoSecure needs to know the following:
- Is the router going to be connected to the Internet?
- How many interfaces are connected to the Internet?
- What are the names of the interfaces that are connected to the Internet?
AutoSecure Step 2: Securing Management Plane Services

Next, AutoSecure disables certain router global management services. Figure shows the screen that appears while AutoSecure disables the following services:
- Finger: Disabling this service keeps intruders from seeing who is logged in to the router and where users are logged in from.
- PAD: Disabling this service prevents intruders from accessing the X.25 PAD command set on the router.
- Small servers: Disabling the UDP and TCP small servers prevents attackers from using those services in DoS attacks.
- CDP: Disabling this service prevents attackers from exploiting any CDP security vulnerabilities. CDP is a Layer 2 mechanism that you use to obtain data about neighboring Cisco devices.
- BOOTP: Disabling this service prevents attackers from