using BOOTP to generate DoS attacks.
- HTTP: Disabling this service prevents attackers from accessing the HTTP router administrative access interface.
- Identification: Disabling this service prevents attackers from querying TCP ports for identification.
- NTP: Disabling this service prevents attackers from corrupting router time bases.
- Source routing: Disabling this service prevents attackers from using source routing for malicious purposes.
- Gratuitous ARPs: Disabling gratuitous ARPs prevents the router from broadcasting the IP address of the router interfaces.
Essentially, AutoSecure disables the most common attack vectors by shutting down the attacks’ associated global router services. The global services listed are high-risk attack vectors. AutoSecure enables the following router global services:
- Service password encryption: Automatically encrypts all passwords in the router configuration
- TCP keepalives in and out: Allows the router to quickly clean up idle TCP sessions
AutoSecure Step 3: Creating Security Banner
Next, AutoSecure prompts you to create a banner that appears every time someone accesses the router. Figure shows the default banner. Creating a banner here is the same as using the banner command in global configuration mode.
AutoSecure Step 4: Passwords and AAA
Next, AutoSecure proceeds to the configuration of login functionality. AutoSecure prompts you to configure the following as shown in Figure :
- Enable secret: AutoSecure checks to see if the router’s enable secret password is the same as the enable password or if this password is not configured at all. If either is true, you are prompted to enter a new enable secret password.
- AAA local authentication: AutoSecure checks to see if AAA local authentication is enabled and if a local user account exists. If neither is true, you are prompted to enter a new username and password. Then, AAA local authentication is enabled. AutoSecure also configures the router console, aux, and vty lines for local authentication, EXEC timeouts, and transport.
When securing the device against login attacks, you specify the following:
- Duration of time in which login attempts are denied (also known as a quiet period, specified in seconds)
- Maximum number of failed login attempts that triggers the quiet period
- Duration of time in which the allowed number of failed login attempts must be made before the blocking period is triggered
AutoSecure Step 5: SSH and Interface-Specific Services
Next, AutoSecure proceeds to the SSH functionality and to interface-specific options as shown in Figure . AutoSecure asks whether you want to configure the SSH server. If you answer “yes,” AutoSecure automatically configures the SSH timeout to 60 seconds and the number of SSH authentication retries to two:
- Hostname: If you configured a hostname for this router prior to starting the AutoSecure procedure, AutoSecure does not prompt you to enter one here. However, if the router is currently using the factory default hostname of Router, AutoSecure does prompt you to enter a unique hostname as shown in the figure. The hostname is important because SSH requires a unique hostname for key generation.
- Domain name: AutoSecure prompts you for the domain that this router belongs to. Like the hostname parameter, a domain name is important for SSH key generation.
During this step, AutoSecure automatically disables the following services on all router interfaces:
- IP redirects
- IP proxy ARP
- IP unreachables
- IP directed-broadcast
- IP mask replies
AutoSecure also disables MOP on Ethernet interfaces.
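The global services of Step 2, the login-attack settings of Step 4 and the per-interface services of Step 5 can be verified after the fact against a saved running-config. The audit script below is an added example, not part of the course material or of AutoSecure itself; the sample configuration is constructed (a subset of the settings discussed, with the login block-for values chosen for illustration and one expected line deliberately omitted), and the IOS command spellings are the standard ones for these services.

```python
import re
# Constructed excerpt of a post-AutoSecure running-config (not real device output);
# the login block-for values are illustrative and "no ip identd" is left out on purpose.
SAMPLE_CONFIG = """\
service password-encryption
no ip bootp server
no ip http server
no ip source-route
login block-for 60 attempts 3 within 30
ip cef
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0/0
 no ip redirects
"""
# Global lines AutoSecure leaves behind, and the per-interface services it disables.
EXPECTED_GLOBAL = {"service password-encryption", "no ip bootp server", "no ip http server",
                   "no ip identd", "no ip source-route", "ip cef"}
EXPECTED_IFACE = {"no ip redirects", "no ip proxy-arp", "no ip unreachables",
                  "no ip directed-broadcast", "no ip mask-reply"}

def audit(text):
    """Return (missing global lines, {interface: missing lines}, login block-for tuple)."""
    glob, ifaces, cur = set(), {}, None
    for line in text.splitlines():           # IOS indents interface sub-commands
        if line.startswith("interface "):
            cur = line.split(" ", 1)[1]
            ifaces[cur] = set()
        elif line.startswith(" ") and cur:
            ifaces[cur].add(line.strip())
        else:
            cur = None
            glob.add(line.strip())
    gaps = {}
    for name, lines in ifaces.items():       # MOP applies only to Ethernet-type interfaces
        want = EXPECTED_IFACE | ({"no mop enabled"} if "ethernet" in name.lower() else set())
        if want - lines:
            gaps[name] = sorted(want - lines)
    login = None  # (quiet period in s, failed attempts, window in s), as in Step 4
    for line in glob:
        m = re.match(r"login block-for (\d+) attempts (\d+) within (\d+)$", line)
        if m:
            login = tuple(int(x) for x in m.groups())
    return sorted(EXPECTED_GLOBAL - glob), gaps, login
```

Run against the sample, the audit reports the omitted identification service, the four services still enabled on the serial interface, and the 60-second quiet period after 3 failures within 30 seconds.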
AutoSecure Step 6: Forwarding Plane, Verification, and Deployment
Next, AutoSecure secures the router forwarding plane as shown in Figure . AutoSecure secures the router forwarding plane by completing the following:
- Enables Cisco Express Forwarding (CEF): AutoSecure enables CEF (or distributed CEF) if the router platform supports this type of caching. Routers configured for CEF perform better under SYN flood attacks (directed at hosts, not the routers themselves) than routers configured using a standard cache.
- Enables Unicast Reverse Path Forwarding (RPF) (only if the router supports this feature): AutoSecure automatically configures strict Unicast RPF on all interfaces that are connected to the Internet. This configuration helps drop any source-spoofed packets.
Note
Unicast RPF is an antispoof feature that scans the routing table information to detect and possibly block spoofed IP packets. When an incoming packet arrives on an interface, the router checks the routing entry for the source IP address of the packet. If the route points to the same interface, the packet is accepted. If the packet arrived on a different interface, the packet may have been spoofed and the router drops the packet.
- Configures the Context-Based Access Control (CBAC) Firewall feature: AutoSecure asks if you want to enable generic CBAC inspection rules on all interfaces connected to the Internet. If you answer “yes,” a set of generic inspection rules is assigned to Internet-facing router interfaces.
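The RPF decision the note describes, as an added example that is not part of the course material: a small simulation over a constructed routing table. It goes beyond the page in two ways that matter in practice: it also models loose mode, and it models the allow-default keyword of the IOS strict check, without which an Internet-facing interface that holds only a default route would drop every packet from the Internet.

```python
import ipaddress

# Constructed routing table as (prefix, egress interface); not from any real device.
# GigabitEthernet0/0 faces the Internet and carries only the default route.
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("192.168.10.0/24", "GigabitEthernet0/1"),  # internal LAN
    ("10.1.0.0/16", "Serial0/0/0"),             # WAN link to a branch office
]

def rpf_route(table, src_ip, allow_default=False):
    """Longest-prefix match on the packet's SOURCE address; (network, iface) or None.

    The default route is skipped unless allow_default is set, mirroring the
    allow-default keyword of 'ip verify unicast source reachable-via rx'."""
    src, best = ipaddress.ip_address(src_ip), None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(table, src_ip, ingress, mode="strict", allow_default=False):
    """True if the packet is forwarded, False if it is dropped as a spoofed source.

    strict: the route back to the source must leave via the ingress interface
            (the check described in the note above).
    loose:  any route back to the source is enough; it tolerates asymmetric
            routing but only catches sources with no route at all."""
    best = rpf_route(table, src_ip, allow_default)
    if best is None:
        return False  # no route back to the source: dropped in both modes
    return mode == "loose" or best[1] == ingress

# Constructed packets as (source address, ingress interface).
SAMPLE_PACKETS = [
    ("192.168.10.5", "GigabitEthernet0/1"),  # internal host on its own interface
    ("192.168.10.5", "GigabitEthernet0/0"),  # internal address arriving from the Internet
    ("10.1.2.3", "GigabitEthernet0/1"),      # branch address arriving on the LAN
    ("203.0.113.9", "GigabitEthernet0/0"),   # ordinary Internet source
]

def verdicts(packets, mode="strict", allow_default=False):
    """Label each packet 'forward' or 'drop' under the chosen uRPF settings."""
    return [(src, ifc, "forward" if urpf_check(ROUTES, src, ifc, mode, allow_default) else "drop")
            for src, ifc in packets]
```

With strict mode and no allow-default, only the first sample packet is forwarded; adding allow-default lets the ordinary Internet source through while the two spoofed-looking packets are still dropped.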
5.4.5 Display AutoSecure Configuration
Finally, AutoSecure displays the changes that will be applied to the router running configuration. If you now wish to apply these changes, answer “Yes” to the “Apply this configuration to running-config?” question. The series of nine Figures shows examples of how this portion of the AutoSecure dialogue appears.
- Starting at Figure , this is the configuration generated.
- In this example, AutoSecure disables several router global services considered to be possible attack vectors, and enables other global services that help protect the router and the network.
- Next, AutoSecure creates a banner to be displayed upon any access to the router. This banner message contains the text you provided during the AutoSecure script.
- Here AutoSecure sets a minimum password length of 6 characters. You are not prompted to do this in the AutoSecure script. This is performed automatically by AutoSecure.
- AutoSecure configures an authentication failure rate of ten. This rate allows a user ten failed login attempts before the router sends an authentication failure event to the logger (router log or syslog server). You are not prompted to specify this rate in the AutoSecure script. This is performed automatically by AutoSecure.
- Figure shows the next portion of the AutoSecure dialogue:
- AutoSecure configures the enable secret and enable password that you specified during the AutoSecure script. Enable secret uses an MD-5 hashing mechanism (denoted by the number “5”). Enable password uses a weak encryption method denoted by the number “7.”
- AutoSecure enables local AAA authentication.
- AutoSecure configures console line 0, auxiliary line 0, and vty lines 0 through 4 for local authentication, an EXEC session timeout, and outgoing Telnet connections.
- AutoSecure configures login security.
- Figure continues to illustrate the AutoSecure generated configuration:
- AutoSecure configures the hostname and domain name. These values are mandatory for the subsequent key generation, which enables SSH access to the router. SSH optional settings are configured. AutoSecure configures vty lines 0 through 4 to support both SSH and Telnet incoming connections.
- Note that Telnet was previously configured for the vty lines. This step adds SSH to the list of possible incoming connection types.
- AutoSecure configures logging parameters.
- Then, Figure shows the per-interface services the