using BOOTP to generate DoS attacks.

HTTP: Disabling this service prevents attackers from accessing the HTTP router administrative access interface.

Identification: Disabling this service prevents attackers from querying TCP ports for identification.

NTP: Disabling this service prevents attackers from corrupting router time bases.

Source routing: Disabling this service prevents attackers from using source routing for malicious purposes.

Gratuitous ARPs: Disabling gratuitous ARPs prevents the router from broadcasting the IP address of the router interfaces.

Essentially, AutoSecure disables the most common attack vectors by shutting down the attacks’ associated global router services. The global services listed are high-risk attack vectors. AutoSecure enables the following router global services:

• Service password encryption: Automatically encrypts all passwords in the router configuration
• TCP keepalives in and out: Allows the router to quickly clean up idle TCP sessions

AutoSecure Step 3: Creating Security Banner
Next, AutoSecure prompts you to create a banner that appears every time someone accesses the router. Figure shows the default banner. Creating a banner here is the same as using the banner command in global configuration mode. AutoSecure Step 4: Passwords and AAA
Next, AutoSecure proceeds to the configuration of login functionality. AutoSecure prompts you to configure the following as shown in Figure :

• Enable secret: AutoSecure checks to see if the router’s enable secret password is the same as the enable password or if this password is not configured at all. If either is true, you are prompted to enter a new enable secret password.
• AAA local authentication: AutoSecure checks to see if AAA local authentication is enabled and if a local user account exists. If neither is true, you are prompted to enter a new username and password. Then, AAA local authentication is enabled. AutoSecure also configures the router console, aux, and vty lines for local authentication, EXEC timeouts, and transport.

When securing the device against login attacks, you specify the following:

• Duration of time in which login attempts are denied (also known as a quiet period, specified in seconds)
• Maximum number of failed login attempts that triggers the quiet period
• Duration of time in which the allowed number of failed login attempts must be made before the blocking period is triggered

AutoSecure Step 5: SSH and Interface-Specific Services
Next, AutoSecure proceeds to the SSH functionality and to interface-specific options as shown in Figure . AutoSecure asks whether you want to configure the SSH server. If you answer “yes,” AutoSecure automatically configures the SSH timeout to 60 seconds and the number of SSH authentication retries to two:

• Hostname: If you configured a hostname for this router prior to starting the AutoSecure procedure, AutoSecure does not prompt you to enter one here. However, if the router is currently using the factory default hostname of Router, AutoSecure does prompt you to enter a unique hostname as shown in the figure. The hostname is important because SSH requires a unique hostname for key generation.
• Domain name: AutoSecure prompts you for the domain that this router belongs to. Like the hostname parameter, a domain name is important for SSH key generation.

During this step, AutoSecure automatically disables the following services on all router interfaces:

• IP redirects
• IP proxy ARP
• IP unreachables
• IP directed-broadcast
• IP mask replies and disables MOP on Ethernet interfaces

AutoSecure Step 6: Forwarding Plane, Verification, and Deployment
Next, AutoSecure secures the router forwarding plane as shown in Figure . AutoSecure secures the router forwarding plane by completing the following:

• Enables Cisco Express Forwarding (CEF): AutoSecure enables CEF (or distributed CEF) if the router platform supports this type of caching. Routers configured for CEF perform better under SYN flood attacks (directed at hosts, not the routers themselves) than routers configured using a standard cache.
• Enables Unicast Reverse Path Forwarding (RPF) (only if the router supports this feature): AutoSecure automatically configures strict Unicast RPF on all interfaces that are connected to the Internet. This configuration helps drop any source-spoofed packets.

Note
Unicast RPF is an antispoof feature that scans the routing table information to detect and possibly block spoofed IP packets. When an incoming packet arrives on an interface, the router checks the routing entry for the source IP address of the packet. If the route points to the same interface, the packet is accepted. If the packet arrived on a different interface, the packet may have been spoofed and is the router drops the packet.

• Configures the Context-Based Access Control (CBAC) Firewall feature: AutoSecure asks if you want to enable generic CBAC inspection rules on all interfaces connected to the Internet. If you answer “yes,” a set of generic inspection rules is assigned to Internet-facing router interfaces.

---

Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces 5.4.5 Display AutoSecure Configuration Finally, AutoSecure displays the changes that will be applied to the router running configuration. If you now wish to apply these changes, answer “Yes” to the “Apply this configuration to running-config?” question. The series of nine Figures to show examples of how this portion of the AutoSecure dialogue appears.

• Starting at Figure , this is the configuration generated.
  • In this example, AutoSecure disables several router global services considered to be possible attack vectors, and enables other global services that help protect the router and the network.
  • Next, AutoSecure creates a banner to be displayed upon any access to the router. This banner message contains the text you provided during the AutoSecure script.
  • Here AutoSecure sets a minimum password length of 6 characters. You are not prompted to do this in the AutoSecure script. This is performed automatically by AutoSecure.
  • AutoSecure configures an authentication failure rate of ten. This rate allows a user ten failed login attempts before the router sends an authentication failure event to the logger (router log or syslog server). You are not prompted to specify this rate in the AutoSecure script. This is performed automatically by AutoSecure.
• Figure shows the next portion of the AutoSecure dialogue:
  • AutoSecure configures the enable secret and enable password that you specified during the AutoSecure script. Enable secret uses an MD-5 hashing mechanism (denoted by the number “5”). Enable password uses a weak encryption method denoted by the number “7.”
  • AutoSecure enables local AAA authentication.
  • Configure console line 0, auxiliary line 0, and vty lines 0 through 4 for local authentication, an EXEC session timeout, and outgoing Telnet connections.
  • AutoSecure configures login security.
• Figure continues to illustrate the AutoSecure generated configuration:
  • AutoSecure configures the hostname and domain name. These values are mandatory for the subsequent key generation, which enables SSH access to the router. SSH optional settings are configured. AutoSecure configures vty lines 0 through 4 to support both SSH and Telnet incoming connections.
  • Note that Telnet was previously configured for the vty lines. This step adds SSH to the list of possible incoming connection types.
  • AutoSecure configures logging parameters.
• Then, Figure shows the per-interface services the