AutoSecure disables. Figure shows these steps:
- Next, AutoSecure proceeds with securing the forwarding plane. The first task is to enable CEF.
- AutoSecure applies the configured ACL in the inbound direction to the outside interface and enables unicast RPF on that interface.
- Next, the CBAC stateful firewall is turned on for common protocols and some CBAC settings are configured.
Figure shows the final steps:
- AutoSecure configures an ACL to apply to the outside interface in the outbound direction.
- The CBAC inspect list is applied to the outside interface in the outbound direction. The outbound ACL is applied to the outside interface in the inbound direction.
Content 5.4 Disabling Unused Cisco Router Network Services and Interfaces
5.4.6 Locking Down Routers with Cisco SDM
Cisco SDM is an intuitive, web-based device-management tool for Cisco IOS software-based routers. Cisco SDM simplifies router and security configuration through smart wizards that help you to quickly and easily deploy, configure, and monitor a Cisco router without requiring knowledge of the CLI. Cisco SDM simplifies firewall and Cisco IOS software configuration without requiring expertise about security or Cisco IOS software. Figure shows the SDM home page.
Cisco SDM contains a Security Audit wizard that performs a comprehensive router security audit. Cisco SDM uses security configurations recommended by the Cisco Technical Assistance Center (TAC) and the International Computer Security Association (ICSA) as the basis for comparisons and default settings. The Security Audit wizard assesses the vulnerability of the existing router and provides quick compliance with best-practice security policies. SDM can implement almost all of the configurations that AutoSecure offers with the One-Step Lockdown feature described in the following section.
SDM Security Audit Overview
The Cisco SDM Security Audit feature compares router configurations to a predefined checklist of best practices using ICSA and Cisco TAC recommendations. Figure shows a summary of audit actions. Examples of the audit include, but are not limited to, the following:
- Shuts down unneeded servers on the router (BOOTP, finger, TCP/UDP small servers)
- Shuts down unneeded services on the router (CDP, IP source-route, IP classless)
- Applies a firewall to the outside interfaces
- Disables SNMP or enables SNMP with hard-to-guess community strings
- Shuts down unused interfaces using the no ip proxy-arp command
- Forces passwords for the router console and vty lines
- Forces an enable secret password
- Enforces the use of ACLs
SDM Security Audit Options
The Security Audit wizard contains two options:
- Security Audit: Examines the router configuration and then displays the Report Card window, which shows a list of possible security problems. You can choose which vulnerabilities you would like to lock down.
- One-Step Lockdown: Initiates the automatic lockdown using recommended settings.
Complete the following steps to perform a security audit as shown in Figure:
Step 1 Click the Configure icon in the main toolbar at the top.
Step 2 Click the Security Audit icon in the Tasks toolbar on the left.
Step 3 Two wizard buttons appear; click the Perform security audit button.
SDM Security Audit Wizard
The Security Audit window shown in Figure opens after clicking Perform security audit. A welcome page opens describing the functions that the Security Audit wizard performs. Click the Next button to proceed to the next step.
SDM Security Audit Interface Configuration
The Security Audit Interface Configuration window shown in Figure opens after clicking Next. In this step, select the inside and outside interfaces. Then, click the Next button to proceed to the next step.
SDM Security Audit
The Security Audit wizard tests your router configuration to determine whether any security vulnerabilities exist and then presents a report. Vulnerable items are marked with a red X. After viewing the report, which will be similar to the report shown in Figure, you have the option of saving the report as a file. Click Save Report if you want to save the report, and then click the Close button to close the window and proceed to the next step.
SDM Security Audit: Fix the Security Problems
Next, a window appears listing the identified problems, each with a Fix it check box, as shown in Figure. Check the Fix it check boxes next to any problems that you want Cisco SDM to fix, and then click the Next button. Additional windows may appear requiring your input, such as entering a password. Pay special attention to any warning messages that appear. Make sure that you do not “fix” a potential security breach and lock yourself out of the router.
Note
For a description of the problem and a list of the Cisco IOS commands that will be added to your configuration, click the problem description hyperlinks. A Help page describing the selected problem appears.
SDM Security Audit: Summary
Next, the SDM Security Audit Summary window shown in Figure appears. In the example, you can enable a number of security features on the router. Review the changes and click Finish to send the changes to the router.
SDM One-Step Lockdown
As shown in Figure, Cisco SDM provides an easy one-step router lockdown for many security features. The wizard button is available in the Security Audit task under the Configure tab. Click the One-step lockdown button to launch the One-Step Lockdown wizard shown in Figure. In many ways, this wizard is similar in concept to AutoSecure. This option tests the router configuration for any potential security problems and automatically makes any necessary configuration changes to correct the problems that the wizard finds. The conditions tested and, if needed, corrected are as follows:
- Disable Finger Service
- Disable PAD Service
- Disable TCP Small Servers Service
- Disable UDP Small Servers Service
- Disable IP BOOTP Server Service
- Disable IP Identification Service
- Disable CDP
- Disable IP Source Route
- Enable Password Encryption Service
- Enable TCP Keepalives for Inbound Telnet Sessions
- Enable TCP Keepalives for Outbound Telnet Sessions
- Enable Sequence Numbers and Time Stamps on Debugs
- Enable IP CEF
- Disable IP Gratuitous ARPs
- Set Minimum Password Length to Less Than Six Characters
- Set Authentication Failure Rate to Less Than Three Retries
- Set TCP SYN Wait Time
- Set Banner
- Enable Logging
- Set Enable Secret Password
- Disable SNMP
- Set Scheduler Interval
- Set Scheduler Allocate
- Set Users
- Enable Telnet Settings
- Enable NetFlow Switching
- Disable IP Redirects
- Disable IP Proxy ARP
- Disable IP Directed Broadcast
- Disable MOP Service
- Disable IP Unreachables
- Disable IP Mask Reply
- Disable IP Unreachables on NULL Interface
- Enable Unicast RPF on Outside Interfaces
- Enable Firewall on All of the Outside Interfaces
- Set Access Class on HTTP Server Service
- Set Access Class on VTY Lines
- Enable SSH for Access to the Router
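The lockdown conditions listed above, the Security Audit examples earlier in this section, and the AutoSecure forwarding-plane steps (CEF, inbound ACL, unicast RPF and the CBAC inspect list on the outside interface) all come down to specific lines being present in, or absent from, the running configuration. The following Python script is an added example, not code from Cisco SDM or AutoSecure: it parses a constructed running-configuration text, grades a subset of those items pass or fail in the manner of the Report Card, and emits the commands that checking every Fix it box for the failed items would push to the router. The sample configuration, the outside-interface name GigabitEthernet0/0, the exact command spelling used for each item, and the `<acl>`, `<cbac-name>` and `<strong-secret>` placeholders are assumptions made for the example.

```python
# Added example (not Cisco SDM or AutoSecure code): a "report card" modelled on the
# SDM Security Audit / One-Step Lockdown checklist described on this page.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of `show running-config all`, where services left
# at their default still appear as explicit lines (assumption: the text is complete).
SAMPLE_CONFIG = """\
service password-encryption
no service finger
service tcp-small-servers
ip bootp server
cdp run
ip source-route
no ip cef
enable secret 5 $1$CONSTRUCTED$placeholder.hash.value
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip proxy-arp
 ip redirects
 no ip unreachables
!
line vty 0 4
 transport input telnet
!
"""

# (audit item as named on the page, regex a compliant line matches, remediation)
GLOBAL_CHECKS = [
    ("Disable Finger Service", r"^no service finger$", "no service finger"),
    ("Disable TCP Small Servers Service", r"^no service tcp-small-servers$", "no service tcp-small-servers"),
    ("Disable IP BOOTP Server Service", r"^no ip bootp server$", "no ip bootp server"),
    ("Disable CDP", r"^no cdp run$", "no cdp run"),
    ("Disable IP Source Route", r"^no ip source-route$", "no ip source-route"),
    ("Enable Password Encryption Service", r"^service password-encryption$", "service password-encryption"),
    ("Enable IP CEF", r"^ip cef$", "ip cef"),
    ("Set Enable Secret Password", r"^enable secret ", "enable secret <strong-secret>"),  # placeholder value
]
OUTSIDE_IF_CHECKS = [  # evaluated on the interface you name as outside
    ("Disable IP Proxy ARP", r"^no ip proxy-arp$", "no ip proxy-arp"),
    ("Disable IP Redirects", r"^no ip redirects$", "no ip redirects"),
    ("Disable IP Unreachables", r"^no ip unreachables$", "no ip unreachables"),
    ("Enable Unicast RPF on Outside Interfaces", r"^ip verify unicast ", "ip verify unicast source reachable-via rx"),
    ("Apply inbound ACL on outside interface", r"^ip access-group \S+ in$", "ip access-group <acl> in"),  # placeholder
    ("Enable Firewall on All of the Outside Interfaces", r"^ip inspect \S+ out$", "ip inspect <cbac-name> out"),  # placeholder
]
VTY_CHECKS = [
    ("Enable SSH for Access to the Router", r"^transport input ssh$", "transport input ssh"),
    ("Set Access Class on VTY Lines", r"^access-class \S+ in$", "access-class <acl> in"),  # placeholder
]

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style text into top-level lines and indented lines per section header."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":       # a bare '!' ends the current section
            current = None
        elif raw[0] in " \t":             # indented: belongs to the open section
            if current is not None:
                sections[current].append(line)
        else:                             # top-level line; may open a section
            top.append(line)
            current = line
            sections.setdefault(line, [])
    return top, sections

def audit(text: str, outside_if: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Report Card rows: (item, 'pass' | 'fail', section header or None, fix)."""
    top, sections = parse_config(text)
    vty = [h for h in sections if h.startswith("line vty")]
    scopes = [
        (GLOBAL_CHECKS, None, top),
        (OUTSIDE_IF_CHECKS, f"interface {outside_if}", sections.get(f"interface {outside_if}", [])),
        (VTY_CHECKS, vty[0] if vty else "line vty 0 4", [l for h in vty for l in sections[h]]),
    ]
    rows = []
    for checks, scope, lines in scopes:
        for item, pattern, fix in checks:
            ok = any(re.match(pattern, line) for line in lines)
            rows.append((item, "pass" if ok else "fail", scope, fix))
    return rows

def failed_items(text: str, outside_if: str) -> List[str]:
    """Items that would carry a red X in the Report Card."""
    return [item for item, status, _, _ in audit(text, outside_if) if status == "fail"]

def lockdown_commands(text: str, outside_if: str) -> List[str]:
    """Commands pushed if every Fix it box were checked, grouped per section header."""
    by_scope: Dict[Optional[str], List[str]] = {}
    for _, status, scope, fix in audit(text, outside_if):
        if status == "fail":
            by_scope.setdefault(scope, []).append(fix)
    out = by_scope.pop(None, [])          # global commands first
    for scope, fixes in by_scope.items():  # then "interface ..." / "line vty ..." blocks
        out.append(scope)
        out.extend(" " + fix for fix in fixes)
    return out
```

Two points carry over from the wizard itself: the audit only sees lines that are in the text, so it must be fed output that shows default settings explicitly (a plain `show running-config` omits them), and the emitted vty fix `transport input ssh` is exactly the kind of change the page warns about, since pushing it before SSH is working on the router locks you out of remote access.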
Content 5.5 Securing Cisco Router Administrative Access
5.5.1 Cisco Router Passwords
Strong passwords are the primary defense against unauthorized access to your router. The best way to manage passwords is to maintain them on an AAA server. Almost every router needs a locally configured password for privileged access. There may also be other password information in the