When When vulnerabilities are identified that apply to your system and whenever patches and upgrades are applied....
Examine your guidance policies at least annually.
Routers are used to control access, help resist attacks, shield other network components, and help protect the integrity and confidentiality of network traffic.
In an excellent two-page summary, NSA's System and Network Attack Center (SNAC) Router Security Configuration Guide describes quick but effective ways to tighten the security of a Cisco router -- principles that can be applied to all routers, regardless of manufacturer.
- Create and maintain a written router security policy. The policy should identify who is allowed to log in to the router, who is allowed to configure and update it, and should outline the logging and management practices for it.
- Comment and organize offline master editions of your router configuration files. Also, keep the offline copies of all router configurations in sync with the actual configurations running on the routers, invaluable for diagnosing suspected attacks and recovering from them.
- Implement access lists that allow only those protocols, ports and IP addresses that are required by network users and services, and that explicitly deny everything else.
- Run the latest available General Deployment (GD) IOS version.
- Test the security of your routers regularly, especially after any major configuration changes.
Router access recommendations
- Shut down unneeded services on the router. Start by running the show proc command on the router, then turn off clearly unneeded facilities and services. Some servers that should almost always be turned off include: small services (echo, discard, chargen, etc.), BOOTP, Finger, HTTP and SNMP. Services allowing certain packets to pass through the router, or send special packets, or are used for remote router configuration should also be off; these include CDP, remote config and source routing.
- Passwords can be configured more securely. Configure the Enable Secret password protected with an MD5-based algorithm. Also, configure passwords for the console line, the auxiliary line and the virtual terminal lines. Provide basic protection for the user and line passwords using the service passwordencryption command.
- Adopt SSH, if your router supports it, for all remote administration.
Access list recommendations
- Always start an access-list definition with the privileged command no access-list nnn to clear out any previous versions of access list number nnn.
- Enforce traffic address restrictions using access lists. On a border router, allow only internal addresses to enter the router from the internal interfaces, and allow only traffic destined for internal addresses to enter the router from the outside (external interfaces). Block illegal addresses at the outgoing interfaces. Besides preventing an attacker from using the router to attack other sites, it helps identify poorly configured internal hosts or networks. This approach might not work for complicated networks.
- Block packets coming from the outside (untrusted networks) that are obviously fake or have source or destination addresses that are reserved, for example networks 0.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/20 and 192.168.0.0/16. This protection should be part of the overall traffic filtering at the interface attached to the external, untrusted network.
- Block incoming packets that claim to have a source address of any internal (trusted) networks. This impedes TCP sequence number guessing and other attacks. Incorporate this protection into the access lists applied to interfaces facing any untrusted networks.
- Drop incoming packets with loopback addresses, network 127.0.0.0/8; these packets cannot be real.
- If the network doesn't need IP multicast, block multicast packets.
- Block broadcast packets. (Note that this may block DHCP and BOOTP services, but these services shouldn't be used on external interfaces and shouldn't cross border routers.)
- A number of remote probes and attacks use ICMP echo and redirect, and mask request messages, so block them.
- Block incoming packets claiming to have the same destination and source address (i.e. a 'Land' attack on the router itself). Incorporate this protection into the access list used to restrict incoming traffic into each interface.
Logging & debugging recommendations
- Turn on the router's logging capability and use it to log errors and blocked packets to an internal (trusted) syslog host. Make sure that the router blocks syslog traffic from untrusted networks.
- Configure the router to include time information in the logging. Configure at least two different NTP servers to ensure availability of good time information, which allows an administrator to trace network attacks more accurately.
- If your network requires SNMP, then configure an SNMP ACL and hard-to-guess SNMP community strings.
One of the most useful and high-quality lists of Security Technical Implementation Guides (STIG) are at NSA's SNAC Web site. The June 2004 Cisco IOS Switch Security Configuration Guide and summary documents are also available on the site.
Shelley Bard, CISSP, CISM, is a senior security network engineer with Verizon Federal Network Systems (FNS). An information security professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments.
Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.