Wednesday, August 30, 2006

Cisco IOS Hardening

When I started at my current job, the various Cisco gear (routers, switches, firewalls, APs), as is usual in a small-but-growing-fast company, had a variety of configuration standards, IOS versions and access policies. So one of the first things I did was tidy up the standard part of the configs, such as banners, SNMP, NTP and remote access (Telnet/SSH) access. Happily, most of this kind of thing is pretty much boilerplate these days, and I'd done it previously (in another job), so it was quite quick to implement.

I've published it below, for your own use, but remember to test anything before deploying it.

References and source material for the template include:

Secure IOS template at Cymru.com
US National Security Agency Secure Configuration Guides
The O'Reilly Hardening Cisco Routers book
Plus the Cisco website

Some stuff that is recommended to be disabled, such as SNMP and CDP, I leave running. Less secure overall, but I think that is offset by usefulness. You can go further than I have, and secure NTP traffic for example, and I haven't mentioned securing routing protocols (OSPF, EIGRP).

Nor have I mentioned that we offload local access authentication to RADIUS - I'll save that for another day.

The template:

###########################################################################
#
# Secure IOS Template
#
# The Network Guy 2005,2006,2007,2008.
#
# You are free to use this template, but you use it at
# your own risk. Test before deploy.
# You have been warned.
# IF IN DOUBT - RTFM (http://www.cisco.com/univercd/home/home.htm)
#
###########################################################################
#
# GLOBAL COMMANDS
#
# Turn off non-required services
#
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip finger
no ip source-route
no ip gratuitous-arps
no service finger
no service config
no boot host
no boot network
no boot system
no service pad
no ip http server
no ip domain-lookup
###########################################################################
# Miscellaneous
######
# Set enable secret password
enable secret
######
# allow the zero subnet as host
ip subnet-zero
######
# stop icmp flood attacks using rate limiting
ip icmp rate-limit unreachable 1000
######
# stop syn-flood attacks by timing out orphaned syns after 10s
ip tcp synwait-time 10
######
# Stop any single process from hogging CPU
scheduler interval
scheduler allocate
######
# Generate tcp keepalive packets
service tcp-keepalives-in
service tcp-keepalives-out
######
# Ensure copious timestamp info
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
######
# Ensure passwords are encrypted by default
service password-encryption
######
# Turn on multicast
ip multicast-routing
#
######
# Enable SSH access - note I specifiy 1024 bit key gen -
# SSH client PUTTY don't like the default 512 bit
#
ip domain-name
crypto key generate rsa
1024
ip ssh time-out 60
ip ssh authentication-retries 2
######
# ensure a local username of last resort is configured
username admin priv 15 password
###########################################################################
# Logging Details
#
logging
logging
logging facility local7
logging trap informational
logging history warning
logging buffered 100000 notifications
###########################################################################
# SNMP Details
# Annoyingly, in 12.2 IOS on Catalyst 6500 switches
# you have to use numbered ACL to secure SNMP
# See ACL section below
#
snmp-server community ro
snmp-server community rw
snmp-server ifindex persist
snmp-server trap-source loopback0
snmp-server enable traps
snmp-server host
#
###########################################################################
# Secure Banners
# Banner below is 'best practice' secure from NSA
#
#
banner login %

*** WARNING ***

If has not authorised your access to this system, you
will be committing an offence under the Computer Misuse Act
1990 if you attempt to proceed.

Authorised users may access only such systems and
information as they need in the course of their work for
. All other actions are unauthorised.

UNAUTHORISED ACCESS IS STRICTLY PROHIBITED

Any unauthorised access will be considered an act of gross
misconduct and will render you liable to disciplinary action,
possibly including dismissal and/or prosecution.





%
###########################################################################
# Logs are no good if every device has a different timestamp -
# Use NTP
# Set timezone (for the UK) and clock details
# Set NTP Servers
#
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ntp server
ntp server
#
#################################################################
#
# Access Lists
#
######
# Which hosts are allowed to access this device
ip access-list standard mgmt-access
permit
permit host
# Same but numbered
ip access-list 97 permit
ip access-list 97 permit host
#
######
#
# Which hosts can telnet in as a last resort
ip access-list standard mgmt-access-last-resort
permit host
permit host
# Same but numbered
ip access-list 98 permit
ip access-list 98 permit host
######
#
# Deny any access list - used to stop stuff leaving the router
ip access-list extended deny-all
deny ip any any log
#
# Same, but numbered.
access-list 99 deny any log
######
#
#################################################################
#
# Secure access to the actual device
#
######
# Secure the console
#
line con 0
password
exec-timeout 5 0
logging synchronous
escape-character 23
login
######
# Secure the VTY terminals
#
line vty 0 3
password
access-class mgmt-access in
access-class deny-all out
exec-timeout 10 0
logging synchronous
transport input telnet ssh
escape-character 23
login
#
# Create an emergency VTY terminal
#
line vty 4
password
access-class mgmt-access-last-resort in
access-class deny-all out
exec-timeout 10 0
logging synchronous
transport input telnet ssh
escape-character 23
login
######
###########################################################################
# Disable potentially malicious services per interface (inc. physical, VLAN, loopback)
# To be applied to all LAN, WAN and logical ports
#
#
Interface
no ip proxy-arp
no ip unreachables
no ip redirects
no ip mask-reply
no ip directed-broadcast
###########################################################################