CCIE or Null!

My journey to CCIE!

Let’s Look at: 1 Step Router Lock down.


In my CCNA: Security studies, one thing they go over is the 1 Step Lockdown. So I loaded up a spare router, started up the SDM, and ran through the 1 Step Lockdown.

Launch screen of the Cisco SDM.

Cisco SDM loading.

Now, every time I use the SDM I always enable the option to see the IOS commands before they are delivered to the router. I do this for a few reasons: one, to go over the commands and make sure they will not interfere with anything already running on my network, and two, it leads to some good learning. Below you will find the IOS commands used by the 1 Step Router Lockdown:

aaa authentication login local_authen local
aaa authorization exec local_author local

The above statements simply create named AAA authentication and authorization method lists that authenticate against the router's local user database. While this is fine for only a few routers, larger deployments would ideally use a TACACS+/RADIUS server as a single point for AAA.

no snmp-server

As you can guess, this turns off SNMP; I am not too sure why. I am a big fan of SNMP with my SolarWinds NPM console, however I only use SNMPv3 (Auth&Priv) on my networking equipment.

line vty 0 4
login authentication local_authen
authorization exec local_author
exec-timeout 10 0
line vty 5 15
login authentication local_authen
authorization exec local_author
line con 0
login authentication local_authen
line aux 0
login authentication local_authen

The above statements simply configure the management lines to authenticate against the custom AAA method lists created earlier. Also notice the exec-timeout to disconnect idle connections, and the authorization statements pointing to the custom AAA method list as well.

no service pad

Service pad is used in X.25 networks, so this is a service that can be turned off if it is not being used in your network.

service tcp-keepalives-in
service tcp-keepalives-out

The above statements will actually prevent hung telnet sessions. Of course, telnet sessions can always be manually closed from within the router's CLI, but I suppose this is good if you ever lose your connection to the router with an open telnet session going; after all, running out of vty lines would be pretty embarrassing.

no ip bootp server

Here we disable BOOTP. This goes back to the concept of disabling unneeded services.

service sequence-numbers

This is just a logging command so your log entries are numbered; not a must, but useful.

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone

Here are some more logging parameters, so both debug and log entries will have a date/time stamp going down to the seconds. Very useful indeed; just make sure you have some type of NTP sync going on to keep it all in check.

ip tcp synwait-time 10

The above command sets the amount of time the router will wait for a TCP connection to be established before giving up. The default is 30 seconds; the 1 Step Lockdown simply lowers the interval.

no cdp run

The above is a common sense command in my opinion, and should be applied on outside interfaces or if you do not have any neighboring Cisco devices, since this information is Cisco proprietary. You might also want to disable LLDP (Link Layer Discovery Protocol), which is like CDP but for non-Cisco devices.

security authentication failure rate 3 log
security passwords min-length 6

The above simply sets the router to log after 3 consecutive authentication failures, as well as setting the minimum password length on the device. Pretty common security practices.

ip ssh time-out 60
ip ssh authentication-retries 2

As you can guess, this sets an SSH negotiation timeout as well as the number of times someone can try to authenticate via SSH.

banner login ~Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!

You must have a login banner; it's a necessity, and in case you don't have one, the 1 Step Lockdown will make sure you do. Not much to say here.

logging console critical
logging trap debugging
logging buffered 51200 debugging

Not much of a security configuration here, but a little bit of logging is always nice to have. Although, considering we set the router to log unsuccessful login attempts, we probably do want to view them. Of course, for large deployments you would want a syslog server to send the messages to.

interface Serial0/1/1:1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow

Here we have the router locking down a Serial interface; the router I used for this test had a HWIC card for a T-1 connection. Proxy ARP is susceptible to man-in-the-middle attacks, since a device can send out a gratuitous ARP claiming to be another device, such as the default gateway, at which point hosts send their data to the fake device where it can be captured or dropped. However, proxy ARP is also used by some layer 3 redundancy protocols, so that is something to keep in mind. Turning off ip redirects prevents the router from sending out ICMP redirect packets, which an attacker could use to initiate a DoS attack. Turning off ip unreachables prevents any ICMP unreachable packets from coming from the router; similar to ip redirects, a DoS could be launched against the router using these packets. Alternatively, you can set a maximum rate at which the router will send back ICMP unreachables with the command ip icmp rate-limit unreachable [interval in ms]. Remember, though, that unreachable packets are legitimately used for troubleshooting purposes.

Issuing the ip route-cache flow command enables NetFlow and gives you more detailed information on the traffic going through your network. After NetFlow is enabled, let it run for a bit and then issue the show ip cache flow command; the router will display a table with the amount of traffic per protocol as well as the source/destination IPs of clients and the ports they are communicating over. I will go into more detail on NetFlow as well as NBAR in a future post.

interface FastEthernet0/1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled

The Ethernet interfaces are locked down very similarly to the Serial interface, with the exception of the no mop enabled command, which disables the Maintenance Operation Protocol used by some dumb terminals running on DECnet. Another unneeded service.
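As an added example (not code from the post or from Cisco), here is a small Python audit that checks a saved running-config against the lockdown items walked through above: the verbatim global and per-interface commands, the two numeric thresholds, and whether each line points at a named AAA login method list. The sample config and all names (SAMPLE_CONFIG, GLOBAL_REQUIRED, parse, audit) are constructed for this example.

```python
# Constructed sample running-config (not from the post); a few lockdown
# items are deliberately missing or weak so the audit has findings.
SAMPLE_CONFIG = """\
service tcp-keepalives-in
no ip bootp server
security passwords min-length 4
ip ssh authentication-retries 5
interface FastEthernet0/1
 no ip proxy-arp
 no ip redirects
line vty 0 4
 login authentication local_authen
 exec-timeout 10 0
line vty 5 15
 exec-timeout 10 0
"""
# Global and per-interface commands the lockdown adds verbatim, plus
# (command prefix, value it sets, whether that value is a min or a max).
GLOBAL_REQUIRED = ["no cdp run", "no ip bootp server", "no service pad",
                   "service tcp-keepalives-in", "service tcp-keepalives-out"]
IFACE_REQUIRED = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]
NUMERIC_REQUIRED = [("security passwords min-length", 6, "min"),
                    ("ip ssh authentication-retries", 2, "max")]

def parse(config):
    """Split a config into top-level lines and {block header: children};
    IOS indents the children of 'interface' and 'line' blocks by one space."""
    top, blocks, header = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            top.append(header)
            blocks[header] = []
    return top, blocks

def audit(config):
    """Return one finding per 1 Step Lockdown item that is missing or weakened."""
    top, blocks = parse(config)
    findings = [f"missing: {cmd}" for cmd in GLOBAL_REQUIRED if cmd not in top]
    for prefix, limit, mode in NUMERIC_REQUIRED:
        val = next((int(l.split()[-1]) for l in top if l.startswith(prefix + " ")), None)
        if val is None or (val < limit if mode == "min" else val > limit):
            findings.append(f"{prefix}: {'not set' if val is None else val}, lockdown sets {limit}")
    for header, children in blocks.items():
        if header.startswith("interface "):
            findings += [f"{header}: missing {c}" for c in IFACE_REQUIRED if c not in children]
        elif header.startswith("line ") and not any(c.startswith("login authentication") for c in children):
            findings.append(f"{header}: not using a named AAA login method list")
    return findings
```

Run audit(SAMPLE_CONFIG) to get the list of findings; an empty list means every checked item is present.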

Well, that covers the 1 Step Router Lockdown that is built into the Cisco SDM, and now that we have taken a look at it, there really isn't anything too magical about it, is there? Cisco also offers a Cisco Guide to Harden Cisco IOS Devices, which covers everything I've mentioned here as well as much, much more. Just keep in mind this 1 Step Lockdown is a good starting point, but there is much more to be done to run a secure network.

Note: I am not a fan of the SDM, and I am also aware the SDM is now EoL, being replaced by the CCP (Cisco Configuration Professional). I am only referring to the SDM for the sake of the CCNA: Security certification exam, and you can be sure I will be commenting on that on every SDM question I get.

Written by Stephen J. Occhiogrosso

September 29, 2010 at 1:20 AM

One Response


  1. […] devices then you might as well disable CDP on the device, see my previous post concerning the 1-step router lockdown, concerning some basic security practices. […]
