Let’s Look at: 1 Step Router Lock down.
In my CCNA: Security studies, one thing they go over is the 1 Step Lockdown. So I loaded up a spare router, started up the SDM, and ran through the 1 Step Lockdown.
Now every time I use the SDM I always enable the option to see the IOS commands before they are delivered to the router. I do this for a few reasons: one, to go over the commands and make sure they will not interfere with anything already running on my network; and two, it leads to some good learning. Below you will find the IOS commands used by the 1 Step Router Lockdown:
aaa authentication login local_authen local
aaa authorization exec local_author local
The above statements simply create custom AAA authentication and authorization method lists that authenticate against the router's local database. While this is nice for only a few routers, larger deployments would ideally use a TACACS+/RADIUS server as a single point for AAA.
As you can guess, the next command turns off SNMP; I am not too sure why. I am a big fan of SNMP with my SolarWinds NPM console, however I only use SNMPv3 (Auth&Priv) on my networking equipment.
line vty 0 4
login authentication local_authen
authorization exec local_author
exec-timeout 10 0
exit
line vty 5 15
login authentication local_authen
authorization exec local_author
exit
line con 0
login authentication local_authen
exit
line aux 0
login authentication local_authen
exit
The above statements simply configure the management lines (vty, console and aux) to authenticate against the custom AAA method lists created earlier. Also notice the exec-timeout, which disconnects idle connections, and the authorization statements pointing to the custom AAA configuration as well.
no service pad
Service pad is used in X.25 networks, so this is a service that can be turned off if it is not being used in your network.
service tcp-keepalives-in
service tcp-keepalives-out
The above statements will actually prevent hung telnet sessions. Of course, telnet sessions can always be manually closed from within the router's CLI, but I suppose this is good if you ever lose connection to a router with an open telnet session going; after all, running out of vty lines would be pretty embarrassing.
no ip bootp server
Here we disable BOOTP. This goes back to the concept of disabling unneeded services.
The next command is just a logging command so your log entries are numbered; not a must, but useful.
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
Here are some more logging parameters, so both debug and log entries will carry a date/time stamp down to the second. Very useful indeed; just make sure you have some type of NTP sync going on to keep it all in check.
ip tcp synwait-time 10
The above command sets the amount of time the router will wait for a TCP connection to be established. The default is 30 seconds; the 1 Step Lockdown simply lowers the interval.
no cdp run
The above is a common sense command in my opinion and should be applied on outside interfaces, or globally if you do not have any neighboring Cisco devices, since the information CDP advertises is Cisco proprietary. You might also want to disable LLDP (Link Layer Discovery Protocol), which is like CDP for non-Cisco devices.
security authentication failure rate 3 log
security passwords min-length 6
The above simply sets the router to log 3 consecutive authentication failures, and sets the minimum password length on the device. Pretty common security practices.
ip ssh time-out 60
ip ssh authentication-retries 2
As you can guess, this sets an SSH timeout as well as the number of times someone can try to authenticate via SSH.
banner login ~Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!~
You must have a login banner; it's a necessity, and in case you don't have one, the 1 Step Lockdown will make sure you do. Not much to say here.
logging console critical
logging trap debugging
logging buffered 51200 debugging
Not much of a security configuration here, but a little bit of logging is always nice to have. And considering we set the router to log unsuccessful login attempts, we probably do want to view them. Of course, for large deployments you would want a syslog server to send the traps to.
interface Serial0/1/1:1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
exit
Here we have the router locking down a Serial interface; the router I used for this test had a HWIC card for a T-1 connection. Proxy ARP is susceptible to man-in-the-middle attacks, since a device can send out a gratuitous ARP claiming to be another device, such as the default gateway, at which point hosts will send their data to the fake device, where it can be captured or dropped. However, proxy ARP is also used by some layer 3 redundancy protocols, so that is something to keep in mind. Turning off ip redirects prevents the router from sending out ICMP redirect packets, which an attacker could use to initiate a DoS attack. Turning off ip unreachables will prevent any ICMP unreachable packets from being sent by the router; alternatively, you can set a maximum rate at which the router will send back ICMP unreachable packets with the command ip icmp rate-limit unreachable [interval in ms]. Similar to ip redirects, a DoS could be launched against the router using these packets. Remember though that unreachable packets are legitimately used for troubleshooting purposes. Issuing the ip route-cache flow command will enable NetFlow and give you more detailed information about the traffic going through your network. After NetFlow is enabled, let it run for a bit and then issue the show ip cache flow command, and the router will display a table with the amount of traffic per protocol as well as the source/destination IP addresses of clients and the ports they are communicating over. I will go into more detail on NetFlow as well as NBAR in a future post.
interface FastEthernet0/1
no ip proxy-arp
no ip redirects
no ip unreachables
ip route-cache flow
no mop enabled
exit
The Ethernet interfaces are locked down very similarly to the Serial interfaces, with the exception of the no mop enabled command, which disables the Maintenance Operation Protocol, used by some dumb terminals running on DECnet. Another unneeded service.
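As an added example, not part of the original post or of the SDM itself: a small Python audit that reads a running-config and reports which of the lockdown settings walked through above are absent, including the per-interface ones (the sample config and the check list are constructed here; the MOP check is applied only to Ethernet interfaces, matching the lockdown output above).

```python
import re
# Constructed "show running-config" excerpt (not from a real router), missing
# several 1-Step Lockdown settings so the audit has findings to report.
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
no service pad
no ip bootp server
security passwords min-length 6
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 no mop enabled
!
interface Serial0/1/1:1
 no ip proxy-arp
 no ip redirects
!
"""
# Global commands the lockdown delivers: (label, regex matched per config line).
GLOBAL_CHECKS = [
    ("no service pad", r"^no service pad$"),
    ("service tcp-keepalives-in", r"^service tcp-keepalives-in$"),
    ("service tcp-keepalives-out", r"^service tcp-keepalives-out$"),
    ("no ip bootp server", r"^no ip bootp server$"),
    ("service timestamps log", r"^service timestamps log datetime msec"),
    ("ip tcp synwait-time", r"^ip tcp synwait-time \d+$"),
    ("no cdp run", r"^no cdp run$"),
    ("security passwords min-length", r"^security passwords min-length \d+$"),
]
INTERFACE_CHECKS = ["no ip proxy-arp", "no ip redirects", "no ip unreachables"]
ETHERNET = ("Ethernet", "FastEthernet", "GigabitEthernet")  # MOP only applies here

def audit(config: str) -> list[str]:
    """Return findings: lockdown commands absent from the running config."""
    lines = config.splitlines()
    findings = [f"global: missing '{label}'" for label, rx in GLOBAL_CHECKS
                if not any(re.match(rx, ln) for ln in lines)]
    current, body = None, []
    for ln in lines + ["!"]:            # trailing "!" closes the last block
        if ln.startswith("interface "):
            current, body = ln.split(None, 1)[1], []
        elif current and ln.startswith(" "):
            body.append(ln.strip())     # indented line belongs to the block
        elif current:                   # block ended: evaluate it
            wanted = INTERFACE_CHECKS + (["no mop enabled"] if current.startswith(ETHERNET) else [])
            findings += [f"{current}: missing '{cmd}'" for cmd in wanted if cmd not in body]
            current = None
    return findings
```

Feed it the saved output of show running-config from a real device and every line it prints is a lockdown command that device does not have.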
Well, that covers the 1 Step Router Lockdown that is built into the Cisco SDM, and now that we have taken a look at it, there really isn't anything too magical about it, is there? Cisco also offers the Cisco Guide to Harden Cisco IOS Devices, which covers everything I've mentioned here as well as much, much more. Just keep in mind this 1 Step Lockdown is a good starting point, but there is much more to be done to run a secure network.
Note: I am not a fan of the SDM, and I am also aware the SDM is now EoL, being replaced by the CCP (Cisco Configuration Professional). I am only referring to the SDM for the sake of the CCNA: Security certification exam, and you can be sure I will be commenting on that on every SDM question I get.