After hearing about Fyodor's scanning the Internet project, I started thinking about what he found...My reaction was much the same as Paul's...Telnet??? Really? Then I started thinking about the work I did back in the day when I was dangerously unqualified to do my job and had no idea what I was doing, and how many Cisco routers I left telnet open on the WAN interface simply for convenience. Over the years, I've found most consulting companies do this without telling the customer, and if you're using an outside vendor to manage your Cisco gear, I would check! Having had to do quite a bit of router securing lately, I thought this would be a good time to cover some really simple ways to secure your routers for the non-Cisco guys out there, other than the obvious firmware updates and such. All of these methods should work on the more recent versions of the IOS. This post will cover some very basic router security methods. There is a real science to securing Cisco IOS devices, and it's certainly possible to make your router security scheme very complex, but hopefully this gives you a good starting point if you're not already doing these things.
Adding Local Users
One of the simplest ways to lock down your Cisco gear is by adding a local authentication database to your router. This is something that Cisco simply doesn't stress enough. Even if you go through their CCNA training, they teach you there's a password to log in (telnet, console, etc.) and the enable password, both of which are subject to brute forcing. Think about how much harder your gear is to attack if an attacker has to guess both a username and a password: IOS gives the same "Login invalid" for a wrong username as for a wrong password, so the guessing space becomes the product of the two. It doesn't make brute forcing impossible (nothing does), but it takes online guessing from trivial to impractical, provided the username isn't guessable too. Here's a simple example:
Larry(config)#username Larry privilege 15 secret beer
Larry(config)#aaa new-model
Larry(config)#aaa authentication login default local
Looking at what we did: we enabled authentication, authorization, and accounting (AAA) services on the router, created a user named Larry with a password of beer and a privilege level of 15, and set the default login method for every line (console, aux, vty) to the local database, i.e. the usernames and passwords stored on the router itself. Now whoever telnets in, connects via a console cable or SSHes in must present a username and a password instead of just a line password. Two caveats. First, use the secret keyword rather than password on the username line: secret stores a salted MD5 hash (type 5), while password stores the string in the clear or, once service password-encryption is on, as the type 7 encoding, which anyone who can read the config can reverse. Second, do this from the console, define the user before turning on aaa new-model, and keep that session open until a fresh login works; once AAA is on, every line authenticates against the local database, and a typo or an empty database locks you out. Of course if you make the username admin, cisco, etc. then this isn't a whole lot better, but an uncommon username and a strong password help. You can do a lot more with limited-privilege accounts, custom views, authenticating and authorizing command execution via TACACS+ and RADIUS, and password policies, but that's beyond the scope of this post.
Enabling SSH
Solving the problem of telnet's plain text transmission is actually quite simple. Before starting, make sure you are on at least IOS 12.1(19)E (or 12.3(4)T on the T train), the first releases that support SSHv2, and that your image is a crypto (k9) feature set; without the crypto code there is no SSH to enable. Enabling SSH on a router then requires two lines:
Larry(config)#ip domain-name pauldotcom.com
Larry(config)#crypto key generate rsa modulus 1024 general-keys
The name for the keys will be: Larry.pauldotcom.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Larry(config)#*Mar 1 00:19:52.391: %SSH-5-ENABLED: SSH 1.99 has been enabled
First we specify a domain name with ip domain-name so the router has an FQDN (the key pair is named hostname.domain, so set a hostname first if you haven't), then generate the keys. You can choose the modulus size (I used 1024 above; SSHv2 needs at least 768 bits, and 2048 is the better choice if the box can handle it). Once a key pair exists, IOS turns SSH on automatically. The "SSH 1.99" in the log line means the server will negotiate both v1 and v2, so add ip ssh version 2 to refuse the weaker v1. To get rid of telnet management completely, we have to do one more thing:
Larry(config)#line vty 0 4
Larry(config-line)#transport input ssh
Note that line vty 0 4 only covers the first five vty lines. Many platforms have 0 through 15 (check with show line), and telnet stays listening on any vty line you don't cover, so apply transport input ssh to all of them, e.g. line vty 0 15.
Router Auto Secure
Cisco routers have lots of services running on them, many of them useless on a typical edge router. Cisco now provides an easy way to disable these services and harden the router in a number of ways with one command. If you use Cisco Security Device Manager (SDM) for router management, it has a security audit tool and a one-click lockdown that disables the same services. I'm still a console guy though, so I like this method. Look at how much useless stuff is turned off just after the first step, and how much you get by running one simple command:
Larry#auto secure
Is this router connected to internet? [no]:
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Finger? Come on. The wizard does a lot more: it lets you set a login banner (and provides a pretty scary default one), configure an enable secret, set a blocking period when login attacks are detected (login block-for), and enable the CBAC firewall. Review what it changed (show running-config) before you write memory: it is a wizard, and on a router doing something non-standard, say CDP for IP phones or the HTTP server for SDM, some of these defaults will bite.
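To check a box after working through the three sections above, here is an added example, not from the original post and not a Cisco tool: a Python script that audits a saved "show running-config" for local users, SSH-only vty lines, and the services auto secure turns off. The two sample configs are constructed; the admin account with a type 7 password is there to show why the secret keyword matters; and the check list (aaa new-model, enable secret, secret vs. password on username lines, ip ssh version 2, transport input ssh on every vty block, http server, small servers, cdp, source routing) is my own selection, not auto secure's full list. It assumes the config was saved with the one-space indentation IOS uses under line sections.

```python
# Added example, not part of the original post or of any Cisco tool: audit a saved
# "show running-config" for the items covered above (local users, SSH-only vty
# lines, services that auto secure disables). Both sample configs are constructed.
import re

# Table behind IOS type 7 obfuscation, which "service password-encryption" applies
# to "password" lines; "secret" lines get a real hash and are not affected.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
WEAK_USERNAMES = {"admin", "cisco", "root", "user", "guest"}

def decode_type7(encoded):
    """Reverse a type 7 string: 2-digit seed, then hex bytes XORed with XLAT."""
    seed, body = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()

def vty_blocks(config):
    """Yield (header, [indented child lines]) for each 'line vty' section."""
    lines, i = config.splitlines(), 0
    while i < len(lines):
        if not lines[i].startswith("line vty"):
            i += 1
            continue
        header, children, i = lines[i].strip(), [], i + 1
        while i < len(lines) and lines[i].startswith(" "):
            children.append(lines[i].strip())
            i += 1
        yield header, children

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    has = lambda pattern: re.search(pattern, config, re.M) is not None
    if not has(r"^aaa new-model$"):
        findings.append("aaa new-model missing: lines use line passwords, not usernames")
    if has(r"^enable password "):
        findings.append("enable password in use: replace with enable secret")
    user_re = r"^username (\S+) (?:privilege \d+ )?(secret|password) (?:(\d+) )?(\S+)"
    for user, kind, ptype, value in re.findall(user_re, config, re.M):
        if user.lower() in WEAK_USERNAMES:
            findings.append(f"username {user}: guessable account name")
        if kind == "password" and ptype == "7":
            findings.append(f"username {user}: type 7 password is reversible "
                            f"(decodes to {decode_type7(value)!r}); use secret")
        elif kind == "password":
            findings.append(f"username {user}: cleartext password; use secret")
    if not has(r"^ip ssh version 2$"):
        findings.append("ip ssh version 2 missing: server still negotiates SSHv1")
    for header, children in vty_blocks(config):
        transports = [c for c in children if c.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"{header}: {', '.join(transports) or 'transport input unset'}"
                            " (should be 'transport input ssh')")
    for pattern, msg in [(r"^ip http server$", "http server enabled"),
                         (r"^service tcp-small-servers$", "tcp small servers enabled")]:
        if has(pattern):
            findings.append(msg)
    for pattern, msg in [(r"^no cdp run$", "cdp still running"),
                         (r"^no ip source-route$", "source routing still enabled")]:
        if not has(pattern):
            findings.append(msg)
    return findings

# Constructed before/after configs, not captured from a real router.
WEAK_CONFIG = """\
hostname Larry
enable password beer
username admin privilege 15 password 7 0822455D0A16
ip http server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
end
"""
HARDENED_CONFIG = """\
hostname Larry
aaa new-model
enable secret 5 $1$salt$hashgoeshere
username Larry privilege 15 secret 5 $1$salt$hashgoeshere
no ip source-route
no cdp run
no ip http server
ip ssh version 2
line vty 0 15
 transport input ssh
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Run it against the text of show running-config saved to a file (swap the constants for the file contents). The type 7 decode is the point of the username check: service password-encryption, which auto secure switches on, only hides passwords from someone reading over your shoulder, so any "username ... password" line is effectively a cleartext credential for whoever can read the config, whereas a "secret" line is a real hash.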
So there you have it. I hope this was interesting, and be sure to find me lurking around #pauldotcom if you have any questions or comments.
Friday, October 3, 2008
3 comments:
This is a great tutorial for newer Cisco administrators. This shows just how easy it can be to turn on the security features in Cisco IOS.
I would like to add that most Cisco products don't come with all of the security options activated for use. If administrators leave the software completely at its factory default, it's probably missing some security features.
Several products have to be activated or upgraded to use 3DES or AES encryption. If you want the SSH and auto secure features you must make sure you are using the IOS images that have cryptography built in.
Most of the time this isn't included in the default IOS in Cisco switches leaving only telnet for administration. This leaves a very weak architecture for Cisco environments that don't immediately upgrade their IOS images to the ones that support cryptographic features.
Great comments! That is true...Many routers will need the IOS with the crypto feature sets. I've found most of the newer ones, particularly the ISRs, are coming with the correct IOS images on them to enable SSH, but that's a very valid point for the legacy routers that probably haven't been touched since installation. Thanks for the thoughts!
Good post. Nipper is a good free auditing tool to check many of the mistakes that people make when configuring their Cisco equipment. It can process configs from several other products beyond Cisco as well. It flags findings and gives corrective actions.