Cisco IOS Devices Best Practices - Patrick Denis

31/01/2017 CiscoIOSDevicesBestPractices|PatrickDenis
CiscoIOSDevicesBestPractices
l admin } September28,2015 v 0Comments
m Cisco,RoutingandSwitching,Security
Thischecklistisacollectionofallthehardeningstepsthatarepresentedinthisguide.Administratorscanuseitasa
reminderofallthehardeningfeaturesusedandconsideredforaCiscoIOSdevice,evenifafeaturewasnotimplemented
becauseitdidnotapply.Administratorsareadvisedtoevaluateeachoptionforitspotentialriskbeforetheyimplementthe
option.
ManagementPlane
Passwords
EnableMD5hashing(secretoption)forenableandlocaluserpasswords
Configurethepasswordretrylockout
Disablepasswordrecovery(considerrisk)
Disableunusedservices
ConfigureTCPkeepalivesformanagementsessions
SetmemoryandCPUthresholdnotifications
Configure
MemoryandCPUthresholdnotifications
Reservememoryforconsoleaccess
Memoryleakdetector
Bufferoverflowdetection
Enhancedcrashinfocollection
UseiACLstorestrictmanagementaccess
Filter(considerrisk)
ICMPpackets
IPfragments
IPoptions
TTLvalueinpackets
ControlPlaneProtection
Configureportfiltering
Configurequeuethresholds
Managementaccess
UseManagementPlaneProtectiontorestrictmanagementinterfaces
Setexectimeout
Useanencryptedtransportprotocol(suchasSSH)forCLIaccess
Controltransportforvtyandttylines(accessclassoption)
Warnusingbanners
AAA
UseAAAforauthenticationandfallback
UseAAA(TACACS+)forcommandauthorization
http://www.patrickdenis.biz/blog/hardenciscoiosdevices/ 1/22
UseAAAforaccounting
UseredundantAAAservers
SNMP
ConfigureSNMPv2communitiesandapplyACLs
ConfigureSNMPv3
Logging
Configurecentralizedlogging
Setlogginglevelsforallrelevantcomponents
Setloggingsourceinterface
Configureloggingtimestampgranularity
ConfigurationManagement
Replaceandrollback
ExclusiveConfigurationChangeAccess
Softwareresilienceconfiguration
Configurationchangenotifications
ControlPlane
Disable(considerrisk)
ICMPredirects
ICMPunreachables
ProxyARP
ConfigureNTPauthenticationifNTPisbeingused
ConfigureControlPlanePolicing/Protection(portfiltering,queuethresholds)
Secureroutingprotocols
BGP(TTL,MD5,maximumprefixes,prefixlists,systempathACLs)
IGP(MD5,passiveinterface,routefiltering,resourceconsumption)
Configurehardwareratelimiters
SecureFirstHopRedundancyProtocols(GLBP,HSRP,VRRP)
DataPlane
ConfigureIPOptionsSelectiveDrop
Disable(considerrisk)
IPsourcerouting
IPDirectedBroadcasts
ICMPredirects
LimitIPDirectedBroadcasts
ConfiguretACLs(considerrisk)
FilterICMP
FilterIPfragments
FilterIPoptions
FilterTTLvalues
Configurerequiredantispoofingprotections
ACLs
IPSourceGuard
DynamicARPInspection
UnicastRPF
Portsecurity
ControlPlaneProtection(controlplanecefexception)
ConfigureNetFlowandclassificationACLsfortrafficidentification
ConfigurerequiredaccesscontrolACLs(VLANmaps,PACLs,MAC)
ConfigurePrivateVLANs
Thethreefunctionalplanesofanetworkthemanagementplane,controlplane,anddataplaneeachprovidedifferent
functionalitythatneedstobeprotected.
ManagementPlaneThemanagementplanemanagestrafficthatissenttotheCiscoIOSdeviceandismadeupof
applicationsandprotocolssuchasSecureShell(SSH)andSimpleNetworkManagementProtocol(SNMP).
ControlPlaneThecontrolplaneofanetworkdeviceprocessesthetrafficthatisparamounttomaintainthe
functionalityofthenetworkinfrastructure.Thecontrolplaneconsistsofapplicationsandprotocolsbetweennetwork
devices,whichincludestheBorderGatewayProtocol(BGP),aswellastheInteriorGatewayProtocols(IGPs)suchas
theEnhancedInteriorGatewayRoutingProtocol(EIGRP)andOpenShortestPathFirst(OSPF).
DataPlaneThedataplaneforwardsdatathroughanetworkdevice.Thedataplanedoesnotincludetrafficthatissent
tothelocalCiscoIOSdevice.
ManagementPlane
listofprotocolsisusedbythemanagementplane:
SimpleNetworkManagementProtocol
Telnet
SecureShellProtocol
FileTransferProtocol
TrivialFileTransferProtocol
SecureCopyProtocol
TACACS+
RADIUS
NetFlow
NetworkTimeProtocol
Syslog
PasswordManagement
Theenablesecretcommandmustbeused,ratherthantheolderenablepasswordcommand
TheservicepasswordencryptionglobalconfigurationcommanddirectstheCiscoIOSsoftwaretoencryptthepasswords,
EnhancedPasswordSecurity
WiththeUsernamesecretcommand
LoginPasswordRetryLockout
aaanewmodel
aaalocalauthenticationattemptsmaxfail<maxattempts>
aaaauthenticationlogindefaultlocal
username<name>secret<password>
NoServicePasswordRecovery
theNoServicePasswordRecoveryfeaturedoesnotallowanyonewithconsoleaccesstoinsecurelyaccessthedevice
configurationandclearthepassword.Italsodoesnotallowmalicioususerstochangetheconfigurationregistervalueand
accessNVRAM.
noservicepasswordrecovery
DisableUnusedServices
Asasecuritybestpractice,anyunnecessaryservicemustbedisabled
noipfinger
noipbootpserver
ipdhcpbootpignore(disableBOOTP)
noservicedhcp
nomopenabled(disabletheMaintenanceOperationProtocol(MOP)service)
noipdomainlookup
noservicepad(PacketAssembler/Disassembler(PAD)service,whichisusedforX.25networks.)
noiphttpserver
noiphttpsecureserver
nocdpenable(interface)ornocdprun(global)
nolldptransmitandnolldpreceive(interface)ornolldprun(global)
EXECTimeout
linecon0
exectimeout<minutes>[seconds]
linevty04
exectimeout<minutes>[seconds]
KeepalivesforTCPSessions
servicetcpkeepalivesin
servicetcpkeepalivesout
ManagementInterfaceUse
Oneofthemostcommoninterfacesthatisusedforinbandaccesstoadeviceisthelogicalloopbackinterface.Loopback
interfacesarealwaysup,whereasphysicalinterfacescanchangestate,andtheinterfacecanpotentiallynotbeaccessible.
Itisrecommendedtoaddaloopbackinterfacetoeachdeviceasamanagementinterfaceandthatitbeusedexclusively
forthemanagementplane
Oncetheloopbackinterfaceisconfiguredonadevice,itcanbeusedbymanagementplaneprotocols,suchasSSH,
SNMP,andsyslog,inordertosendandreceivetraffic
interfaceLoopback0
ipaddress192.168.1.1255.255.255.0
MemoryThresholdNotifications
memoryfreelowwatermarkprocessor<threshold>
memoryfreelowwatermarkio<threshold>
memoryreservecritical<value>
CPUThresholdingNotification
snmpserverenabletrapscputhreshold
snmpserverhost<hostaddress><communitystring>cpu
processcputhresholdtype<type>rising<percentage>interval<seconds>
[falling<percentage>interval<seconds>]
processcpustatisticslimitentrypercentage<number>[size<seconds>]
ReserveMemoryforConsoleAccess
memoryreserveconsole4096
MemoryLeakDetector
showmemorydebugleaks
BufferOverflow:DetectionandCorrectionofRedzoneCorruption
exceptionmemoryignoreoverflowio
exceptionmemoryignoreoverflowprocessor
Onceconfigured,theshowmemoryoverflowcommand
NetworkTimeProtocol
NTPTimeZone
NTPAuthentication
LimitAccesstotheNetworkwithInfrastructureACLs
AniACLisconstructedandappliedinordertospecifyconnectionsfromhostsornetworksthatneedtobeallowedto
networkdevices.CommonexamplesofthesetypesofconnectionsareeBGP,SSH,andSNMP.Aftertherequired
connectionshavebeenpermitted,allothertraffictotheinfrastructureisexplicitlydenied.Alltransittrafficthatcrossesthe
networkandisnotdestinedtoinfrastructuredevicesisthenexplicitlypermitted.Example:
ipaccesslistextendedACLINFRASTRUCTUREIN
!Permitrequiredconnectionsforroutingprotocolsand
networkmanagement
permittcphost<trustedebgppeer>host<localebgpaddress>eq179
permittcphost<trustedebgppeer>eq179host<localebgpaddress>
permittcphost<trustedmanagementstations>anyeq22
permitudphost<trustednetmgmtservers>anyeq161
!DenyallotherIPtraffictoanynetworkdevice
denyipany<infrastructureaddressspace><mask>
!Permittransittraffic
permitipanyany
ICMPPacketFiltering
PermitICMPEcho(ping)fromtrustedmanagementstationsandservers
permiticmphost<trustedmanagementstations>anyecho
permiticmphost<trustednetmgmtservers>anyecho
permitipanyany
FilterIPFragments
ipaccesslistextendedACLFRAGMENTEXAMPLE
permittcpanyhost192.168.1.1eq80
denytcpanyhost192.168.1.1eq22
!DenyIPfragmentsusingprotocolspecificACEstoaidin
!classificationofattacktraffic
denytcpanyanyfragments
denyudpanyanyfragments
denyicmpanyanyfragments
denyipanyanyfragments
permitipanyany
ACLSupporttoFilteronTTLValue
Thegenerationandtransmissionofthesemessagesisanexceptionprocess.Routerscanperformthisfunctionwhenthe
numberofIPpacketsthatareduetoexpireislow,butifthenumberofpacketsduetoexpireishigh,generationand
transmissionofthesemessagescanconsumeallavailableCPUresources.ThispresentsaDoSattackvector.Itisforthis
reasonthatdevicesneedtobehardenedagainstDoSattacksthatutilizeahighrateofIPpacketsthatareduetoexpire.
ItisrecommendedthatorganizationsfilterIPpacketswithlowTTLvaluesattheedgeofthenetwork.Completelyfiltering
packetswithTTLvaluesinsufficienttotraversethenetworkmitigatesthethreatofTTLbasedattacks.
ThisexampleACLfilterspacketswithTTLvalueslessthansix.ThisprovidesprotectionagainstTTLexpiryattacksfor
networksuptofivehopsinwidth.
!DenyIPpacketswithTTLvaluesinsufficienttotraversethenetwork
denyipanyanyttllt6
permitipanyany
SecureInteractiveManagementSessions
ManagementPlaneProtection(MPP)allowsanadministratortorestrictonwhichinterfacesmanagementtrafficcanbe
receivedbyadevice
controlplanehost
managementinterfaceGigabitEthernet0/1allowsshhttps
EncryptManagementSessions
ipdomainnameexample.com
cryptokeygeneratersamodulus2048
ipsshversion2ornot
ipsshtimeout60
ipsshauthenticationretries3
ipsshsourceinterfaceGigabitEthernet0/1
linevty04
transportinputssh
!
ipscpserverenable
!
iphttpsecureserver
ThisexampleconfigurationenablestheuseofRSAkeyswithSSHv2onaCiscoIOSdevice:
!Configureahostnameforthedevice
hostnamerouter
!Configureadomainname
ipdomainnamecisco.com
!SpecifythenameoftheRSAkeypair(inthiscase,sshkeys)touseforSSH
ipsshrsakeypairnamesshkeys
!EnabletheSSHserverforlocalandremoteauthenticationontherouterusing
!thecryptokeygeneratecommand
!ForSSHversion2,themodulussizemustbeatleast768bits
cryptokeygeneratersausagekeyslabelsshkeysmodulus2048
!Configureansshtimeout(inseconds)
!Thefollowingenablesatimeoutof120secondsforSSHconnections
ipsshtimeout120
!Configurealimitoffive(5)authenticationretries
ipsshauthenticationretries5
!ConfigureSSHversion2
ipsshversion2
RefertoSecureShellVersion2EnhancementsforRSAKeysformoreinformationontheuseofRSAkeyswithSSHv2.
ThisexampleconfigurationenablestheCiscoIOSSSHservertoperformRSAbaseduserauthentication.Theuser
authenticationissuccessfuliftheRSApublickeystoredontheserverisverifiedwiththepublicortheprivatekeypair
storedontheclient.
!Configureahostnameforthedevice
hostnamerouter
!Configureadomainname
ipdomainnamecisco.com
!GenerateRSAkeypairsusingamodulusof2048bits
cryptokeygeneratersamodulus2048
!ConfigureSSHRSAkeysforuserandserverauthenticationontheSSHserver
ipsshpubkeychain
!ConfiguretheSSHusername
usernamesshuser
!SpecifytheRSApublickeyoftheremotepeer
!Youmustthenconfigureeitherthekeystringcommand
!(followedbytheRSApublickeyoftheremotepeer)orthe
keyhashcommand(followedbytheSSHkeytypeandversion.)
RefertoConfiguringtheCiscoIOSSSHServertoPerformRSABasedUserAuthenticationformoreinformationontheuse
ofRSAkeyswithSSHv2.
ThisexampleconfigurationenablestheCiscoIOSSSHclienttoperformRSAbasedserverauthentication.
hostnamerouter
ipdomainnamecisco.c
!GenerateRSAkeypairs
cryptokeygeneratersa
!ConfigureSSHRSAkeysforuserandserverauthenticationontheSSHserver
ipsshpubkeychain
!EnabletheSSHserverforpublickeyauthenticationontherouter
serverSSHservername
!SpecifytheRSApublickeyoftheremotepeer
!Youmustthenconfigureeitherthekeystringcommand
!(followedbytheRSApublickeyoftheremotepeer)orthe
keyhash<keytype><keyname>command(followedbytheSSHkey
!typeandversion.)
!EnsurethatserverauthenticationtakesplaceTheconnectionwillbe
!terminatedonafailure
ipsshstricthostkeycheck
ConsoleandAUXPorts
lineaux0
transportinputnoneortransportinputssh.
transportoutputnoneortransportoutputssh.
noexec
exectimeout01
nopassword
(transportinputoraccessclassconfiguration)IPSeccanbeusedforencryptedandsecureremoteaccessconnections
toadevice,ifsupported.IfyouuseIPSec,italsoaddsadditionalCPUoverheadtothedevice.However,SSHmuststillbe
enforcedasthetransportevenwhenIPSecisused.
WarningBanners
Noticethatthesystemistobeloggedintoorusedonlybyspecificallyauthorizedpersonnelandperhapsinformationabout
whocanauthorizeuse.
Noticethatanyunauthorizeduseofthesystemisunlawfulandcanbesubjecttocivilandcriminalpenalties.
Noticethatanyuseofthesystemcanbeloggedormonitoredwithoutfurthernoticeandthattheresultinglogscanbeused
asevidenceincourt.
Specificnoticesrequiredbylocallaws
Authentication,Authorization,andAccounting
aaanewmodel
aaaauthenticationlogindefaultgrouptacacs+
tacacsserverhost<ipaddressoftacacsserver>
tacacsserverkey<key>
AuthenticationFallback(ifAAAbecomeunavailable)
enablesecret<password>
UseofType7Passwords
DONTUSEIT
TACACS+CommandAuthorization(Example)
aaaauthorizationexecdefaultgrouptacacsnone
aaaauthorizationcommands0defaultgrouptacacsnone
or
aaaaccountingexecdefaultstartstopgrouptacacs
aaaaccountingcommands0defaultstartstopgrouptacacs
RedundantAAAServers
AvailabilityofAAAserversduringpotentialnetworkfailures
GeographicallydispersedplacementofAAAservers
LoadonindividualAAAserversinsteadystateandfailureconditions
NetworklatencybetweenNetworkAccessServersandAAAservers
AAAserverdatabasessynchronization
FortifytheSimpleNetworkManagementProtocol
ItiscriticalthatSNMPbeproperlysecuredinordertoprotecttheconfidentiality,integrity,andavailabilityofboththe
networkdataandthenetworkdevicesthroughwhichthisdatatransits.SNMPprovidesyouwithawealthofinformationon
thehealthofnetworkdevices.Thisinformationshouldbeprotectedfrommalicioususersthatwanttoleveragethisdatain
ordertoperformattacksagainstthenetwork.
SNMPCommunityStrings
snmpservercommunityREADONLYRO
snmpservercommunityREADWRITERW
SNMPCommunityStringswithACLs
accesslist98permit192.168.100.00.0.0.255
accesslist99permit192.168.100.1
snmpservercommunityREADONLYRO98
snmpservercommunityREADWRITERW99
SNMPViews
SNMPViewsareasecurityfeaturethatcanpermitordenyaccesstocertainSNMPMIBs(ManagementInformationBase
)
snmpserverviewVIEWSYSTEMONLYsysteminclude
snmpservercommunityLIMITEDviewVIEWSYSTEMONLYRO
SNMPVersion3
noauthThismodedoesnotrequireanyauthenticationnoranyencryptionofSNMPpackets
authThismoderequiresauthenticationoftheSNMPpacketwithoutencryption
privThismoderequiresbothauthenticationandencryption(privacy)ofeachSNMPpacket
AnauthoritativeengineIDmustexistinordertousetheSNMPv3securitymechanisms
#showsnmpengineID
Note:IftheengineIDischanged,allSNMPuseraccountsmustbereconfigured.
ThenextstepistoconfigureanSNMPv3group
snmpservergroupAUTHGROUPv3auth
ThiscommandconfiguresaCiscoIOSdeviceforSNMPv3withanSNMPservergroupPRIVGROUPandenablesboth
authenticationandencryptionforthisgroupwiththeprivkeyword
snmpservergroupPRIVGROUPv3priv
ThiscommandconfiguresanSNMPv3usersnmpv3userwithanMD5authenticationpasswordofauthpasswordanda
3DESencryptionpasswordofprivpassword
snmpserverusersnmpv3userPRIVGROUPv3authmd5authpasswordpriv3des
privpassword
ThiscommandconfiguresanSNMPv3usersnmpv3userwithanMD5authenticationpasswordofauthpasswordanda
3DESencryptionpasswordofprivpassword
ManagementPlaneProtection(MPP)
controlplanehost
managementinterfaceFastEthernet0/0allow(options)
LoggingBestPractices
SendLogstoaCentralLocation
logginghost<ipaddress>
OronaNonVolativeDisk
loggingbuffered
loggingpersistenturldisk0:/syslogsize134217728filesize16384
LoggingLevel(07)
Theglobalconfigurationcommandloggingtraplevelisusedinordertospecifywhichloggingmessagesaresentto
remotesyslogservers.Thelevelspecifiedindicatesthelowestseveritymessagethatissent.Forbufferedlogging,
theloggingbufferedlevelcommandisused.
loggingtrap6
loggingbuffered6
DoNotLogtoConsoleorMonitorSessions
nologgingconsole
nologgingmonitor
UseBufferedLogging
loggingbuffered163846
ConfigureLoggingSourceInterface
loggingsourceinterfaceLoopback0
ConfigureLoggingTimestamps
servicetimestampslogdatetimemsecshowtimezone
clocktimezonePST8
servicetimestampslogdatetimemseclocaltimeshowtimezone
ConfigurationReplaceandConfigurationRollback
archive
pathdisk0:archivedconfig
maximum14
timeperiod1440
writememory
ExclusiveConfigurationChangeAccess
configurationmodeexclusiveauto
CiscoIOSSoftwareResilientConfiguration
securebootimage
securebootconfig!
ConfigurationChangeNotificationandLogging
archive
logconfig
loggingenable
loggingsize200
hidekeys
notifysyslog
ControlPlane
Controlplanefunctionsconsistoftheprotocolsandprocessesthatcommunicatebetweennetworkdevicesinorderto
movedatafromsourcetodestination.ThisincludesroutingprotocolssuchastheBorderGatewayProtocol,aswellas
protocolslikeICMPandtheResourceReservationProtocol(RSVP).youcandisablethereceptionandtransmissionof
certaintypesofmessagesonaninterfaceinordertominimizetheamountofCPUloadthatisrequiredtoprocess
unneededpackets
IPICMPRedirects
noipredirects
ICMPUnreachables
noipunreachables
ipicmpratelimitunreachable
ProxyARP
noipproxyarp
LimitCPUImpactofControlPlaneTraffic
InorderproperlyprotectthecontrolplaneoftheCiscoIOSdevice,itisessentialtounderstandthetypesoftrafficthatis
processswitchedbytheCPU.Processswitchedtrafficnormallyconsistsoftwodifferenttypesoftraffic.Thefirsttypeof
trafficisdirectedtotheCiscoIOSdeviceandmustbehandleddirectlybytheCiscoIOSdeviceCPU.Thistrafficconsists
ofthiscategory:
Receiveadjacencytraffic(showipcef)
AccessControlListlogging
UnicastReversePathForwarding(UnicastRPF)
IPOptions
Fragmentation
Timetolive(TTL)Expiry
ICMPUnreachables
TrafficRequiringanARPRequest
NonIPTraffic
ControlPlanePolicing
DroppingtrafficfromunknownoruntrustedIPaddressescanpreventhostswithdynamicallyassignedIPaddressesfrom
connectingtotheCiscoIOSdevice
ControlPlaneProtection
PortfilteringfeatureThisfeatureprovidesforpolicinganddroppingofpacketsthataresenttoclosedornonlistening
TCPorUDPports.
QueuethresholdingfeatureThisfeaturelimitsthenumberofpacketsforaspecifiedprotocolthatareallowedinthe
controlplaneIPinputqueue.
SecureBGP
TheBorderGatewayProtocol(BGP)istheroutingfoundationoftheInternet.Assuch,anyorganizationwithmorethan
modestconnectivityrequirementsoftenusesBGP.BGPisoftentargetedbyattackersbecauseofitsubiquityandthe?set
andforget?natureofBGPconfigurationsinsmallerorganizations.However,therearemanyBGPspecificsecurityfeatures
thatcanbeleveragedtoincreasethesecurityofaBGPconfiguration.
TTLbasedSecurityProtections
Thisfeatureoftenrequirescoordinationfrompeeringroutershowever,onceenabled,itcancompletelydefeatmanyTCP
basedattacksagainstBGP
routerbgp<asn>
neighbor<ipaddress>remoteas<remoteasn>
neighbor<ipaddress>ttlsecurityhops<hopcount>
BGPPeerAuthenticationwithMD5
routerbgp<asn>
neighbor<ipaddress>password<secret>
ConfigureMaximumPrefixes
routerbgp<asn>
neighbor<ipaddress>maximumprefix<shutdownthreshold><logpercent>
FilterBGPPrefixeswithPrefixLists
PrefixlistsallowanetworkadministratortopermitordenyspecificprefixesthataresentorreceivedviaBGP.Prefixlists
shouldbeusedwherepossibleinordertoensurenetworktrafficissentovertheintendedpaths.Prefixlistsshouldbe
appliedtoeacheBGPpeerinboththeinboundandoutbounddirections
ipprefixlistBGPPLINBOUNDseq5permit0.0.0.0/0
ipprefixlistBGPPLOUTBOUNDseq5permit192.168.2.0/24
routerbgp<asn>
neighbor<ipaddress>prefixlistBGPPLINBOUNDin
neighbor<ipaddress>prefixlistBGPPLOUTBOUNDout
FilterBGPPrefixeswithAutonomousSystemPathAccessLists
ipaspathaccesslist1permit^65501$
ipaspathaccesslist2permit^$
routerbgp<asn>
neighbor<ipaddress>remoteas65501
neighbor<ipaddress>filterlist1in
neighbor<ipaddress>filterlist2out
SecureInteriorGatewayProtocols
RoutingProtocolAuthenticationandVerificationwithMessageDigest5
ThisisanexampleconfigurationforEIGRProuterauthenticationusingMD5:
keychain<keyname>
key<keyidentifier>
keystring<password>
interface<interface>
ipauthenticationmodeeigrp<asnumber>md5
ipauthenticationkeychaineigrp<asnumber><keyname>
ThisisanexampleMD5routerauthenticationconfigurationforRIPv2.RIPv1doesnotsupportauthentication.
keychain<keyname>
key<keyidentifier>
keystring<password>
ipripauthenticationmodemd5
ipripauthenticationkeychain<keyname>
ThisisanexampleconfigurationforOSPFrouterauthenticationusingMD5.OSPFdoesnotutilizeKeyChains.
ipospfmessagedigestkey<keyid>md5<password>
routerospf<processid>
network10.0.0.00.255.255.255area0
area0authenticationmessagedigest
PassiveInterfaceCommands
routereigrp<asnumber>
passiveinterfacedefault
nopassiveinterface<interface>
RouteFiltering
EIGRPandRIP,usageofthedistributelistcommandwiththeoutkeywordlimitswhatinformationisadvertised,while
usageoftheinkeywordlimitswhatupdatesareprocessed.ThedistributelistcommandisavailableforOSPF,butitdoes
notpreventarouterfrompropagatingfilteredroutes.Instead,theareafilterlistcommandcanbeused.
ThisEIGRPexamplefiltersoutboundadvertisementswiththedistributelistcommandandaprefixlist:
ipprefixlist<listname>seq10permit<prefix>
distributelistprefix<listname>out<interface>
ThisEIGRPexamplefiltersinboundupdateswithaprefixlist:
distributelistprefix<listname>in<interface>
ThisOSPFexampleusesaprefixlistwiththeOSPFspecificareafilterlistcommand:
area<areaid>filterlistprefix<listname>in
RoutingProcessResourceConsumption
RoutingProtocolprefixesarestoredbyarouterinmemory,andresourceconsumptionincreaseswithadditionalprefixes
thataroutermusthold.Inordertopreventresourceexhaustion,itisimportanttoconfiguretheroutingprotocoltolimit
resourceconsumption.ThisispossiblewithOSPFifyouusetheLinkStateDatabaseOverloadProtectionfeature
maxlsa<maximumnumber>
SecureFirstHopRedundancyProtocols
TheGatewayLoadBalancingProtocol(GLBP),HotStandbyRouterProtocol(HSRP),andVirtualRouterRedundancy
Protocol(VRRP)areallFHRPs.Bydefault,theseprotocolscommunicatewithunauthenticatedcommunications.Inorderto
preventthistypeofattack,allFHRPsthataresupportedbyCiscoIOSsoftwareincludeanauthenticationcapabilitywith
eitherMD5ortextstrings.BecauseofthethreatposedbyunauthenticatedFHRPs,itisrecommendedthatinstancesof
theseprotocolsuseMD5authentication
interfaceFastEthernet1
description***GLBPAuthentication***
glbp1authenticationmd5keystring<glbpsecret>
glbp1ip10.1.1.1
description***HSRPAuthentication***
standby1authenticationmd5keystring<hsrpsecret>
standby1ip10.2.2.1
description***VRRPAuthentication***
vrrp1authenticationmd5keystring<vrrpsecret>
vrrp1ip10.3.3.1
DataPlane
Althoughthedataplaneisresponsibleformovingdatafromsourcetodestination,withinthecontextofsecurity,thedata
planeistheleastimportantofthethreeplanes.Itisforthisreasonthatitisimportanttoprotectthemanagementand
controlplanesinpreferenceoverthedataplanewhenyousecureanetworkdevice
IPOptionsSelectiveDrop
TherearetwosecurityconcernspresentedbyIPoptions.TrafficthatcontainsIPoptionsmustbeprocessswitchedby
CiscoIOSdevices,whichcanleadtoelevatedCPUload.IPoptionsalsoincludethefunctionalitytoalterthepaththat
traffictakesthroughthenetwork,whichpotentiallyallowsittosubvertsecuritycontrols
ipoptions{drop|ignore}
DisableIPSourceRouting
IfIPoptionshavenotbeencompletelydisabledviatheIPOptionsSelectiveDropfeature,itisimportantthatIPsource
routingisdisabled.
noipsourceroute
DisableICMPRedirects
noipredirects
DisableorLimitIPDirectedBroadcasts
Ifanetworkabsolutelyrequiresdirectedbroadcastfunctionality,itsuseshouldbecontrolled.Thisispossiblewiththeuse
ofanaccesscontrollistasanoptiontotheipdirectedbroadcastcommand
accesslist100permitudp192.168.1.00.0.0.255any
ipdirectedbroadcast100
FilterTransitTrafficwithTransitACLs
ItispossibletocontrolwhattraffictransitsthenetworkwiththeuseoftransitACLs(tACLs).Thisisincontrastto
infrastructureACLsthatseektofiltertrafficthatisdestinedtothenetworkitself.ThefilteringprovidedbytACLsis
beneficialwhenitisdesirabletofiltertraffictoaparticulargroupofdevicesortrafficthattransitsthenetwork
ICMPPacketFiltering
ipaccesslistextendedACLTRANSITIN
!PermitICMPpacketsfromtrustednetworksonly
permiticmphost<trustednetworks>any
denyicmpanyany
FilterIPFragments
!DenyIPfragmentsusingprotocolspecificACEstoaidin
!classificationofattacktraffic
denytcpanyanyfragments
denyudpanyanyfragments
denyicmpanyanyfragments
denyipanyanyfragments
ACLSupportforFilteringIPOptions
!DenyIPpacketscontainingIPoptions
denyipanyanyoptionanyoptions
AntiSpoofingProtections
ManyattacksusesourceIPaddressspoofingtobeeffectiveortoconcealthetruesourceofanattackandhinderaccurate
traceback.CiscoIOSsoftwareprovidesUnicastRPFandIPSourceGuard(IPSG)inordertodeterattacksthatrelyon
sourceIPaddressspoofing.Inaddition,ACLsandnullroutingareoftendeployedasamanualmeansofspoofing
prevention.
UnicastRPF
UnicastRPFenablesadevicetoverifythatthesourceaddressofaforwardedpacketcanbereachedthroughtheinterface
thatreceivedthepacket.YoumustnotrelyonUnicastRPFastheonlyprotectionagainstspoofing.Spoofedpacketscould
enterthenetworkthroughaUnicastRPFenabledinterfaceifanappropriatereturnroutetothesourceIPaddressexists.
UnicastRPFreliesonyoutoenableCiscoExpressForwardingoneachdeviceandisconfiguredonaperinterfacebasis
ipcef
ipverifyunicastsourcereachablevia<mode>
IPSourceGuard
IPSourceGuardisaneffectivemeansofspoofingpreventionthatcanbeusedifyouhavecontroloverLayer2interfaces.
IPSourceGuardusesinformationfromDHCPsnoopingtodynamicallyconfigureaportaccesscontrollist(PACL)onthe
Layer2interface,denyinganytrafficfromIPaddressesthatarenotassociatedintheIPsourcebindingtable.
ipdhcpsnooping
ipdhcpsnoopingvlan<vlanrange>
afterDHCPsnoopingisenabled,thesecommandsenableIPSG:
interface<interfaceid>
ipverifysource
PortSecurity
Portsecuritycanbeenabledwiththeipverifysourceportsecurityinterfaceconfigurationcommand.Thisrequiresthe
globalconfigurationcommandipdhcpsnoopinginformationoptionadditionally,theDHCPservermustsupportDHCP
option82.
switchport
switchportmodeaccess
switchportportsecurity
switchportportsecuritymacaddresssticky
switchportportsecuritymaximum<number>
switchportportsecurityviolation<violationmode>
DynamicARPInspection
DynamicARPInspection(DAI)canbeusedinordertomitigateARPpoisoningattacksonlocalsegments.AnARP
poisoningattackisamethodinwhichanattackersendsfalsifiedARPinformationtoalocalsegment.Thisinformationis
designedinordertocorrupttheARPcacheofotherdevices.OftenanattackerusesARPpoisoninginordertoperforma
maninthemiddleattack.
ipdhcpsnooping
ipdhcpsnoopingvlan<vlanrange>
OnceDHCPsnoopinghasbeenenabled,thesecommandsenableDAI:
iparpinspectionvlan<vlanrange>
InnonDHCPenvironments,ARPACLsarerequiredtoenableDAI.Thisexampledemonstratesthebasic
configurationofDAIwithARPACLs:
arpaccesslist<aclname>
permitiphost<senderip>machost<sendermac>
iparpinspectionfilter<arpaclname>vlan<vlanrange>
AntiSpoofingACLs
ManuallyconfiguredACLscanprovidestaticantispoofingprotectionagainstattacksthatuseknownunusedanduntrusted
addressspace.Commonly,theseantispoofingACLsareappliedtoingresstrafficatnetworkboundariesasacomponentof
alargerACL.AntispoofingACLsrequireregularmonitoringbecausetheycanfrequentlychange.Spoofingcanbe
minimizedintrafficthatoriginatesfromthelocalnetworkifyouapplyoutboundACLsthatlimitthetraffictovalidlocal
addresses.
LimitCPUImpactofDataPlaneTraffic
Theprimarypurposeofroutersandswitchesistoforwardpacketsandframesthroughthedeviceonwardtofinal
destinations.Thesepackets,whichtransitthedevicesdeployedthroughoutthenetwork,canimpactCPUoperationsofa
device.Thedataplane,whichconsistsoftrafficthattransitsthenetworkdevice,shouldbesecuredtoensuretheoperation
ofthemanagementandcontrolplanes.Iftransittrafficcancauseadevicetoprocessswitchtraffic,thecontrolplaneofa
devicecanbeaffectedwhichmayleadtoanoperationaldisruption
TrafficIdentificationandTraceback
Attimes,youcanneedtoquicklyidentifyandtracebacknetworktraffic,especiallyduringincidentresponseorpoornetwork
performance.NetFlowandClassificationACLsarethetwoprimarymethodstoaccomplishthiswithCiscoIOSsoftware.
NetFlowcanprovidevisibilityintoalltrafficonthenetwork.Additionally,NetFlowcanbeimplementedwithcollectorsthat
canprovidelongtermtrendingandautomatedanalysis.ClassificationACLsareacomponentofACLsandrequirepre
planningtoidentifyspecifictrafficandmanualinterventionduringanalysis.Thesesectionsprovideabriefoverviewofeach
feature
NetFlow
CEF,ordistributedCEF,isaprerequisitetoenablingNetFlow.NetFlowcanbeconfiguredonroutersandswitches
ipflowexportdestination<ipaddress><udpport>
ipflowexportversion<version>
ipflow<ingess|egress>
ClassificationACLs
AnadministratorcanexpediteanincidentresponsebyusingclassificationACLswiththeshowaccesslistandclearip
accesslistcountersEXECcommands
ipaccesslistextendedACLSMBCLASSIFY
remarkExistingcontentsofACL
remarkClassificationofSMBspecificTCPtraffic
denytcpanyanyeq139
denytcpanyanyeq445
denyipanyany
showaccesslistACLSMBCLASSIFY
AccessControlwithVLANMapsandPortAccessControlLists
VACLs,orVLANmapsthatapplytoallpacketsthatentertheVLAN,providethecapabilitytoenforceaccesscontrolon
intraVLANtraffic.ThisisnotpossiblewithACLsonroutedinterfaces.Forexample,aVLANmapmightbeusedinorderto
preventhoststhatarecontainedwithinthesameVLANfromcommunicationwitheachother,whichreducesopportunities
forlocalattackersorwormstoexploitahostonthesamenetworksegment.InordertodenypacketsfromusingaVLAN
map,youcancreateanaccesscontrollist(ACL)thatmatchesthetrafficand,intheVLANmap,settheactiontodrop.
OnceaVLANmapisconfigured,allpacketsthatentertheLANaresequentiallyevaluatedagainsttheconfiguredVLAN
map.VLANaccessmapssupportIPv4andMACaccesslistshowever,theydonotsupportloggingorIPv6ACLs.
ipaccesslistextended<aclname>
permit<protocol><sourceaddress><sourceport><destinationaddress>
<destinationport>
vlanaccessmap<name><number>
matchipaddress<aclname>
action<drop|forward>
ThisexampledemonstratestheuseofaVLANmapinordertodenyTCPports139and445aswellasthevinesip
protocol:
ipaccesslistextendedVACLMATCHANY
permitipanyany
ipaccesslistextendedVACLMATCHPORTS
permittcp192.168.1.00.0.0.255192.168.1.00.0.0.255eq445
permittcp192.168.1.00.0.0.255192.168.1.00.0.0.255eq139
macaccesslistextendedVACLMATCHVINES
permitanyanyvinesip
vlanaccessmapVACL10
matchipaddressVACLMATCHVINES
actiondrop
vlanaccessmapVACL20
matchipaddressVACLMATCHPORTS
actiondrop
vlanaccessmapVACL30
matchipaddressVACLMATCHANY
actionforward
vlanfilterVACLvlan100
AccessControlwithPACLs(PortsACL)
ipaccesslistextended<aclname>
permit<protocol><sourceaddress><sourceport><destinationaddress>
<destinationport>
interface<type><slot/port>
switchportmodeaccess
switchportaccessvlan<vlan_number>
ipaccessgroup<aclname>in
AccessControlwithMAC
Cat6KIOS(configif)#macpacketclassify
PrivateVLANUse
PrivateVLANs(PVLANs)areaLayer2securityfeaturethatlimitsconnectivitybetweenworkstationsorserverswithina
VLAN.WithoutPVLANs,alldevicesonaLayer2VLANcancommunicatefreely.Networkingsituationsexistwhere
securitycanbeaidedbylimitingcommunicationbetweendevicesonasingleVLAN.Forexample,PVLANsareoftenused
inordertoprohibitcommunicationbetweenserversinapubliclyaccessiblesubnet.Shouldasingleserverbecome
compromised,thelackofconnectivitytootherserversduetotheapplicationofPVLANsmighthelplimitthecompromiseto
theoneserver.
TherearethreetypesofPrivateVLANs:isolatedVLANs,communityVLANs,andprimaryVLANs.Theconfigurationof
PVLANsmakesuseofprimaryandsecondaryVLANs.TheprimaryVLANcontainsallpromiscuousports,whichare
describedlater,andincludesoneormoresecondaryVLANs,whichcanbeeitherisolatedorcommunityVLANs.
vlan11
privatevlanisolated
vlan20
privatevlanprimary
privatevlanassociation11
interfaceFastEthernet1/1
description***PortinIsolatedVLAN***
switchportmodeprivatevlanhost
switchportprivatevlanhostassociation2011
CommunityVLANs
vlan12
privatevlancommunity
vlan20
privatevlanprimary
description***PortinCommunityVLAN***
PromiscuousPorts
SwitchportsthatareplacedintotheprimaryVLANareknownaspromiscuousports.Promiscuousportscancommunicate
withallotherportsintheprimaryandsecondaryVLANs.Routerorfirewallinterfacesarethemostcommondevicesfound
ontheseVLANs.
vlan11
privatevlanisolated
vlan12
privatevlancommunity
vlan20
privatevlanprimary
description***PortinIsolatedVLAN***
description***PortinCommunityVLAN***
description***PromiscuousPort***
switchportmodeprivatevlanpromiscuous
switchportprivatevlanmapping20add1112
WhenyouimplementPVLANs,itisimportanttoensurethattheLayer3configurationinplacesupportstherestrictionsthat
areimposedbyPVLANsanddoesnotallowforthePVLANconfigurationtobesubverted.Layer3filteringwithaRouter
ACLorfirewallcanpreventthesubversionofthePVLANconfiguration
Previouspost Nextpost

Cisco IOS Devices Best Practices - Patrick Denis

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Cisco IOS Devices Best Practices - Patrick Denis

Diunggah oleh

Hak Cipta:

Format Tersedia

31/01/2017 CiscoIOSDevicesBestPractices|PatrickDenis

Anda mungkin juga menyukai