Cisco IOS Devices Best Practices
admin | September 28, 2015 | 0 Comments
Categories: Cisco, Routing and Switching, Security
This checklist is a collection of all the hardening steps that are presented in this guide. Administrators can use it as a reminder of all the hardening features used and considered for a Cisco IOS device, even if a feature was not implemented because it did not apply. Administrators are advised to evaluate each option for its potential risk before they implement the option.
Management Plane
  Passwords
    Enable MD5 hashing (secret option) for enable and local user passwords
    Configure the password retry lockout
    Disable password recovery (consider risk)
  Disable unused services
  Configure TCP keepalives for management sessions
  Set memory and CPU threshold notifications
    Configure
      Memory and CPU threshold notifications
      Reserve memory for console access
      Memory leak detector
      Buffer overflow detection
      Enhanced crashinfo collection
  Use iACLs to restrict management access
    Filter (consider risk)
      ICMP packets
      IP fragments
      IP options
      TTL value in packets
  Control Plane Protection
    Configure port filtering
    Configure queue thresholds
  Management access
    Use Management Plane Protection to restrict management interfaces
    Set exec timeout
    Use an encrypted transport protocol (such as SSH) for CLI access
    Control transport for vty and tty lines (access class option)
    Warn using banners
  AAA
    Use AAA for authentication and fallback
    Use AAA (TACACS+) for command authorization
http://www.patrickdenis.biz/blog/hardenciscoiosdevices/
31/01/2017 Cisco IOS Devices Best Practices | Patrick Denis
    Use AAA for accounting
    Use redundant AAA servers
  SNMP
    Configure SNMPv2 communities and apply ACLs
    Configure SNMPv3
  Logging
    Configure centralized logging
    Set logging levels for all relevant components
    Set logging source interface
    Configure logging timestamp granularity
  Configuration Management
    Replace and rollback
    Exclusive Configuration Change Access
    Software resilience configuration
    Configuration change notifications
Control Plane
  Disable (consider risk)
    ICMP redirects
    ICMP unreachables
    Proxy ARP
  Configure NTP authentication if NTP is being used
  Configure Control Plane Policing/Protection (port filtering, queue thresholds)
  Secure routing protocols
    BGP (TTL, MD5, maximum prefixes, prefix lists, autonomous system path ACLs)
    IGP (MD5, passive interface, route filtering, resource consumption)
  Configure hardware rate limiters
  Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)
Data Plane
  Configure IP Options Selective Drop
  Disable (consider risk)
    IP source routing
    IP Directed Broadcasts
    ICMP redirects
  Limit IP Directed Broadcasts
  Configure tACLs (consider risk)
    Filter ICMP
    Filter IP fragments
    Filter IP options
    Filter TTL values
  Configure required anti-spoofing protections
    ACLs
    IP Source Guard
    Dynamic ARP Inspection
    Unicast RPF
    Port security
  Control Plane Protection (control-plane cef exception)
  Configure NetFlow and classification ACLs for traffic identification
  Configure required access control ACLs (VLAN maps, PACLs, MAC)
  Configure Private VLANs
The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

Management Plane: The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as Secure Shell (SSH) and Simple Network Management Protocol (SNMP).

Control Plane: The control plane of a network device processes the traffic that is paramount to maintain the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

Data Plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.
Management Plane

The following list of protocols is used by the management plane:
  Simple Network Management Protocol
  Telnet
  Secure Shell Protocol
  File Transfer Protocol
  Trivial File Transfer Protocol
  Secure Copy Protocol
  TACACS+
  RADIUS
  NetFlow
  Network Time Protocol
  Syslog

Password Management
The enable secret command must be used, rather than the older enable password command.
The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords,

Enhanced Password Security
With the username secret command
Login Password Retry Lockout
  aaa new-model
  aaa local authentication attempts max-fail <max-attempts>
  aaa authentication login default local
  username <name> secret <password>

No Service Password-Recovery
The No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.
  no service password-recovery

Disable Unused Services
As a security best practice, any unnecessary service must be disabled.
  no ip finger
  no ip bootp server
  ip dhcp bootp ignore  (disable BOOTP)
  no service dhcp
  no mop enabled  (disable the Maintenance Operation Protocol (MOP) service)
  no ip domain-lookup
  no service pad  (Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks)
  no ip http server
  no ip http secure-server
  no cdp enable (interface) or no cdp run (global)
  no lldp transmit and no lldp receive (interface) or no lldp run (global)

EXEC Timeout
  line con 0
   exec-timeout <minutes> [seconds]
  line vty 0 4
   exec-timeout <minutes> [seconds]

Keepalives for TCP Sessions
  service tcp-keepalives-in
  service tcp-keepalives-out

Management Interface Use
One of the most common interfaces that is used for in-band access to a device is the logical loopback interface. Loopback interfaces are always up, whereas physical interfaces can change state, and the interface can potentially not be accessible. It is recommended to add a loopback interface to each device as a management interface and that it be used exclusively for the management plane.
Once the loopback interface is configured on a device, it can be used by management plane protocols, such as SSH, SNMP, and syslog, in order to send and receive traffic.
  interface Loopback0
   ip address 192.168.1.1 255.255.255.0

Memory Threshold Notifications
  memory free low-watermark processor <threshold>
  memory free low-watermark io <threshold>
  memory reserve critical <value>

CPU Thresholding Notification
  snmp-server enable traps cpu threshold
  snmp-server host <host-address> <community-string> cpu
  process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
  process cpu statistics limit entry-percentage <number> [size <seconds>]

Reserve Memory for Console Access
  memory reserve console 4096

Memory Leak Detector
  show memory debug leaks

Buffer Overflow: Detection and Correction of Redzone Corruption
  exception memory ignore overflow io
  exception memory ignore overflow processor
Once configured, the show memory overflow command

Network Time Protocol
NTP Time Zone
NTP Authentication

Limit Access to the Network with Infrastructure ACLs
An iACL is constructed and applied in order to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted. Example:
  ip access-list extended ACL-INFRASTRUCTURE-IN
   ! Permit required connections for routing protocols and
   ! network management
   permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179
   permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address>
   permit tcp host <trusted-management-stations> any eq 22
   permit udp host <trusted-netmgmt-servers> any eq 161
   ! Deny all other IP traffic to any network device
   deny ip any <infrastructure-address-space> <mask>
   ! Permit transit traffic
   permit ip any any

ICMP Packet Filtering
  ip access-list extended ACL-INFRASTRUCTURE-IN
   ! Permit ICMP Echo (ping) from trusted management stations and servers
   permit icmp host <trusted-management-stations> any echo
   permit icmp host <trusted-netmgmt-servers> any echo
   ! Deny all other IP traffic to any network device
   deny ip any <infrastructure-address-space> <mask>
   ! Permit transit traffic
   permit ip any any

Filter IP Fragments
  ip access-list extended ACL-FRAGMENT-EXAMPLE
   permit tcp any host 192.168.1.1 eq 80
   deny tcp any host 192.168.1.1 eq 22

  ip access-list extended ACL-INFRASTRUCTURE-IN
   ! Deny IP fragments using protocol-specific ACEs to aid in
   ! classification of attack traffic
   deny tcp any any fragments
   deny udp any any fragments
   deny icmp any any fragments
   deny ip any any fragments
   ! Deny all other IP traffic to any network device
   deny ip any <infrastructure-address-space> <mask>
   ! Permit transit traffic
   permit ip any any

ACL Support to Filter on TTL Value
The generation and transmission of TTL-expiry (ICMP Time Exceeded) messages is an exception process. Routers can perform this function when the number of IP packets that are due to expire is low, but if the number of packets due to expire is high, generation and transmission of these messages can consume all available CPU resources. This presents a DoS attack vector. It is for this reason that devices need to be hardened against DoS attacks that utilize a high rate of IP packets that are due to expire. It is recommended that organizations filter IP packets with low TTL values at the edge of the network. Completely filtering packets with TTL values insufficient to traverse the network mitigates the threat of TTL-based attacks.
This example ACL filters packets with TTL values less than six. This provides protection against TTL expiry attacks for networks up to five hops in width.
  ip access-list extended ACL-INFRASTRUCTURE-IN
   ! Deny IP packets with TTL values insufficient to traverse the network
   deny ip any any ttl lt 6
   ! Deny all other IP traffic to any network device
   deny ip any <infrastructure-address-space> <mask>
   ! Permit transit traffic
   permit ip any any
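An infrastructure ACL is evaluated top-down with a first match, so the fragment and TTL entries only do their job because they sit before the permits. The following Python evaluator is an added example, not code from the original post: it models that first-match logic (including the IOS rule that an ACE carrying Layer 4 information never matches a non-initial fragment) and runs the combined ACL-INFRASTRUCTURE-IN over constructed sample packets. All addresses are RFC 5737 documentation ranges chosen for this example, standing in for the <...> placeholders in the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # Layer 4 destination port
    sport: Optional[int] = None       # Layer 4 source port
    icmp_type: Optional[str] = None   # e.g. "echo"
    ttl: int = 64
    fragment: bool = False            # True for a non-initial fragment (no L4 header)


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol
    src: str                          # "any", a host address or a CIDR prefix
    dst: str
    dport: Optional[int] = None       # "eq <port>" on the destination
    sport: Optional[int] = None       # "eq <port>" on the source
    icmp_type: Optional[str] = None   # ICMP type keyword such as "echo"
    ttl_lt: Optional[int] = None      # "ttl lt <n>"
    fragments: bool = False           # "fragments" keyword: non-initial fragments only

    def has_l4(self) -> bool:
        return any(v is not None for v in (self.dport, self.sport, self.icmp_type))

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not (_in_range(p.src, self.src) and _in_range(p.dst, self.dst)):
            return False
        if self.fragments and not p.fragment:
            return False
        if self.ttl_lt is not None and not p.ttl < self.ttl_lt:
            return False
        if self.has_l4():
            # IOS: an ACE with Layer 4 information never matches a non-initial
            # fragment, because the fragment carries no Layer 4 header to compare.
            if p.fragment:
                return False
            if self.dport is not None and p.dport != self.dport:
                return False
            if self.sport is not None and p.sport != self.sport:
                return False
            if self.icmp_type is not None and p.icmp_type != self.icmp_type:
                return False
        return True


def _in_range(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Ace], packet: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching ACE). IOS ends every ACL with an
    implicit 'deny ip any any', reported here as index len(acl)."""
    for idx, ace in enumerate(acl):
        if ace.matches(packet):
            return ace.action, idx
    return "deny", len(acl)


# Constructed placeholders for the <...> values in the post (RFC 5737 ranges).
INFRA_SPACE = "192.0.2.0/24"      # <infrastructure-address-space> <mask>
LOCAL_EBGP = "192.0.2.1"          # <local-ebgp-address>
TRUSTED_PEER = "198.51.100.1"     # <trusted-ebgp-peer>
MGMT_STATION = "203.0.113.10"     # <trusted-management-stations>
NETMGMT_SERVER = "203.0.113.20"   # <trusted-netmgmt-servers>

ACL_INFRASTRUCTURE_IN: List[Ace] = [
    # Deny IP fragments using protocol-specific ACEs (classification)
    Ace("deny", "tcp", "any", "any", fragments=True),
    Ace("deny", "udp", "any", "any", fragments=True),
    Ace("deny", "icmp", "any", "any", fragments=True),
    Ace("deny", "ip", "any", "any", fragments=True),
    # Deny packets whose TTL cannot traverse a network five hops wide
    Ace("deny", "ip", "any", "any", ttl_lt=6),
    # Required connections: eBGP, SSH, SNMP and ICMP echo from trusted hosts
    Ace("permit", "tcp", TRUSTED_PEER, LOCAL_EBGP, dport=179),
    Ace("permit", "tcp", TRUSTED_PEER, LOCAL_EBGP, sport=179),
    Ace("permit", "tcp", MGMT_STATION, "any", dport=22),
    Ace("permit", "udp", NETMGMT_SERVER, "any", dport=161),
    Ace("permit", "icmp", MGMT_STATION, "any", icmp_type="echo"),
    # Deny all other IP traffic to any network device
    Ace("deny", "ip", "any", INFRA_SPACE),
    # Permit transit traffic
    Ace("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    samples = {
        "ssh from mgmt station": Packet("tcp", MGMT_STATION, LOCAL_EBGP, dport=22),
        "ssh from unknown host": Packet("tcp", "198.51.100.77", LOCAL_EBGP, dport=22),
        "transit web traffic": Packet("tcp", "198.51.100.77", "10.0.0.5", dport=80),
        "fragment from mgmt": Packet("tcp", MGMT_STATION, LOCAL_EBGP, fragment=True),
        "transit with ttl 3": Packet("tcp", "198.51.100.77", "10.0.0.5", dport=80, ttl=3),
    }
    for name, pkt in samples.items():
        action, idx = evaluate(ACL_INFRASTRUCTURE_IN, pkt)
        print(f"{name:24s} -> {action} (ACE {idx})")
```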
Secure Interactive Management Sessions
Management Plane Protection (MPP) allows an administrator to restrict on which interfaces management traffic can be received by a device.
  control-plane host
   management-interface GigabitEthernet 0/1 allow ssh https

Encrypt Management Sessions
  ip domain-name example.com
  crypto key generate rsa modulus 2048
  ip ssh version 2  (or not)
  ip ssh time-out 60
  ip ssh authentication-retries 3
  ip ssh source-interface GigabitEthernet 0/1
  line vty 0 4
   transport input ssh
  !
  ip scp server enable
  !
  ip http secure-server

This example configuration enables the use of RSA keys with SSHv2 on a Cisco IOS device:
  ! Configure a hostname for the device
  hostname router
  ! Configure a domain name
  ip domain-name cisco.com
  ! Specify the name of the RSA key pair (in this case, sshkeys) to use for SSH
  ip ssh rsa keypair-name sshkeys
  ! Enable the SSH server for local and remote authentication on the router using
  ! the crypto key generate command
  ! For SSH version 2, the modulus size must be at least 768 bits
  crypto key generate rsa usage-keys label sshkeys modulus 2048
  ! Configure an ssh timeout (in seconds)
  ! The following enables a timeout of 120 seconds for SSH connections
  ip ssh time-out 120
  ! Configure a limit of five (5) authentication retries
  ip ssh authentication-retries 5
  ! Configure SSH version 2
  ip ssh version 2
Refer to Secure Shell Version 2 Enhancements for RSA Keys for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH server to perform RSA-based user authentication. The user authentication is successful if the RSA public key stored on the server is verified with the public or the private key pair stored on the client.
  ! Configure a hostname for the device
  hostname router
  ! Configure a domain name
  ip domain-name cisco.com
  ! Generate RSA key pairs using a modulus of 2048 bits
  crypto key generate rsa modulus 2048
  ! Configure SSH-RSA keys for user and server authentication on the SSH server
  ip ssh pubkey-chain
  ! Configure the SSH username
   username ssshuser
  ! Specify the RSA public key of the remote peer
  ! You must then configure either the key-string command
  ! (followed by the RSA public key of the remote peer) or the
  ! key-hash command (followed by the SSH key type and version.)
Refer to Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH client to perform RSA-based server authentication.
  hostname router
  ip domain-name cisco.c
  ! Generate RSA key pairs
  crypto key generate rsa
  ! Configure SSH-RSA keys for user and server authentication on the SSH server
  ip ssh pubkey-chain
  ! Enable the SSH server for public-key authentication on the router
   server SSH-server-name
  ! Specify the RSA public key of the remote peer
  ! You must then configure either the key-string command
  ! (followed by the RSA public key of the remote peer) or the
  ! key-hash <key-type> <key-name> command (followed by the SSH key
  ! type and version.)
  ! Ensure that server authentication takes place. The connection will be
  ! terminated on a failure
  ip ssh stricthostkeycheck
Console and AUX Ports
  line aux 0
   transport input none  (or transport input ssh)
   transport output none  (or transport output ssh)
   no exec
   exec-timeout 0 1
   no password
(transport input or access-class configuration) IPSec can be used for encrypted and secure remote access connections to a device, if supported. If you use IPSec, it also adds additional CPU overhead to the device. However, SSH must still be enforced as the transport even when IPSec is used.

Warning Banners
  Notice that the system is to be logged into or used only by specifically authorized personnel and perhaps information about who can authorize use.
  Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
  Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be used as evidence in court.
  Specific notices required by local laws.

Authentication, Authorization, and Accounting
  aaa new-model
  aaa authentication login default group tacacs+
  tacacs-server host <ip-address-of-tacacs-server>
  tacacs-server key <key>

Authentication Fallback (if AAA becomes unavailable)
  enable secret <password>

Use of Type 7 Passwords
DON'T USE IT

TACACS+ Command Authorization (Example)
  aaa authorization exec default group tacacs+ none
  aaa authorization commands 0 default group tacacs+ none
  aaa authorization commands 1 default group tacacs+ none
  aaa authorization commands 15 default group tacacs+ none
or
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 0 default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
Redundant AAA Servers
  Availability of AAA servers during potential network failures
  Geographically dispersed placement of AAA servers
  Load on individual AAA servers in steady state and failure conditions
  Network latency between Network Access Servers and AAA servers
  AAA server database synchronization

Fortify the Simple Network Management Protocol
It is critical that SNMP be properly secured in order to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides you with a wealth of information on the health of network devices. This information should be protected from malicious users that want to leverage this data in order to perform attacks against the network.

SNMP Community Strings
  snmp-server community READONLY RO
  snmp-server community READWRITE RW

SNMP Community Strings with ACLs
  access-list 98 permit 192.168.100.0 0.0.0.255
  access-list 99 permit 192.168.100.1
  snmp-server community READONLY RO 98
  snmp-server community READWRITE RW 99

SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs (Management Information Bases).
  snmp-server view VIEW-SYSTEM-ONLY system include
  snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO

SNMP Version 3
  noauth: This mode does not require any authentication nor any encryption of SNMP packets.
  auth: This mode requires authentication of the SNMP packet without encryption.
  priv: This mode requires both authentication and encryption (privacy) of each SNMP packet.
An authoritative engine ID must exist in order to use the SNMPv3 security mechanisms:
  # show snmp engineID
Note: If the engine ID is changed, all SNMP user accounts must be reconfigured.
The next step is to configure an SNMPv3 group:
  snmp-server group AUTHGROUP v3 auth
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group with the priv keyword:
  snmp-server group PRIVGROUP v3 priv
This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword:
  snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword
Management Plane Protection (MPP)
  control-plane host
   management-interface FastEthernet 0/0 allow (options)

Logging Best Practices

Send Logs to a Central Location
  logging host <ip-address>
Or on a Non-Volatile Disk
  logging buffered
  logging persistent url disk0:/syslog size 134217728 filesize 16384

Logging Level (0-7)
The global configuration command logging trap level is used in order to specify which logging messages are sent to remote syslog servers. The level specified indicates the lowest severity message that is sent. For buffered logging, the logging buffered level command is used.
  logging trap 6
  logging buffered 6

Do Not Log to Console or Monitor Sessions
  no logging console
  no logging monitor

Use Buffered Logging
  logging buffered 16384 6

Configure Logging Source Interface
  logging source-interface Loopback 0

Configure Logging Timestamps
  service timestamps log datetime msec show-timezone
  clock timezone PST -8
  service timestamps log datetime msec localtime show-timezone

Configuration Replace and Configuration Rollback
  archive
   path disk0:archived-config
   maximum 14
   time-period 1440
   write-memory

Exclusive Configuration Change Access
  configuration mode exclusive auto

Cisco IOS Software Resilient Configuration
  secure boot-image
  secure boot-config

Configuration Change Notification and Logging
  archive
   log config
    logging enable
    logging size 200
    hidekeys
    notify syslog
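The management-plane items above are easy to lose track of across many devices. As an added example (not code from the original post), the following Python script reads a saved running-config and checks it against a subset of the checklist: enable secret, service password-encryption, AAA, Type 7 passwords, SSH version 2, TCP keepalives, logging, SNMP community ACLs, banners, vty transport and exec-timeout. The sample configuration, its addresses and the check names are constructed for this example; the audit is purely textual and only sees what the saved config prints, so settings IOS leaves at their default are not evaluated.

```python
import re
from typing import Dict, List

# Constructed sample "show running-config" output (not from the post). It mixes
# hardened and unhardened settings so the audit has findings to report.
SAMPLE_CONFIG = """\
hostname edge-router
aaa new-model
service password-encryption
service tcp-keepalives-in
enable secret 5 $1$PLACEHOLDER$constructedhash
username admin password 7 0123456789ABCD
ip ssh version 2
snmp-server community READONLY RO
snmp-server community LIMITED RO 98
logging host 203.0.113.20
service timestamps log datetime msec show-timezone
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 10 0
"""


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their parent command (e.g. 'line vty 0 4').
    Top-level commands are collected under the key ''."""
    sections: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            sections[""].append(current)
    return sections


def audit(text: str) -> Dict[str, bool]:
    """Map each check to True (hardening present) or False (finding)."""
    sections = parse_sections(text)
    top = sections[""]

    def has(pattern: str) -> bool:
        return any(re.match(pattern, cmd) for cmd in top)

    lines = {name: cmds for name, cmds in sections.items() if name.startswith("line ")}
    vty = {name: cmds for name, cmds in lines.items() if name.startswith("line vty")}

    return {
        "enable secret instead of enable password":
            has(r"enable secret ") and not has(r"enable password "),
        "service password-encryption": has(r"service password-encryption$"),
        "aaa new-model": has(r"aaa new-model$"),
        # Type 7 is reversible, so any 'password 7 <string>' is a finding
        "no Type 7 passwords": not any(re.search(r"\bpassword 7 \S+", c) for c in top),
        "ip ssh version 2": has(r"ip ssh version 2$"),
        "tcp keepalives in and out":
            has(r"service tcp-keepalives-in$") and has(r"service tcp-keepalives-out$"),
        "logging host configured": has(r"logging host "),
        "logging timestamps with msec": has(r"service timestamps log datetime msec"),
        # A community ending in RO/RW with no trailing ACL number is unrestricted
        "snmp communities restricted by ACL":
            not has(r"snmp-server community \S+ (RO|RW)$"),
        "banner login present": has(r"banner login "),
        "vty transport input ssh only":
            bool(vty) and all("transport input ssh" in cmds for cmds in vty.values()),
        # 'exec-timeout 0 0' disables the timer, so it does not count
        "exec-timeout on every line":
            bool(lines) and all(
                any(c.startswith("exec-timeout ") and c != "exec-timeout 0 0" for c in cmds)
                for cmds in lines.values()),
    }


def findings(text: str) -> List[str]:
    """Sorted names of the checks that failed."""
    return sorted(name for name, ok in audit(text).items() if not ok)


if __name__ == "__main__":
    for name in findings(SAMPLE_CONFIG):
        print("FINDING:", name)
```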
Control Plane
Control plane functions consist of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the Resource Reservation Protocol (RSVP). You can disable the reception and transmission of certain types of messages on an interface in order to minimize the amount of CPU load that is required to process unneeded packets.

IP ICMP Redirects
  no ip redirects

ICMP Unreachables
  no ip unreachables
  ip icmp rate-limit unreachable

Proxy ARP
  no ip proxy-arp

Limit CPU Impact of Control Plane Traffic
In order to properly protect the control plane of the Cisco IOS device, it is essential to understand the types of traffic that are process switched by the CPU. Process switched traffic normally consists of two different types of traffic. The first type of traffic is directed to the Cisco IOS device and must be handled directly by the Cisco IOS device CPU. This traffic falls into these categories:
  Receive adjacency traffic (show ip cef)
  Access Control List logging
  Unicast Reverse Path Forwarding (Unicast RPF)
  IP Options
  Fragmentation
  Time-to-Live (TTL) Expiry
  ICMP Unreachables
  Traffic Requiring an ARP Request
  Non-IP Traffic

Control Plane Policing
Dropping traffic from unknown or untrusted IP addresses can prevent hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device.

Control Plane Protection
  Port filtering feature: This feature provides for policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
  Queue thresholding feature: This feature limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.

Secure BGP
The Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often uses BGP. BGP is often targeted by attackers because of its ubiquity and the "set and forget" nature of BGP configurations in smaller organizations. However, there are many BGP-specific security features that can be leveraged to increase the security of a BGP configuration.

TTL-based Security Protections
This feature often requires coordination from peering routers; however, once enabled, it can completely defeat many TCP-based attacks against BGP.
  router bgp <asn>
   neighbor <ip-address> remote-as <remote-asn>
   neighbor <ip-address> ttl-security hops <hop-count>

BGP Peer Authentication with MD5
  router bgp <asn>
   neighbor <ip-address> remote-as <remote-asn>
   neighbor <ip-address> password <secret>

Configure Maximum Prefixes
  router bgp <asn>
   neighbor <ip-address> remote-as <remote-asn>
   neighbor <ip-address> maximum-prefix <shutdown-threshold> <log-percent>
Filter BGP Prefixes with Prefix Lists
Prefix lists allow a network administrator to permit or deny specific prefixes that are sent or received via BGP. Prefix lists should be used where possible in order to ensure network traffic is sent over the intended paths. Prefix lists should be applied to each eBGP peer in both the inbound and outbound directions.
  ip prefix-list BGP-PL-INBOUND seq 5 permit 0.0.0.0/0
  ip prefix-list BGP-PL-OUTBOUND seq 5 permit 192.168.2.0/24
  router bgp <asn>
   neighbor <ip-address> prefix-list BGP-PL-INBOUND in
   neighbor <ip-address> prefix-list BGP-PL-OUTBOUND out

Filter BGP Prefixes with Autonomous System Path Access Lists
  ip as-path access-list 1 permit ^65501$
  ip as-path access-list 2 permit ^$
  router bgp <asn>
   neighbor <ip-address> remote-as 65501
   neighbor <ip-address> filter-list 1 in
   neighbor <ip-address> filter-list 2 out

Secure Interior Gateway Protocols

Routing Protocol Authentication and Verification with Message Digest 5
This is an example configuration for EIGRP router authentication using MD5:
  key chain <key-name>
   key <key-identifier>
    key-string <password>
  interface <interface>
   ip authentication mode eigrp <as-number> md5
   ip authentication key-chain eigrp <as-number> <key-name>

This is an example MD5 router authentication configuration for RIPv2. RIPv1 does not support authentication.
  key chain <key-name>
   key <key-identifier>
    key-string <password>
  interface <interface>
   ip rip authentication mode md5
   ip rip authentication key-chain <key-name>

This is an example configuration for OSPF router authentication using MD5. OSPF does not utilize key chains.
  interface <interface>
   ip ospf message-digest-key <key-id> md5 <password>
  router ospf <process-id>
   network 10.0.0.0 0.255.255.255 area 0
   area 0 authentication message-digest

Passive-Interface Commands
  router eigrp <as-number>
   passive-interface default
   no passive-interface <interface>

Route Filtering
For EIGRP and RIP, usage of the distribute-list command with the out keyword limits what information is advertised, while usage of the in keyword limits what updates are processed. The distribute-list command is available for OSPF, but it does not prevent a router from propagating filtered routes. Instead, the area filter-list command can be used.
This EIGRP example filters outbound advertisements with the distribute-list command and a prefix list:
  ip prefix-list <list-name> seq 10 permit <prefix>
  router eigrp <as-number>
   passive-interface default
   no passive-interface <interface>
   distribute-list prefix <list-name> out <interface>
This EIGRP example filters inbound updates with a prefix list:
  ip prefix-list <list-name> seq 10 permit <prefix>
  router eigrp <as-number>
   passive-interface default
   no passive-interface <interface>
   distribute-list prefix <list-name> in <interface>
This OSPF example uses a prefix list with the OSPF-specific area filter-list command:
  ip prefix-list <list-name> seq 10 permit <prefix>
  router ospf <process-id>
   area <area-id> filter-list prefix <list-name> in

Routing Process Resource Consumption
Routing protocol prefixes are stored by a router in memory, and resource consumption increases with additional prefixes that a router must hold. In order to prevent resource exhaustion, it is important to configure the routing protocol to limit resource consumption. This is possible with OSPF if you use the Link State Database Overload Protection feature.
  router ospf <process-id>
   max-lsa <maximum-number>
Secure First Hop Redundancy Protocols
The Gateway Load Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), and Virtual Router Redundancy Protocol (VRRP) are all FHRPs. By default, these protocols communicate with unauthenticated communications. In order to prevent this type of attack, all FHRPs that are supported by Cisco IOS software include an authentication capability with either MD5 or text strings. Because of the threat posed by unauthenticated FHRPs, it is recommended that instances of these protocols use MD5 authentication.
  interface FastEthernet 1
   description *** GLBP Authentication ***
   glbp 1 authentication md5 key-string <glbp-secret>
   glbp 1 ip 10.1.1.1
  interface FastEthernet 2
   description *** HSRP Authentication ***
   standby 1 authentication md5 key-string <hsrp-secret>
   standby 1 ip 10.2.2.1
  interface FastEthernet 3
   description *** VRRP Authentication ***
   vrrp 1 authentication md5 key-string <vrrp-secret>
   vrrp 1 ip 10.3.3.1

Data Plane
Although the data plane is responsible for moving data from source to destination, within the context of security, the data plane is the least important of the three planes. It is for this reason that it is important to protect the management and control planes in preference over the data plane when you secure a network device.

IP Options Selective Drop
There are two security concerns presented by IP options. Traffic that contains IP options must be process switched by Cisco IOS devices, which can lead to elevated CPU load. IP options also include the functionality to alter the path that traffic takes through the network, which potentially allows it to subvert security controls.
  ip options {drop | ignore}

Disable IP Source Routing
If IP options have not been completely disabled via the IP Options Selective Drop feature, it is important that IP source routing is disabled.
  no ip source-route

Disable ICMP Redirects
  interface FastEthernet 0
   no ip redirects

Disable or Limit IP Directed Broadcasts
If a network absolutely requires directed broadcast functionality, its use should be controlled. This is possible with the use of an access control list as an option to the ip directed-broadcast command.
  access-list 100 permit udp 192.168.1.0 0.0.0.255 any
  interface FastEthernet 0
   ip directed-broadcast 100

Filter Transit Traffic with Transit ACLs
It is possible to control what traffic transits the network with the use of transit ACLs (tACLs). This is in contrast to infrastructure ACLs that seek to filter traffic that is destined to the network itself. The filtering provided by tACLs is beneficial when it is desirable to filter traffic to a particular group of devices or traffic that transits the network.

ICMP Packet Filtering
  ip access-list extended ACL-TRANSIT-IN
   ! Permit ICMP packets from trusted networks only
   permit icmp host <trusted-networks> any
   ! Deny all other ICMP traffic
   deny icmp any any

Filter IP Fragments
  ip access-list extended ACL-TRANSIT-IN
   ! Deny IP fragments using protocol-specific ACEs to aid in
   ! classification of attack traffic
   deny tcp any any fragments
   deny udp any any fragments
   deny icmp any any fragments
   deny ip any any fragments

ACL Support for Filtering IP Options
  ip access-list extended ACL-TRANSIT-IN
   ! Deny IP packets containing IP options
   deny ip any any option any-options

Anti-Spoofing Protections
Many attacks use source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback. Cisco IOS software provides Unicast RPF and IP Source Guard (IPSG) in order to deter attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means of spoofing prevention.

Unicast RPF
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet. You must not rely on Unicast RPF as the only protection against spoofing. Spoofed packets could enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists.
Unicast RPF relies on you to enable Cisco Express Forwarding on each device and is configured on a per-interface basis.
  ip cef
  interface <interface>
   ip verify unicast source reachable-via <mode>
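To make the caveat above concrete, here is an added Python model (not code from the post or from Cisco) of the Unicast RPF check in strict (reachable-via rx) and loose (reachable-via any) mode, including the allow-default keyword and a Null0 route of the kind used for null routing. The routing table, interface names and addresses are constructed for this example; it shows why a spoofed source with a valid return route passes loose mode but fails strict mode.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix in CIDR form, outgoing interface)

# Constructed FIB (not from the post): two customer prefixes on access
# interfaces, a null route for an unused block, and a default toward upstream.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("203.0.113.0/24", "GigabitEthernet0/1"),
    ("198.51.100.0/24", "GigabitEthernet0/2"),
    ("192.0.2.0/24", "Null0"),
]


def lookup(routes: List[Route], addr: str) -> Optional[Tuple[int, str]]:
    """Longest-prefix match: (prefix length, interface) used to reach addr, or None."""
    target = ipaddress.ip_address(addr)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best


def urpf_permits(routes: List[Route], src: str, ingress: str,
                 mode: str, allow_default: bool = False) -> bool:
    """Model of 'ip verify unicast source reachable-via {rx|any} [allow-default]'.

    rx  (strict): the best route back to src must point out the ingress interface.
    any (loose):  any route back to src suffices, whatever interface it uses.
    Without allow-default, a source that matches only the default route fails in
    both modes; a source whose best route points to Null0 fails in both modes.
    """
    if mode not in ("rx", "any"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    best = lookup(routes, src)
    if best is None:
        return False                      # no route at all: drop
    prefixlen, iface = best
    if iface == "Null0":
        return False                      # null-routed source: drop
    if prefixlen == 0 and not allow_default:
        return False                      # default route only: drop unless allow-default
    if mode == "rx":
        return iface == ingress
    return True


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "GigabitEthernet0/1", "rx", False),   # legitimate customer
        ("203.0.113.5", "GigabitEthernet0/2", "rx", False),   # spoofed, wrong interface
        ("203.0.113.5", "GigabitEthernet0/2", "any", False),  # same packet, loose mode
        ("192.0.2.9", "GigabitEthernet0/0", "any", False),    # null-routed source
        ("10.9.9.9", "GigabitEthernet0/0", "rx", False),      # default route only
        ("10.9.9.9", "GigabitEthernet0/0", "rx", True),       # ... with allow-default
    ]
    for src, ingress, mode, allow in cases:
        ok = urpf_permits(ROUTES, src, ingress, mode, allow)
        print(f"{src:14s} in {ingress:18s} mode={mode:3s} allow-default={allow}: "
              f"{'forward' if ok else 'drop'}")
```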
IP Source Guard
IP Source Guard is an effective means of spoofing prevention that can be used if you have control over Layer 2 interfaces. IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.
  ip dhcp snooping
  ip dhcp snooping vlan <vlan-range>
After DHCP snooping is enabled, these commands enable IPSG:
  interface <interface-id>
   ip verify source

Port Security
Port security can be enabled with the ip verify source port-security interface configuration command. This requires the global configuration command ip dhcp snooping information option; additionally, the DHCP server must support DHCP option 82.
  interface <interface>
   switchport
   switchport mode access
   switchport port-security
   switchport port-security mac-address sticky
   switchport port-security maximum <number>
   switchport port-security violation <violation-mode>

Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) can be used in order to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed in order to corrupt the ARP cache of other devices. Often an attacker uses ARP poisoning in order to perform a man-in-the-middle attack.
  ip dhcp snooping
  ip dhcp snooping vlan <vlan-range>
Once DHCP snooping has been enabled, these commands enable DAI:
  ip arp inspection vlan <vlan-range>
In non-DHCP environments, ARP ACLs are required to enable DAI. This example demonstrates the basic configuration of DAI with ARP ACLs:
  arp access-list <acl-name>
   permit ip host <sender-ip> mac host <sender-mac>
  ip arp inspection filter <arp-acl-name> vlan <vlan-range>

Anti-Spoofing ACLs
Manually configured ACLs can provide static anti-spoofing protection against attacks that use known unused and untrusted address space. Commonly, these anti-spoofing ACLs are applied to ingress traffic at network boundaries as a component of a larger ACL. Anti-spoofing ACLs require regular monitoring because they can frequently change. Spoofing can be minimized in traffic that originates from the local network if you apply outbound ACLs that limit the traffic to valid local addresses.
Limit CPU Impact of Data Plane Traffic
The primary purpose of routers and switches is to forward packets and frames through the device onward to final destinations. These packets, which transit the devices deployed throughout the network, can impact the CPU operations of a device. The data plane, which consists of traffic that transits the network device, should be secured to ensure the operation of the management and control planes. If transit traffic can cause a device to process switch traffic, the control plane of a device can be affected, which may lead to an operational disruption.

Traffic Identification and Traceback
At times, you may need to quickly identify and trace back network traffic, especially during incident response or poor network performance. NetFlow and classification ACLs are the two primary methods to accomplish this with Cisco IOS software. NetFlow can provide visibility into all traffic on the network. Additionally, NetFlow can be implemented with collectors that can provide long-term trending and automated analysis. Classification ACLs are a component of ACLs and require pre-planning to identify specific traffic and manual intervention during analysis. These sections provide a brief overview of each feature.

NetFlow
CEF, or distributed CE

F, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches.
  ip flow-export destination <ip-address> <udp-port>
  ip flow-export version <version>
  interface <interface>
   ip flow <ingress|egress>

Classification ACLs
An administrator can expedite an incident response by using classification ACLs with the show access-list and clear ip access-list counters EXEC commands.
  ip access-list extended ACL-SMB-CLASSIFY
   remark Existing contents of ACL
   remark Classification of SMB specific TCP traffic
   deny tcp any any eq 139
   deny tcp any any eq 445
   deny ip any any
  show access-list ACL-SMB-CLASSIFY

Access Control with VLAN Maps and Port Access Control Lists
VACLs, or VLAN maps that apply to all packets that enter the VLAN, provide the capability to enforce access control on intra-VLAN traffic. This is not possible with ACLs on routed interfaces. For example, a VLAN map might be used in order to prevent hosts that are contained within the same VLAN from communicating with each other, which reduces opportunities for local attackers or worms to exploit a host on the same network segment. In order to deny packets from using a VLAN map, you can create an access control list (ACL) that matches the traffic and, in the VLAN map, set the action to drop.
Once a VLAN map is configured, all packets that enter the VLAN are sequentially evaluated against the configured VLAN map. VLAN access maps support IPv4 and MAC access lists; however, they do not support logging or IPv6 ACLs.
  ip access-list extended <acl-name>
   permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
  vlan access-map <name> <number>
   match ip address <acl-name>
   action <drop|forward>
This example demonstrates the use of a VLAN map in order to deny TCP ports 139 and 445 as well as the vines-ip protocol:
  ip access-list extended VACL-MATCH-ANY
   permit ip any any
  ip access-list extended VACL-MATCH-PORTS
   permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
   permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
  mac access-list extended VACL-MATCH-VINES
   permit any any vines-ip
  vlan access-map VACL 10
   match mac address VACL-MATCH-VINES
   action drop
  vlan access-map VACL 20
   match ip address VACL-MATCH-PORTS
   action drop
  vlan access-map VACL 30
   match ip address VACL-MATCH-ANY
   action forward
  vlan filter VACL vlan-list 100

Access Control with PACLs (Port ACLs)
  ip access-list extended <acl-name>
   permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
  interface <type> <slot/port>
   switchport mode access
   switchport access vlan <vlan_number>
   ip access-group <acl-name> in

Access Control with MAC
  Cat6K-IOS(config-if)# mac packet-classify
Private VLAN Use
Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely. Networking situations exist where security can be aided by limiting communication between devices on a single VLAN. For example, PVLANs are often used in order to prohibit communication between servers in a publicly accessible subnet. Should a single server become compromised, the lack of connectivity to other servers due to the application of PVLANs might help limit the compromise to the one server.
There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.
  vlan 11
   private-vlan isolated
  vlan 20
   private-vlan primary
   private-vlan association 11
  interface FastEthernet 1/1
   description *** Port in Isolated VLAN ***
   switchport mode private-vlan host
   switchport private-vlan host-association 20 11

Community VLANs
  vlan 12
   private-vlan community
  vlan 20
   private-vlan primary
   private-vlan association 12
  interface FastEthernet 1/2
   description *** Port in Community VLAN ***
   switchport mode private-vlan host
   switchport private-vlan host-association 20 12

Promiscuous Ports
Switch ports that are placed into the primary VLAN are known as promiscuous ports. Promiscuous ports can communicate with all other ports in the primary and secondary VLANs. Router or firewall interfaces are the most common devices found on these VLANs.
  vlan 11
   private-vlan isolated
  vlan 12
   private-vlan community
  vlan 20
   private-vlan primary
   private-vlan association 11,12
  interface FastEthernet 1/1
   description *** Port in Isolated VLAN ***
   switchport mode private-vlan host
   switchport private-vlan host-association 20 11
  interface FastEthernet 1/2
   description *** Port in Community VLAN ***
   switchport mode private-vlan host
   switchport private-vlan host-association 20 12
  interface FastEthernet 1/12
   description *** Promiscuous Port ***
   switchport mode private-vlan promiscuous
   switchport private-vlan mapping 20 add 11,12
When you implement PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering with a Router ACL or firewall can prevent the subversion of the PVLAN configuration.