Basic Cisco Router Security
Network layout
For this document we have the following layout of the network:
The following assumptions regarding network design are made:

- There is a difference in the IP space for the network itself and for the user LANs. This makes it possible to distinguish traffic from user LANs from traffic within the network.
- Despite the fact that there is a firewall in the picture, this document only describes security on the routers. The firewall is there only to complete the picture.
- The IP space of the network management LAN is dedicated to network management systems. No other systems are there.
- User LANs are not allowed to access the network infrastructure. If people on a user LAN want to access the network, they have to hop via the network management LAN.

User LANs:

Router      IP subnet                            Comment
router-A    130.140.254.0/24
router-B    130.140.2.0/24
router-C    130.140.1.0/24 and 130.140.5.0/24    Via a router of the user
router-D    (no user LAN)                        Network Management LAN, Firewall LAN, Link to public internet

The network management LAN has a rich set of features. This includes, but is not limited to, a TACACS+ server, an NTP server, a syslog server and an SNMP server. The routers use an external authentication mechanism, such as TACACS+. Each router has a loopback interface:

Device name    Loopback IP address
router-A       10.254.254.1
router-B       10.254.254.2
router-C       10.254.254.4
router-D       10.254.254.5
http://www.mavetju.org/networking/security.php
11/23/2008
There are a couple of things which are assumed to have happened:

The routers have hostnames:

router(config)#hostname router-A

The routers have loopback interfaces. The loopback interface will be used as the source address for all outgoing IP traffic from the router and as the interface to connect to the router. As long as one of the physical interfaces is up (and the loopback's /32 is known to the other routers), the loopback interface will be reachable.

router-A(config)#interface loopback0
router-A(config-if)#ip address <Loopback IP address> 255.255.255.255

All routers should have their clocks right. Without this, fast and proper debugging and analysis is not possible, because timestamps from different routers cannot be correlated.

router-A(config)#clock timezone UTC 0
router-A(config)#service timestamps log datetime show-timezone
router-A(config)#service timestamps debug datetime show-timezone
Access security
This part describes security for accessing the router over normal telnet. Keep in mind that telnet carries the whole session, including the password, in clear text; on IOS images that support it, SSH should be used instead, restricted with the same access list shown below. Authentication is done via TACACS+. The router should use it for both login and enable authentication. If no connection can be made to the authentication server it should fall back on the enable password. The fallback is only used when the TACACS+ server does not answer; a login that the server rejects is not retried against the enable password. The shared secret must be the same as the one configured on the TACACS+ server.

router-A(config)#aaa new-model
router-A(config)#aaa authentication login default tacacs+ enable
router-A(config)#aaa authentication enable default tacacs+ enable
router-A(config)#tacacs-server host <ip address of TACACS+ server>
router-A(config)#tacacs-server key <shared secret>
router-A(config)#ip tacacs source-interface loopback0

Now an enable password should be defined. Cisco routers store passwords in three ways:

Type 0: no encryption. The password is stored in plain text.
Type 7: the password is obfuscated with a fixed, publicly known key and can be recovered instantly by anyone who can read the configuration. "service password-encryption" only converts type 0 passwords to type 7, so it protects against nothing more than a glance over the shoulder.
Type 5: the password is stored as a salted MD5 hash. It cannot be reversed, but it can be brute-forced offline, so choose a strong password.

router-A(config)#service password-encryption
router-A(config)#enable secret <password>

Use "enable secret" (type 5), not "enable password" (type 0 or 7); if both are configured, the secret is the one that counts.

Only TCP connections coming from the network management LAN are allowed to reach the router's terminal lines. Note that access lists take a wildcard mask, the inverse of the subnet mask (0.0.0.255 for a /24):

router-A(config)#no access-list 1
router-A(config)#access-list 1 permit <subnet address of network management LAN> <wildcard mask>

Next it's finally time to enable logins. No passwords are specified on the lines because that is configured with the aaa statements. A 30-minute idle time-out shall be standard on all console and virtual terminal lines. On a line, the access list is applied with "access-class" ("access-group" is for interfaces):

router-A(config)#line console 0
router-A(config-line)#exec-timeout 30 0
router-A(config-line)#line aux 0
router-A(config-line)#no exec
router-A(config-line)#transport input all
router-A(config-line)#line vty 0 4
router-A(config-line)#access-class 1 in
router-A(config-line)#exec-timeout 30 0

If nothing (such as a modem) is attached to the AUX port, "transport input none" on that line is tighter than "transport input all".

In older IOS releases the TCP and UDP "small servers" (echo, chargen, discard, daytime) were enabled by default. They are not needed and can be abused for denial of service, so disable them explicitly:

router-A(config)#no service udp-small-servers
router-A(config)#no service tcp-small-servers
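To show why a type 7 password only hides the password from a casual glance, here is an added example (not code from the original page) that decodes and re-encodes type 7 strings and pulls every type 7 value out of a saved configuration. The test vectors 060506324F41 and 0822455D0A16 (both "cisco") are widely published; the configuration text at the bottom is constructed for the example, and the "enable secret" hash in it is a placeholder.

```python
"""Cisco IOS "type 7" password obfuscation, decoded and re-encoded.

Added example, not code from the original page. A type 7 string is two
decimal digits (an offset into a fixed key) followed by one hex byte per
password character, each XORed with the key byte at offset+position.
The key is the same on every IOS device and is publicly known, which is
why "service password-encryption" is no substitute for "enable secret".
"""
import re

# Fixed key used by IOS for type 7 passwords (publicly known).
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Return the clear text of a type 7 string such as '060506324F41'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, offset: int = 0) -> str:
    """Inverse of type7_decode. IOS itself picks the offset at random (0..15)."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    hexbytes = "".join(
        f"{ch ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]:02X}"
        for i, ch in enumerate(clear.encode("ascii"))
    )
    return f"{offset:02d}{hexbytes}"


# Matches 'enable password 7 ...', 'username x password 7 ...',
# 'tacacs-server key 7 ...' and similar lines of a running-config.
_TYPE7_LINE = re.compile(
    r"^\s*(.*?\b(?:password|key))\s+7\s+([0-9A-Fa-f]{4,})\s*$", re.M)


def recover_type7_from_config(config_text: str) -> dict:
    """Map each command carrying a type 7 value to its recovered clear text.

    'enable secret 5 ...' lines (salted MD5) are deliberately not matched:
    those cannot be reversed, only brute-forced.
    """
    return {m.group(1): type7_decode(m.group(2))
            for m in _TYPE7_LINE.finditer(config_text)}


# Constructed sample configuration (not from a real device). The secret
# hash is a placeholder, not a real MD5 digest.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 060506324F41
enable secret 5 $1$abcd$placeholderNotARealHash
tacacs-server key 7 111D4D06161118
username admin password 7 0822455D0A16
"""

if __name__ == "__main__":
    for command, clear in recover_type7_from_config(SAMPLE_CONFIG).items():
        print(f"{command}: {clear}")
```

Run as a script it prints the three recovered values; the point is that anyone who can read the configuration (a backup on a TFTP server, a "show running-config" over an unencrypted session, an SNMP-triggered config upload) gets the passwords in clear text without any cracking.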
SNMP security
SNMP is used to retrieve data from remote machines. This should only be allowed from machines on the network management LAN. If you want to allow hosts outside the network management LAN to have SNMP access to a router, put them in a separate access list and give them a unique community string. Access list 4 below denies everything and is the placeholder for such a list; as long as it stays empty, the read-only community cannot be used from anywhere.

router-A(config)#no access-list 3
router-A(config)#access-list 3 permit <subnet address of network management LAN> <wildcard mask>
router-A(config)#no access-list 4
router-A(config)#access-list 4 deny any
Let the router send its SNMP traps to the SNMP server on the network management LAN. If there is an unauthorized attempt to access the router via SNMP (a wrong community string), let it send an authentication-failure trap. Limit the machines which can perform SNMP queries to the machines on the network management LAN, and limit the hosts that may load or save the configuration via SNMP-triggered TFTP to the same list. Also disable the possibility to reload the router via SNMP.

router-A(config)#snmp-server community <community-string> RW 3
router-A(config)#snmp-server community <community-string> RO 4
router-A(config)#snmp-server host <ip address of SNMP server> <community-string>
router-A(config)#snmp-server trap-source loopback0
router-A(config)#snmp-server enable traps snmp authentication
router-A(config)#no snmp-server system-shutdown
router-A(config)#snmp-server tftp-server-list 3

Use different community strings for the RW and RO entries. With SNMPv1 and v2c the community string travels in clear text, so the access lists are the only thing standing between a sniffed community string and write access to the router; leave the read-write community out entirely unless the management station really needs it.
Logging security
The logging done by the routers can be sent to a central host. If you enable this, make sure the syslog daemon on that host accepts syslog messages from remote machines (preferably only from the routers' loopback addresses). Keep a local buffer as well, so that recent messages are still available when the syslog host is unreachable.

router-A(config)#logging buffered
router-A(config)#logging console debugging
router-A(config)#logging trap informational
router-A(config)#logging source-interface loopback0
router-A(config)#logging <ip address of syslog server>

Syslog over UDP is neither authenticated nor encrypted: anyone on the path can read or forge messages. Restrict who may send to the syslog server, for instance on the firewall and in the daemon's configuration, and treat the messages as evidence only in combination with the router's own buffer.
NTP security
Knowledge of the correct time is very important for debugging, general logging and the analysis of problems. Therefore all routers should synchronise their time with a single source and accept time information from no other source. It is also possible to configure routers to act as NTP servers for other routers or for hosts on the user LANs; those clients belong in access list 6, which starts out denying everything. Note that the IOS syntax is "deny any", not "deny all".

router-A(config)#no access-list 5
router-A(config)#access-list 5 permit <ip address of NTP server>
router-A(config)#no access-list 6
router-A(config)#access-list 6 deny any
router-A(config)#ntp access-group peer 5
router-A(config)#ntp access-group serve 6
router-A(config)#ntp source loopback 0
router-A(config)#ntp server <ip address of NTP server>

The access groups filter on source IP address only, and NTP runs over UDP, so a packet with a forged source address of the NTP server would pass them. NTP authentication (a shared key on the router and the server) protects against that; the access groups remain useful as a first filter.
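The controls from the Access, SNMP, Logging and NTP sections above can be checked mechanically against a saved configuration. The following is an added example, not code from the original page: it parses the text of "show running-config" and lists the controls that are missing. Both sample configurations are constructed, 10.10.10.0/24 stands in for the network management LAN (the page gives it no address), the enable secret hash is a placeholder, and the check names are this example's own.

```python
"""Audit a Cisco IOS configuration against the controls described above.

Added example, not from the original page. audit() takes the text of
'show running-config' and returns the names (this example's own) of the
checks that fail. The sample configurations are constructed.
"""
import re

# (check name, regex matched against global commands, True = must be present)
GLOBAL_CHECKS = [
    ("aaa-new-model", r"aaa new-model$", True),
    ("login-tacacs", r"aaa authentication login default .*tacacs\+", True),
    ("enable-secret", r"enable secret ", True),
    ("enable-password-present", r"enable password ", False),   # type 0/7
    ("password-encryption", r"service password-encryption$", True),
    ("small-servers", r"service (tcp|udp)-small-servers", False),
    ("snmp-shutdown", r"snmp-server system-shutdown$", False),
    ("syslog-host", r"logging (host )?\d+\.\d+\.\d+\.\d+$", True),
    ("logging-buffered", r"logging buffered", True),
    ("ntp-server", r"ntp server ", True),
    ("ntp-access-group", r"ntp access-group (peer|serve|serve-only|query-only) ", True),
]


def parse_blocks(config_text):
    """Split config text into (header, body_lines). IOS indents the body of
    'line ...' / 'interface ...' sections by one space; '!' lines are skipped."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config_text):
    """Return a sorted list of failed checks; an empty list means all passed."""
    blocks = parse_blocks(config_text)
    headers = [h for h, _ in blocks]
    fails = set()

    def present(pattern):
        return any(re.match(pattern, h) for h in headers)

    for name, pattern, must_exist in GLOBAL_CHECKS:
        if present(pattern) != must_exist:
            fails.add(name)

    # Every vty block needs an inbound access-class and an exec-timeout.
    vty = [body for h, body in blocks if h.startswith("line vty")]
    if not vty or not all(any(l.startswith("access-class ") and l.endswith(" in")
                              for l in b) for b in vty):
        fails.add("vty-access-class")
    if not vty or not all(any(l.startswith("exec-timeout ") for l in b) for b in vty):
        fails.add("vty-exec-timeout")

    # Every SNMP community must be bound to an access list; no default strings.
    for h in headers:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", h, re.I)
        if m:
            community, mode, acl = m.groups()
            if acl is None:
                fails.add(f"snmp-{mode.lower()}-no-acl")
            if community.lower() in ("public", "private"):
                fails.add("snmp-default-community")
    return sorted(fails)


# Constructed sample: a router with several defaults left on.
WEAK_CONFIG = """\
enable password 7 060506324F41
service tcp-small-servers
snmp-server community public RO
snmp-server community private RW
snmp-server system-shutdown
line vty 0 4
 password cisco
 login
"""

# Constructed sample following this page; 10.10.10.0/24 is an assumed
# network management LAN and the secret hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
aaa new-model
aaa authentication login default tacacs+ enable
enable secret 5 $1$XXXX$placeholderNotARealHash
access-list 1 permit 10.10.10.0 0.0.0.255
snmp-server community N0tPubl1c RO 3
snmp-server community Wr1teStr1ng RW 3
logging buffered 16384
logging 10.10.10.20
ntp access-group peer 5
ntp server 10.10.10.30
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The checks are deliberately written against the form in which IOS prints the configuration, so that "no service tcp-small-servers" (or its absence, on releases where the small servers are off by default) passes while the enabling line fails; extend GLOBAL_CHECKS with the interface-level items (CDP, proxy ARP, the inbound access list) in the same way.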
Disable CDP on interfaces towards user LANs, so the router does not announce its name, IOS version and addresses to anyone who can listen on that segment:

router-A(config)#interface ethernet0
router-A(config-if)#no cdp enable

Do not forward IP packets with source-routing header options:

router-A(config)#no ip source-route

Do not answer ARP requests on behalf of hosts which are not on the user LAN:

router-A(config)#interface ethernet0
router-A(config-if)#no ip proxy-arp

Only allow packets which are expected to come from the user LAN (that is, carry a source address from the user LAN's subnet) and are meant for other user LANs. In particular, do not forward packets to the network devices themselves. Extended access lists take wildcard masks, and the first matching line wins, so the deny for the network's own IP space has to come before the permit for the user LAN:

router-A(config)#ip access-list extended outgoing_e0
router-A(config-ext-nacl)#deny ip any <ip space of network> <wildcard mask>
router-A(config-ext-nacl)#permit ip <subnet address of user LAN> <wildcard mask> any
router-A(config-ext-nacl)#deny ip any any
router-A(config)#interface ethernet0
router-A(config-if)#ip access-group outgoing_e0 in

Applied inbound on the user-LAN interface, the list also drops packets whose source address does not belong to that LAN, which stops address spoofing from the user LAN.
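To see why the order of the three lines matters, here is an added example (not code from the original page) that models how IOS evaluates an extended access list, top to bottom with the first match winning and an implicit deny at the end, and runs a few constructed packets through the list above. 130.140.254.0/24 is router-A's user LAN from the network layout; taking 10.254.254.0/24 as the "IP space of the network" is an assumption, since the page only lists the loopback addresses in that range.

```python
"""First-match evaluation of the user-LAN access list above.

Added example, not from the original page. Addresses: 130.140.254.0/24 is
router-A's user LAN from the network layout; 10.254.254.0/24 as the
"IP space of the network" is an assumption. The packets are constructed.
"""
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(address, wildcard):
    """Turn IOS 'address wildcard' notation into a network.

    A wildcard mask is the bitwise inverse of a subnet mask: 0.0.0.255
    means 'the last octet may be anything', i.e. a /24.
    """
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


NETWORK_SPACE = wildcard_to_network("10.254.254.0", "0.0.0.255")   # assumption
USER_LAN_A = wildcard_to_network("130.140.254.0", "0.0.0.255")

# The list from the text with the placeholders filled in; IOS numbers the
# entries of a named ACL 10, 20, 30.
OUTGOING_E0 = [
    ("deny",   ANY,        NETWORK_SPACE),  # deny ip any <ip space of network> <wildcard>
    ("permit", USER_LAN_A, ANY),            # permit ip <user LAN> <wildcard> any
    ("deny",   ANY,        ANY),            # deny ip any any
]

# Same entries with the permit moved first, to show why order matters.
MISORDERED = [OUTGOING_E0[1], OUTGOING_E0[0], OUTGOING_E0[2]]


def evaluate(acl, src, dst):
    """Return (action, entry number) of the first matching entry, or ('deny', None)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for number, (action, src_net, dst_net) in enumerate(acl, start=1):
        if s in src_net and d in dst_net:
            return action, number * 10
    return "deny", None   # implicit deny at the end of every IOS ACL


# Constructed packets: (source, destination, what they represent)
PACKETS = [
    ("130.140.254.10", "130.140.2.10", "user LAN A to user LAN B"),
    ("130.140.254.10", "10.254.254.1", "user LAN A to router-A's loopback"),
    ("192.0.2.1", "130.140.2.10", "spoofed source address on the user LAN"),
]


def run(acl=OUTGOING_E0):
    """Evaluate the constructed packets; returns [(description, action, entry)]."""
    return [(what, *evaluate(acl, s, d)) for s, d, what in PACKETS]


if __name__ == "__main__":
    for acl_name, acl in (("outgoing_e0", OUTGOING_E0), ("misordered", MISORDERED)):
        print(acl_name)
        for what, action, entry in run(acl):
            print(f"  {what}: {action} (entry {entry})")
```

With the list as written, the loopback packet dies on entry 10 and the spoofed packet on entry 30; with the permit moved in front of the deny, the same user-LAN host reaches the router's loopback, because entry 10 now matches first and nothing after it is consulted.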