Cisco - Cisco Guide to Harden Cisco IOS Devices
Document ID: 13608, 2/23/2012, http://kbase/paws/servlet/ViewFile/13608/21.xml?convertPaths=1

Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Secure Operations
  Monitor Cisco Security Advisories and Responses
  Leverage Authentication, Authorization, and Accounting
  Centralize Log Collection and Monitoring
  Use Secure Protocols When Possible
  Gain Traffic Visibility with NetFlow
  Configuration Management
Management Plane
  General Management Plane Hardening
  Limiting Access to the Network with Infrastructure ACLs
  Securing Interactive Management Sessions
  Using Authentication, Authorization, and Accounting
  Fortifying the Simple Network Management Protocol
  Logging Best Practices
  Cisco IOS Software Configuration Management
Control Plane
  General Control Plane Hardening
  Limiting CPU Impact of Control Plane Traffic
  Securing BGP
  Securing Interior Gateway Protocols
  Securing First Hop Redundancy Protocols
Data Plane
  General Data Plane Hardening
  Filtering Transit Traffic with Transit ACLs
  Anti-Spoofing Protections
  Limiting CPU Impact of Data Plane Traffic
  Traffic Identification and Traceback
  Access Control with VLAN Maps and Port Access Control Lists
  Using Private VLANs
Conclusion
Acknowledgments
Appendix: Cisco IOS Device Hardening Checklist
  Management Plane
  Control Plane
  Data Plane
Cisco Support Community - Featured Conversations
Related Information

Introduction

This document contains information to help you secure your Cisco IOS® system devices, which increases the overall security of your network. Structured around the three planes into which functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation.

The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

  Management Plane — The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.

  Control Plane — The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

  Data Plane — The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

The coverage of security features in this document often provides enough detail for you to configure the feature. However, in cases where it does not, the feature is explained in such a way that you can evaluate whether additional attention to the feature is required. Where possible and appropriate, this document contains recommendations that, if implemented, help secure a network.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions. Some command line examples in this document are wrapped to enhance readability.

Secure Operations

Secure network operations is a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco IOS device, configurations alone do not completely secure a network.
The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices. These topics contain operational recommendations that you are advised to implement. These topics highlight specific critical areas of network operations and are not comprehensive.

Monitor Cisco Security Advisories and Responses

The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products. The method used for communication of less severe issues is the Cisco Security Response. Security advisories and responses are published by Cisco PSIRT; more information about these communication vehicles is available in the Cisco Security Vulnerability Policy.

In order to maintain a secure network, you need to be aware of the Cisco security advisories and responses that have been released. You need to have knowledge of a vulnerability before the threat it can pose to a network can be evaluated. Refer to Risk Triage for Security Vulnerability Announcements for assistance with this evaluation process.

Leverage Authentication, Authorization, and Accounting

The Authentication, Authorization, and Accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands and log all commands entered by all users. See the Using Authentication, Authorization, and Accounting section of this document for more information about leveraging AAA.

Centralize Log Collection and Monitoring

In order to gain an understanding of existing, emerging, and historic events related to security incidents, your organization needs to have a unified strategy for event logging and correlation. This strategy must leverage logging from all network devices and use pre-packaged and customizable correlation capabilities.

After centralized logging is implemented, you must develop a structured approach to log analysis and incident tracking. Based on the needs of your organization, this approach can range from a simple diligent review of log data to advanced rule-based analysis. See the Logging Best Practices section of this document for more information about how to implement logging on Cisco IOS network devices.

Use Secure Protocols When Possible

Many protocols are used in order to carry sensitive network management data. You must use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted. In addition, you must use secure file transfer protocols when you copy configuration data. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP. See the Securing Interactive Management Sessions section of this document for more information about the secure management of Cisco IOS devices.

Gain Traffic Visibility with NetFlow

NetFlow enables you to monitor traffic flows in the network. Originally intended to export traffic information to network management applications, NetFlow can also be used in order to show flow information on a router. This capability allows you to see what traffic traverses the network in real time. Regardless of whether flow information is exported to a remote collector, you are advised to configure network devices for NetFlow so that it can be used reactively if needed. More information about this feature is available in the Traffic Identification and Traceback section of this document and in Cisco's NetFlow documentation (registered customers only).

Configuration Management

Configuration management is a process by which configuration changes are proposed, reviewed, approved, and deployed.
Within the context of a Cisco IOS device configuration, two additional aspects of configuration management are critical: configuration archival and security.

You can use configuration archives to roll back changes that are made to network devices. In a security context, configuration archives can also be used in order to determine which security changes were made and when these changes occurred. In conjunction with AAA log data, this information can assist in the security auditing of network devices.

The configuration of a Cisco IOS device contains many sensitive details. Usernames, passwords, and the contents of access control lists are examples of this type of information. The repository that you use in order to archive Cisco IOS device configurations needs to be secured. Insecure access to this information can undermine the security of the entire network.

Management Plane

The management plane consists of functions that achieve the management goals of the network. This includes interactive management sessions using SSH, as well as statistics-gathering with SNMP or NetFlow. When you consider the security of a network device, it is critical that the management plane be protected. If a security incident is able to undermine the functions of the management plane, it can be impossible for you to recover or stabilize the network.

These sections of this document detail the security features and configurations available in Cisco IOS software that help fortify the management plane.

General Management Plane Hardening

The management plane is used in order to access, configure, and manage a device, as well as monitor its operations and the network on which it is deployed. The management plane is the plane that receives and sends traffic for operations of these functions.
You must secure both the management plane and control plane of a device, as operations of the control plane directly affect operations of the management plane. This list of protocols is used by the management plane:

  Simple Network Management Protocol
  Telnet
  Secure Shell Protocol
  File Transfer Protocol
  Trivial File Transfer Protocol
  Secure Copy Protocol
  TACACS+
  RADIUS
  NetFlow
  Network Time Protocol
  Syslog

Steps must be taken to ensure the survival of the management and control planes during security incidents. If one of these planes is successfully exploited, all planes can be compromised.

Password Management

Passwords control access to resources or devices. This is accomplished through the definition of a password or secret that is used in order to authenticate requests. When a request is received for access to a resource or device, the request is challenged for verification of the password and identity, and access can be granted, denied, or limited based on the result. As a security best practice, passwords must be managed with a TACACS+ or RADIUS authentication server. However, note that a locally configured password for privileged access is still needed in the event of failure of the TACACS+ or RADIUS services. A device can also have other password information present within its configuration, such as an NTP key, SNMP community string, or Routing Protocol key.

The enable secret command is used in order to set the password that grants privileged administrative access to the Cisco IOS system. The enable secret command must be used, rather than the older enable password command. The enable password command uses a weak encryption algorithm.

If no enable secret is set and a password is configured for the console tty line, the console password can be used in order to receive privileged access, even from a remote virtual tty (vty) session. This action is almost certainly unwanted and is another reason to ensure configuration of an enable secret.

The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords, Challenge Handshake Authentication Protocol (CHAP) secrets, and similar data that are saved in its configuration file. Such encryption is useful in order to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator. However, the algorithm used by the service password-encryption command is a simple Vigenère cipher. The algorithm is not designed to protect configuration files against serious analysis by even slightly sophisticated attackers and must not be used for this purpose. Any Cisco IOS configuration file that contains encrypted passwords must be treated with the same care that is used for a cleartext list of those same passwords.

While this weak encryption algorithm is not used by the enable secret command, it is used by the enable password global configuration command, as well as the password line configuration command. Passwords of this type must be eliminated and the enable secret command or the Enhanced Password Security feature needs to be used.

The enable secret command and the Enhanced Password Security feature use Message Digest 5 (MD5) for password hashing. This algorithm has had considerable public review and is not known to be reversible. However, the algorithm is subject to dictionary attacks. In a dictionary attack, an attacker tries every word in a dictionary or other list of candidate passwords in order to find a match. Therefore, configuration files must be securely stored and only shared with trusted individuals.
Enhanced Password Security

The feature Enhanced Password Security, introduced in Cisco IOS Software Release 12.2(8)T, allows an administrator to configure MD5 hashing of passwords for the username command. Prior to this feature, there were two types of passwords: Type 0, which is a cleartext password, and Type 7, which uses the algorithm from the Vigenère cipher. The Enhanced Password Security feature cannot be used with protocols that require the cleartext password to be retrievable, such as CHAP.

In order to encrypt a user password with MD5 hashing, issue the username secret global configuration command.

  !
  username <name> secret <password>
  !

Refer to Enhanced Password Security for more information about this feature.

Login Password Retry Lockout

The Login Password Retry Lockout feature, added in Cisco IOS Software Release 12.3(14)T, allows you to lock out a local user account after a configured number of unsuccessful login attempts. Once a user is locked out, their account is locked until you unlock it. An authorized user who is configured with privilege level 15 cannot be locked out with this feature. The number of users with privilege level 15 must be kept to a minimum.

Note that authorized users can lock themselves out of a device if the number of unsuccessful login attempts is reached. Additionally, a malicious user can create a denial of service (DoS) condition with repeated attempts to authenticate with a valid username.

This example shows how to enable the Login Password Retry Lockout feature:

  !
  aaa new-model
  aaa local authentication attempts max-fail <max-attempts>
  aaa authentication login default local
  !
  username <name> secret <password>
  !

This feature also applies to authentication methods such as CHAP and Password Authentication Protocol (PAP). Refer to Login Password Retry Lockout for more information about this feature.
No Service Password-Recovery

In Cisco IOS Software Release 12.3(14)T and later, the No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.

  !
  no service password-recovery
  !

Cisco IOS software provides a password recovery procedure that relies upon access to ROMMON mode using the Break key during system startup. In ROMMON mode, the device software can be reloaded to prompt a new system configuration that includes a new password.
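As an added example that is not part of the Cisco document, the following Python script applies the password-management checks from the sections above to a saved IOS configuration: it flags Type 0 and Type 7 passwords on enable, username and line commands, reports a console line password when no enable secret exists (the privileged-access-from-vty case described above), and lists which of the recommended global commands (service password-encryption, the Login Password Retry Lockout command, no service password-recovery) are absent. The sample configuration and its hash values are constructed placeholders.

```python
import re
# Constructed sample IOS configuration fragment (not taken from the Cisco document).
SAMPLE_CONFIG = """\
hostname edge-rtr
enable password 7 094F471A1A0A
username ops password 0 opspass
username admin secret 5 $1$EXAMPLE$placeholderhash
line con 0
 password 7 0822455D0A16
line vty 0 4
 login local
"""

# Storage types the guide calls weak; type 5 (MD5, used by enable secret / username secret) is not flagged.
WEAK = {"0": "type 0 (cleartext)", "7": "type 7 (reversible Vigenere cipher)"}
# Global commands the guide recommends; each is reported when absent from the configuration.
REQUIRED = ["service password-encryption",
            "aaa local authentication attempts max-fail",
            "no service password-recovery"]

def describe(ptype):
    ptype = ptype or "0"    # no type number on an IOS password line means type 0
    return WEAK.get(ptype, f"type {ptype}")

def audit_config(text):
    """Return a list of findings for the password weaknesses this section describes."""
    findings, has_enable_secret, console_pw, section = [], False, False, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # unindented lines start a new config section
            section = line
        if line.startswith("enable secret "):
            has_enable_secret = True
        elif m := re.fullmatch(r"enable password(?: (\d))? \S+", line):
            findings.append(f"enable password stored as {describe(m[1])}; use enable secret")
        elif m := re.fullmatch(r"username (\S+) password(?: (\d))? \S+", line):
            findings.append(f"username {m[1]} stored as {describe(m[2])}; use username secret")
        elif (m := re.fullmatch(r"password(?: (\d))? \S+", line)) and section.startswith("line "):
            findings.append(f"{section}: line password stored as {describe(m[1])}")
            console_pw |= section.startswith("line con")
    if not has_enable_secret:
        findings.append("no enable secret configured")
        if console_pw:   # the guide's warning: the console password then grants privileged access
            findings.append("console password can grant privileged access from a remote vty (no enable secret)")
    for cmd in REQUIRED:
        if not re.search(rf"^{re.escape(cmd)}\b", text, re.M):
            findings.append(f"missing: {cmd}")
    return findings
```

Calling audit_config(SAMPLE_CONFIG) returns eight findings for the sample: the three weak-type lines, the missing enable secret together with the console-password consequence, and the three absent hardening commands.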