
Cisco Router Configuration - Security Hardened

RS_MCP Member Posts: 352
Hi All,

I would like my router configuration below to be secured and protected as much as possible; can you help me achieve this? I already have the basic Cisco IOS Firewall configured. What other features can I add?

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxx
!
boot-start-marker
boot-end-marker
!
no logging console
enable password 7 xxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW telnet
ip inspect name FW ssh
ip inspect name FW http
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW kazaa
ip inspect name FW parameter max-sessions 1000
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip domain lookup
ip domain name xxxxxxxxx
!
!
!
!
username lyvadmin privilege 15 password 7 xxxxxxxxx
!
!
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
description ***Outside***
ip address xxxxxxxxx
ip inspect FW out
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface Vlan1
description ***Inside***
ip address 192.168.250.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxxxxxxxx
!
no ip http server
no ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
!
access-list 110 permit ip 192.168.250.0 0.0.0.255 any
access-list 110 deny ip any any
!
control-plane
!
!
line con 0
password 7 xxxxxxxxx
logging synchronous
login
line aux 0
line vty 0 4
password 7 xxxxxxxxx
logging synchronous
login local
transport input ssh
!
end

Comments

  • jason_lunde Member Posts: 567
    Hey man,
    Just for starters you might get an acl inbound on that outside interface ASAP. Then I would enable AAA, and create a username/secret and an enable secret. Protect your config by getting rid of those pw 7's. That will get you going...then look at disabling unnecessary services, etc...
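Jason's three starting points (enable AAA, username/enable secrets instead of type 7 passwords, tighten management access) written out in IOS 12.4 syntax, as an added example that is neither the poster's lines nor the original configuration. The `admin` username, the `<...>` secrets and the assumption that administrators sit on the 192.168.250.0/24 inside LAN are placeholders; the existing `ip inspect` and NAT statements are left untouched. Enter it from the console so a mistake in the AAA section cannot lock you out of the vty lines.

```cisco
! Added example, not the original post's config. Replace every <...> placeholder.
!
! 1. Reversible type-7 passwords become MD5 secrets. Create the new admin user
!    first and remove the old one afterwards, so a working login always exists
!    (IOS refuses "secret" on a user that still has a "password").
username admin privilege 15 secret <STRONG-USER-SECRET>
no username lyvadmin
no enable password
enable secret <STRONG-ENABLE-SECRET>
!
! 2. AAA against the local user database (no TACACS+/RADIUS server assumed).
!    Once aaa new-model is on, "login local" on the lines is no longer needed.
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
! 3. Management only from the inside subnet, only over SSH, with idle timeouts.
ip access-list standard VTY-MGMT
 remark assumption: administrators are on the inside LAN
 permit 192.168.250.0 0.0.0.255
 deny   any log
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
line con 0
 no password
 exec-timeout 10 0
line aux 0
 no exec
 transport input none
line vty 0 4
 no password
 exec-timeout 10 0
 access-class VTY-MGMT in
 transport input ssh
```

After saving, `show running-config | include password 7` should return nothing but the line passwords you just removed, and `show users` from an SSH session confirms the local user still authenticates through the new AAA method list.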
  • peanutnoggin Member Posts: 1,096
    In addition to what Jason suggested, I would suggest you get in the habit of not using vlan 1. Also, you may want to disable CDP on your WAN interface unless you need to discover (or be discovered). Outside of that, I think you're good on your configs. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
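Peanut's two points (get the inside LAN off VLAN 1, stop CDP on the WAN side) applied to the posted configuration, as an added example and not the poster's own lines. It assumes a router with integrated switch ports (the posted config shows FastEthernet0/1-0/4 plus an SVI on Vlan1) and picks VLAN 10 for the inside network; do it from the console, because the inside address moves between SVIs and any session through the LAN drops.

```cisco
! Added example, not part of the original post. VLAN 10 is an assumed choice.
!
! VLAN 10 must exist before ports can join it. On the 8xx-series routers that
! is "vlan database" / "vlan 10" / "exit"; other platforms take "vlan 10" in
! global configuration mode.
!
! Take the address and NAT role off VLAN 1 first; IOS rejects the same subnet
! on two SVIs at once.
interface Vlan1
 no ip nat inside
 no ip address
 shutdown
!
interface Vlan10
 description ***Inside***
 ip address 192.168.250.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface range FastEthernet0/1 - 4
 switchport access vlan 10
!
! CDP stays useful on the inside for discovery; it should never be advertised
! toward the ISP, so turn it off on the WAN port only rather than globally.
interface FastEthernet0/0
 no cdp enable
```

`show vlan-switch` (or `show vlan` on platforms without the switch module syntax) should list the four access ports under VLAN 10, and `show cdp interface` should no longer list FastEthernet0/0.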
  • mikej412 Member Posts: 10,086
    The NSA and SANS guides for securing Cisco Routers have been around for a while and are good starting points.

    Under the Cisco Router Guides section on the NSA's Current Security Configuration Guides web page you'll find the Router Security Configuration Guide, Executive Summary PDF which will get you started quickly -- and then the complete Router Security Configuration Guide, Release 1.1c PDF which should take you a bit longer to page through.

    The SANS Cisco Router Hardening Step by Step PDF is here

    Then you'd want to head over to the Cisco web site and peruse the Cisco Guide to Harden Cisco IOS Devices web page. You can also grab a PDF copy from that page. A lot of the basics should look familiar from the NSA and SANS guides, but you should find some newer tidbits included in the Cisco web page.

    You can also grab some popcorn and watch the 20 minute video on Hardening Cisco IOS Devices on the Cisco Learning Network. You'll have to log in to view (registration is free).

    Then if you're still paranoid about security you can hit up the big boy security documents -- find the ones for your IOS Versions. Here are the links to 12.4T
    Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T


    That should get you started on securing your router(s).

    Now about your switch security.....
    :mike: Cisco Certifications -- Collect the Entire Set!
  • JSK Member Posts: 166
    Just use AutoSecure. :) j/k!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    mikej412 wrote: »
    The NSA and SANS guides for securing Cisco Routers have been around for a while and are good starting points.

    Under the Cisco Router Guides section on the NSA's Current Security Configuration Guides web page you'll find the Router Security Configuration Guide, Executive Summary PDF which will get you started quickly -- and then the complete Router Security Configuration Guide, Release 1.1c PDF which should take you a bit longer to page through.

    The SANS Cisco Router Hardening Step by Step PDF is here

    Then you'd want to head over to the Cisco web site and peruse the Cisco Guide to Harden Cisco IOS Devices web page. You can also grab a PDF copy from that page. A lot of the basics should look familiar from the NSA and SANS guides, but you should find some newer tidbits included in the Cisco web page.

    You can also grab some popcorn and watch the 20 minute video on Hardening Cisco IOS Devices on the Cisco Learning Network. You'll have to log in to view (registration is free).

    Then if you're still paranoid about security you can hit up the big boy security documents -- find the ones for your IOS Versions. Here are the links to 12.4T
    Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing the Control Plane, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
    Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T


    That should get you started on securing your router(s).

    Now about your switch security.....

    Hey mike do you think the links you provided along with an old SNRS book would be enough for the R part of the SNRS?
  • mikej412 Member Posts: 10,086
    Hey mike do you think the links you provided along with an old SNRS book would be enough for the R part of the SNRS?
    At the professional level it's always good to check out the exam blueprint and hunt down the relevant Cisco Docs. Just a quick glance at the SNRS blueprint topics (huh? The SECURE exam is available October 2010 and SNRS went away April 2010?) and I'd say the Cisco Docs more than cover the exam topics -- the fun part is finding what you need without just reading all the documents. :D

    I'm guessing since the Cisco Certifications Exam web page is showing 4 new CCSP exams available October 8th (SECURE v1, FIREWALL v1, VPN v1, and IPS v7) and showing some of the exams (SNRS, SNAF, SNAA) already went away last April and some are going away in 2011 (IPS v6, MARS, CANAC, etc) there are changes coming to the CCSP (and typos on that page)
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    mikej412 wrote: »
    At the professional level it's always good to check out the exam blueprint and hunt down the relevant Cisco Docs. Just a quick glance at the SNRS blueprint topics (huh? The SECURE exam is available October 2010 and SNRS went away April 2010?) and I'd say the Cisco Docs more than cover the exam topics -- the fun part is finding what you need without just reading all the documents. :D

    I'm guessing since the Cisco Certifications Exam web page is showing 4 new CCSP exams available October 8th (SECURE v1, FIREWALL v1, VPN v1, and IPS v7) and showing some of the exams (SNRS, SNAF, SNAA) already went away last April and some are going away in 2011 (IPS v6, MARS, CANAC, etc) there are changes coming to the CCSP (and typos on that page)

    They changed the exams? Oh man. Maybe we can get some BOOKS now lol.

    CCNP security. I don't like the name but maybe having "CCNP" in it will make it "known". I really want to do it, my company doesn't use ASAs but I think I would benefit from studying the SNRS (or SECURE) material.

    I was looking for more info about CCNP security and I found this:

    May 14, 2001 - CCNP Specializations - IT Certification and Career Paths - Cisco Systems

    I didn't know at one point all the certs were named CCNP. I wonder why they changed it...
  • mikej412 Member Posts: 10,086
    CCNP security.
    I'm heading over to the http://www.techexams.net/forums/ccsp/58535-ccsp-certification-changes.html thread to answer rather than go off topic in this one :D
    :mike: Cisco Certifications -- Collect the Entire Set!
  • RS_MCP Member Posts: 352
    Hey man,
    Just for starters you might get an acl inbound on that outside interface ASAP. Then I would enable AAA, and create a username/secret and and enable secret. Protect your config by getting rid of those pw 7's. That will get you going...then look at disabling unnecessary services, etc...

    "Just for starters you might get an acl inbound on that outside interface ASAP"

    What do you mean?
  • peanutnoggin Member Posts: 1,096
    RS_MCP wrote: »
    "Just for starters you might get an acl inbound on that outside interface ASAP"

    What do you mean?

    Typically on your internet facing link, you'd want some ACLs to block things such as RFC1918 addresses, multicast addresses, BOGON addresses, etc... your ISP may take care of this, but it never hurts to put that in place. HTH.

    -Peanut
    We cannot have a superior democracy with an inferior education system!

    -Mayor Cory Booker
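Peanut's inbound filter written out for the posted router, as an added example and not the poster's own lines. It assumes the outside address is static and that the router is managed from the inside only; the blocked ranges are the permanently reserved ones (RFC 1918, loopback, link-local, multicast, class E), not a full bogon list, which changes over time and has to be refreshed from its publisher. Because `ip inspect FW out` already sits on FastEthernet0/0, CBAC will insert temporary entries into this inbound ACL for sessions that inside hosts start, so the list can safely end in a deny-all.

```cisco
! Added example, not from the original post. <ADMIN-IP>/<OUTSIDE-IP> are placeholders.
ip access-list extended OUTSIDE-IN
 remark -- Sources that can never legitimately arrive from the Internet --
 remark RFC 1918 (this also catches spoofs of the inside 192.168.250.0/24)
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark "this" network, loopback, link-local, multicast (224/4), class E (240/4)
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 remark -- ICMP that inside sessions depend on: path-MTU discovery, traceroute --
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark -- Remote management, if ever needed, is one pinhole, e.g.
 remark    permit tcp host <ADMIN-IP> host <OUTSIDE-IP> eq 22
 remark -- Everything else is dropped; CBAC (ip inspect FW out on Fa0/0) adds
 remark    temporary permits above this line for inside-initiated sessions.
 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
```

`show access-lists OUTSIDE-IN` shows which deny lines are taking hits and `show ip inspect sessions` shows the sessions CBAC is holding open through the list. If the final `deny ... log` gets noisy on a busy link, drop the `log` keyword there and keep it on the spoofed-source lines, which are the ones worth seeing.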
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    JSK wrote: »
    Just use AutoSecure. :) j/k!

    You may actually want to review autosecure and implement some of its features (not automatically but manually).

    Cisco AutoSecure White Paper [Cisco IOS Network Foundation Protection (NFP)] - Cisco Systems
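The settings AutoSecure applies when run interactively, entered by hand as Bl8ckr0uter suggests so each one can be judged against this router; this is an added example, not the post's lines and not AutoSecure's generated output. The syslog host 192.168.250.10 and the banner text are assumptions. It also covers Jason's "disable unnecessary services" item.

```cisco
! Added example, not from the original post or from AutoSecure itself.
!
! --- Global services with no role on a small NAT/firewall router ---
no service pad
no service finger
no ip finger
no ip identd
no ip bootp server
no ip source-route
no ip gratuitous-arps
no service tcp-small-servers
no service udp-small-servers
service tcp-keepalives-in
service tcp-keepalives-out
ip tcp synwait-time 10
! AutoSecure disables CDP everywhere; prefer "no cdp enable" on the WAN port
! alone if devices on the inside rely on it.
no cdp run
!
! --- Password and login brute-force controls ---
security passwords min-length 10
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! --- Logging: keep a local buffer, ship a copy off-box, number the messages ---
service sequence-numbers
logging buffered 16384 informational
logging trap informational
logging host 192.168.250.10
!
banner motd ^Authorized access only. Activity is logged.^
!
! --- Outside interface: drop spoofed sources, stop leaking topology ---
interface FastEthernet0/0
 ! strict unicast RPF; allow-default is required on a router whose only route
 ! to the Internet is 0.0.0.0/0, otherwise every Internet source fails the check
 ip verify unicast source reachable-via rx allow-default
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mask-reply
 no ip directed-broadcast
```

Back up the running configuration before applying this and diff `show running-config` afterwards; `show ip interface FastEthernet0/0` confirms uRPF and the ICMP settings took effect, and `show login` reports whether the block-for quiet mode has ever triggered. uRPF here relies on `ip cef`, which the posted configuration already enables.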