Introduction
Security of the network is a top priority for companies. Of course, this would include securing Cisco routers. It may be surprising to some that Cisco routers run many services that could create vulnerabilities. Some of these services are enabled by default. This white paper lists a number of the services that should be disabled and why. Additionally, some best practices for securing your Cisco routers are defined. This is not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. There are several Cisco security courses that cover this information in depth. Rather, this paper is meant to be a vehicle for discussion regarding the security of Cisco routers.
BOOTP server
This allows a router to act as a BOOTP server for other routers, thereby allowing them to load their operating system over the network from the router acting as the BOOTP server. A hacker could use the BOOTP service to download a copy of the router's IOS software. The tools for this type of attack are available on the Internet. If not required, the BOOTP service should be disabled. The following global command can be used to disable BOOTP: no ip bootp server.
Cisco Discovery Protocol (CDP)
This feature could allow a hacker to gain information about the configuration of the device and of the network infrastructure. If not needed, it should be disabled globally or on an interface-by-interface basis. CDP can be disabled globally with the no cdp run command and on the interface with the no cdp enable command. CDP needs to be enabled when using Cisco IP phones. If it has been disabled globally on the switch, it can be enabled on the interface using the cdp enable command. There are several known attacks on the Cisco IP Phone CDP feature, so it is a decision for each network administrator to weigh that risk against the obvious benefits of CDP in supporting Cisco IP Telephony solutions.
IP Source Routing
IP source routing is a feature whereby a network packet can specify how it should be routed through the network. IP source routing can allow a hacker to specify a route for a network packet to follow, possibly to bypass a firewall or an Intrusion Detection System (IDS). A hacker could also use source routing to capture network traffic by routing it through a system controlled by the attacker. A hacker would have to control either a routing device or an end-point device in order to modify a packet's route through the network. However, tools are available on the Internet that would allow a hacker to specify source routes. Tools are also available to modify network routing using vulnerabilities in some routing protocols. Source routing can be disabled using the global command: no ip source-route.
Finger Service
The finger service allows a hacker to find out who is logged into the router, and therefore to learn valid login names. The information they could access includes the processes running on the system, the line number, connection name, idle time, and terminal location. This is the same information provided by the Cisco IOS software show users EXEC command. Unauthorized persons can use this information for reconnaissance attacks. This service can easily be disabled using the global command: no service finger or no ip finger (depending on the version of code). This command keeps your router from replying to finger requests. In addition to this command, an inbound access list that blocks port 79 should be applied.
Proxy ARP
This feature configures the router to act as a proxy for Layer 2 address resolution when hosts have no default gateway configured. When a host sends an ARP request for a remote system, the router responds with its own MAC address as the one to use for that system. When DHCP is being used, there is no need to have Proxy ARP enabled. Attackers may be able to spoof packets and gather information about your router and your network. Proxy ARP can be disabled on the interface with the following command: no ip proxy-arp.
IP Directed Broadcast
This is enabled by default prior to Cisco IOS software Release 12.0 and disabled by default in release 12.0 or later. IP-directed broadcasts are used in the smurf denial of service (DoS) attack and other related attacks.
TFTP Server
The TFTP server enables you to use your router as a TFTP server for TFTP clients. It allows access to certain files in your Flash memory. This service should remain disabled if not required.
TCP keepalives
TCP keepalives help terminate TCP connections where a remote host has rebooted or otherwise stopped processing TCP traffic. Such a connection could become orphaned, and a hacker could attempt a DoS attack against a Cisco router by exhausting the number of possible connections. TCP keepalives should be enabled globally to confirm that a remote connection is valid and, if not, terminate any orphaned connections. This can be configured from global configuration mode with the command: service tcp-keepalives-in.
Router Interfaces
Unused router interfaces should be disabled to limit unauthorized access to the router and to the network.
Connection Timeout
Connection timeouts can be configured for console ports, auxiliary ports, and VTY lines. If an administrator does not correctly terminate the connection, it will automatically close after the timeout expires. However, if a timeout is not configured, or is configured to be a long timeout, an unauthorized user may be able to gain access using the administrator's previously logged-in connection. The attacker would have to gain physical access to the device to use the console port. A default timeout of 10 minutes is configured on the router console port.
Software Version
It is extremely important that software be regularly maintained with patches and upgrades in order to help mitigate the risk of a hacker exploiting a known software vulnerability.
Auxiliary Port
The auxiliary port's primary purpose is to provide remote administration capability. It can allow a remote administrator to use a modem to dial into the Cisco device. If not in use, the auxiliary port exec should be disabled. This can be done with the no exec command on the aux port. If the auxiliary port is required for remote administration, the callback feature can be configured to dial a specific preconfigured telephone number for additional security.
Password Encryption
If a malicious user were to see a Cisco configuration that contained clear-text passwords, they could use the passwords to access the device. The Cisco password encryption service should be enabled. It can be started with the following Cisco global command: service password-encryption. Even though these passwords can be easily decrypted with tools available on the Internet, they are still more secure than clear-text passwords. In addition, the encryption prevents an unauthorized person from looking over an administrator's shoulder and reading the passwords in clear text.
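As an added defender-side check that is not part of this paper, the following Python script audits a saved IOS running-config for the services and settings discussed above: the global commands named in the paper, Proxy ARP and directed broadcasts per interface, exec on the aux port, and exec-timeout on lines. The sample configuration is constructed; the command names exec-timeout, ip directed-broadcast and tftp-server are assumed IOS spellings that the paper itself does not spell out.

```python
import re
# Constructed sample running-config (not from the paper), deliberately left partly unhardened.
SAMPLE_CONFIG = """\
ip bootp server
ip finger
no cdp run
interface FastEthernet0/0
 no ip proxy-arp
interface FastEthernet0/1
 ip directed-broadcast
line aux 0
 no exec
line vty 0 4
 exec-timeout 0 0
"""

REQUIRED_GLOBAL = {  # lines the paper's hardening steps leave in the config; absence is a finding
    "no ip bootp server": "BOOTP server not disabled",
    "no ip source-route": "IP source routing not disabled",
    "no cdp run": "CDP running globally",
    "service password-encryption": "password encryption service off",
    "service tcp-keepalives-in": "TCP keepalives not enabled",
}
FORBIDDEN_GLOBAL = {  # lines whose presence means a risky service is on (prefix match)
    "service finger": "finger service enabled", "ip finger": "finger service enabled",
    "tftp-server ": "TFTP server enabled"}

def audit_config(text):
    """Return sorted hardening findings for an IOS running-config ([] when clean)."""
    global_lines, sections, current = [], {}, None
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        line = raw.strip()
        if raw.startswith(" ") and current:
            sections[current].append(line)               # indented child of a section
        elif line.startswith(("interface ", "line ")):
            current, sections[line] = line, []
        else:
            current = None
            global_lines.append(line)
    findings = [msg for l, msg in REQUIRED_GLOBAL.items() if l not in global_lines]
    findings += [msg for g in global_lines for p, msg in FORBIDDEN_GLOBAL.items()
                 if g.startswith(p)]
    for header, body in sections.items():
        is_intf = header.startswith("interface ")
        checks = [(is_intf and "ip directed-broadcast" in body, "directed broadcast enabled"),
                  (is_intf and "no ip proxy-arp" not in body, "proxy ARP not disabled"),
                  (header.startswith("line aux") and "no exec" not in body, "aux port exec enabled"),
                  (any(re.fullmatch(r"exec-timeout 0( 0)?", b) for b in body), "exec-timeout disabled")]
        findings += [f"{header}: {msg}" for hit, msg in checks if hit]
    return sorted(set(findings))
```

Run it over the output of show running-config saved to a file; an empty list means every item the paper lists is in its hardened state.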
Summary
All of the potential vulnerabilities listed in this paper can be real threats to Cisco routers. An awareness of these threats will be instrumental in securing your Cisco routers. Again, this was not intended to be an exhaustive listing of all services enabled on Cisco routers that could create vulnerabilities, nor of all best practices for configuring Cisco routers. The intent of this paper has been for it to be a vehicle for discussion regarding the security of those routers.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses:
CCNA Boot Camp v2.0
ISCW Implementing Secure Converged Wide Area Networks
IINS Implementing Cisco IOS Unified Communications
CCDA Boot Camp
For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs.