Monday, 19 March 2007

Advanced Cisco Router Security

OK, I got to speak a little bit about advanced Cisco router security settings. I have been configuring Cisco devices since 2002 and when I looked back, I realised that my configuration is not secure at all. There are so many loopholes hanging around here and there. If an attacker were to use a port scanner, he would be able to see all the open ports and services that are present on the router. That's a bad, bad configuration by me. Well, every man makes mistakes and learns from there onwards. It's 2007 and I have learnt my mistakes the hard way, so here is the improved sample configuration from me. However, please note that the points are not in any particular order.

1. Practice logging. There are a lot of ways to perform logging. You can use AAA, syslog and system logging, which includes console and VTY logins.
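An added example (not from the original post) that puts all three kinds of logging together: timestamped syslog to a remote host, console/VTY login logging, AAA accounting of who logged in and what they typed, and the configuration-change archive. The syslog/TACACS+ host 192.0.2.10, the Loopback0 source interface and the key EXAMPLE-KEY are constructed placeholders; the login and archive commands need IOS 12.3(4)T or later.

```cisco
! Added example, not the post's own config. 192.0.2.10, Loopback0 and
! EXAMPLE-KEY are placeholders; substitute your own syslog/AAA host and key.
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
service sequence-numbers
!
! Local buffer plus remote syslog; keep console logging low so a flood of
! messages cannot stall the console.
logging buffered 32768 informational
logging console critical
logging trap informational
logging source-interface Loopback0
logging host 192.0.2.10
!
! Console/VTY login logging: record failures and successes, and slow down
! password guessing (block-for must be set for the on-failure/on-success
! commands to take effect).
login block-for 120 attempts 5 within 60
login on-failure log
login on-success log
!
! AAA accounting: who logged in, when, and every privileged command they ran.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Configuration-change log: every "configure terminal" change goes to syslog,
! with passwords and keys masked.
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! Verify with: show logging ; show archive log config all
```

Check that the syslog host actually receives the messages before relying on it: a router whose only copy of the log is its own buffer loses that buffer on reload, which is exactly when you want it.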

2. Use an authentication proxy if required. If you have an internal server which requires login, you can set up an authentication proxy to make sure users authenticate with the router first before their traffic is allowed to reach the server. Make sure you set up either a local database or an AAA server for verification of user credentials. Which one you use will depend on the organization.
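An added example (not from the original post) of an HTTP authentication proxy in front of one internal web server. Everything here is constructed: users on 10.20.0.0/16 behind FastEthernet0/0, the protected server 10.10.10.5 behind FastEthernet0/1, a TACACS+ server at 192.0.2.10 with the placeholder key EXAMPLE-KEY, and the list name WEBAUTH. The one caveat worth knowing in advance is that the HTTP proxy serves its login page from the router's own HTTP server, so that server has to stay on; the example restricts it rather than leaving it open.

```cisco
! Added example, not the post's own config. Addresses, key and names are
! placeholders; a local account is kept so a TACACS+ outage cannot lock you out.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication login default group tacacs+ local
! the per-user access entries the proxy installs are fetched via authorization
aaa authorization auth-proxy default group tacacs+
username admin privilege 15 secret EXAMPLE-LOCAL-PASSWORD
!
! The proxy's login page comes from the router's HTTP server, so it must be
! enabled; tie it to AAA logins and allow only the user subnet to reach it.
ip http server
ip http authentication aaa
ip http access-class 10
access-list 10 permit 10.20.0.0 0.0.255.255
!
! Only HTTP from the users to the protected server triggers authentication
! (list 110); an idle session is torn down after 60 minutes.
access-list 110 permit tcp 10.20.0.0 0.0.255.255 host 10.10.10.5 eq www
ip auth-proxy name WEBAUTH http inactivity-time 60 list 110
ip auth-proxy auth-proxy-banner http
!
! The interface ACL denies the server until a user has authenticated; the
! proxy then adds a dynamic entry for that user's source address ahead of
! the deny line.
access-list 120 deny   tcp any host 10.10.10.5
access-list 120 permit ip any any
interface FastEthernet0/0
 description inside users
 ip address 10.20.0.1 255.255.0.0
 ip access-group 120 in
 ip auth-proxy WEBAUTH
!
! Verify with: show ip auth-proxy cache ; show ip access-lists 120
```

After a user logs in, `show ip access-lists 120` shows the dynamic permit entry the proxy inserted for that source address; when the inactivity timer expires the entry disappears and the next request is challenged again.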

3. Disable unnecessary services. This point is very important. Never allow services like finger, telnet or SNMP if they are not required. Multiple exploits have been published that can compromise the router through such services. So, review your router, check for unwanted services and shut them down.

4. Restrict access. Restrict access to the VTY lines, console, SSH, telnet, etc. I will not say much about this, as it is covered with configuration examples in my earlier post.

5. Use autosecure. You can use the auto secure command in IOS version 12.3 onwards to implement router security. This command lets you disable CDP and finger if they are not needed. Use it if you do not know how to configure these settings manually.
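Points 3, 4 and 5 are really one hardening pass, so here is one added example (not from the original post) that does it by hand and then names the automated alternative. It assumes an outside interface FastEthernet0/1, a management subnet 192.0.2.0/24, the hostname rtr1 and domain example.test; all of these are constructed placeholders.

```cisco
! Added example, not the post's own config. Interface, subnet, hostname and
! domain are placeholders.
!
! --- 3. services that answer on open ports: off unless you need them ---
no service finger
no ip finger
no service tcp-small-servers
no service udp-small-servers
no ip bootp server
no ip http server
no ip http secure-server
no service pad
no snmp-server
no cdp run
no ip source-route
service password-encryption
!
! Per interface on the outside: no proxy ARP, directed broadcasts, redirects,
! unreachables or CDP.
interface FastEthernet0/1
 description outside
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip mask-reply
 no cdp enable
!
! --- 4. management access: SSH version 2 only, from the management subnet only ---
hostname rtr1
ip domain-name example.test
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
line con 0
 exec-timeout 5 0
 logging synchronous
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 5 0
!
! --- 5. the automated alternative (exec mode, IOS 12.3 onwards) ---
! auto secure management no-interact
!
! Either way, confirm from a host outside the management subnet that a port
! scan of the router now shows nothing but the SSH port, and review:
! show running-config | include no service|no ip|no cdp
```

The `deny any log` line at the end of access-list 10 is deliberate: every rejected VTY attempt then lands in the log you set up under point 1, so the scan the post worries about becomes visible instead of silent.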

6. Enable the IPS in your router. Modern Cisco routers come with IPS included in the IOS. Enable it. With IPS enabled, when a configured signature suspects that traffic is an attack, you can log the event to a server, drop the packets, or forward them to the destination with the reset bit set.
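An added example (not from the original post) of turning on IOS IPS in the signature-category style introduced in 12.4(11)T. It assumes an outside interface FastEthernet0/1, a signature package already copied to flash:ips/ (placeholder path) and the IPS name IOSIPS; alerts go to the syslog host from point 1. The three responses the post lists map to the actions `produce-alert`, `deny-packet-inline` and `reset-tcp-connection`.

```cisco
! Added example, not the post's own config. Interface, path and name are
! placeholders; needs IOS 12.4(11)T or later.
ip ips config location flash:ips/ retries 1
ip ips name IOSIPS
ip ips notify log
! Default is fail-open (traffic passes if signatures fail to load). Use
! "ip ips fail closed" only where dropping everything beats running unprotected.
!
! Start small: retire every signature, then un-retire the basic IOS set.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
  event-action produce-alert
!
! Once the alerts from a few days of normal traffic have been reviewed and
! the noisy signatures tuned, add dropping; reset-tcp-connection is the third
! action and only makes sense on TCP signatures.
!  event-action produce-alert deny-packet-inline reset-tcp-connection
!
interface FastEthernet0/1
 description outside
 ip ips IOSIPS in
!
! Verify with: show ip ips configuration ; show ip ips signatures count ;
!              show ip ips statistics
```

Alert-only first, drop later, is the safe order: an inline drop on a false positive takes out real traffic, and a router with no one reading its IPS log is not yet ready to be told to drop.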

7. Use CBAC. This feature allows monitoring of layer 7 protocols like HTTP and FTP. It creates a session table entry for any connection that an internal user initiates to the outside world. When CBAC sees unusual behaviour in a session, it can drop the connection.

8. Use port-to-address mapping (PAM). Use this feature to map known services to a different port. For example, HTTP runs on port 80; you can map it to port 9090 instead. This feature blends well with CBAC.
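Points 7 and 8 belong together, so here is one added example (not from the original post) of CBAC inspection on the outside interface plus a PAM entry for a web server that listens on 9090. Cisco's own expansion of PAM is Port-to-Application Mapping, and the command name reflects that. Assumed and constructed: inside users behind FastEthernet0/0, the Internet on FastEthernet0/1, an external web server 198.51.100.7 reached on port 9090, and the inspection rule name FW.

```cisco
! Added example, not the post's own config. Interfaces, the 198.51.100.7
! server and the rule name FW are placeholders.
!
! --- 7. CBAC: inspect sessions started from inside, open return traffic ---
ip inspect audit-trail
ip inspect tcp synwait-time 15
ip inspect tcp idle-time 1800
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect name FW http audit-trail on
ip inspect name FW ftp
ip inspect name FW smtp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
! --- 8. PAM: tell CBAC that HTTP to this one host runs on 9090 ---
! (the system default port 80 mapping stays; ACL 20 limits the new mapping
! to the single host, so 9090 elsewhere is still inspected as plain TCP)
access-list 20 permit host 198.51.100.7
ip port-map http port 9090 list 20
!
! Outside interface: nothing unsolicited gets in, and spoofed private
! sources are logged separately; CBAC punches holes for inside-initiated
! sessions above this ACL.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip any any log
interface FastEthernet0/1
 description outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Verify with: show ip inspect sessions ; show ip port-map http ;
!              show ip inspect config
```

With `audit-trail on` for HTTP, each inspected session produces a start and stop line with source, destination and byte counts, which is the cheapest way to see whether the 9090 mapping is actually being treated as HTTP (it appears as an http session in `show ip inspect sessions`) rather than as generic TCP.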
