Automate security configurations with Cisco IOS 12.3

Locking down Cisco routers can be more complicated and cumbersome than securing other systems. However, the new auto secure feature in Cisco's IOS 12.3 can help admins get a jump on securing their routers. Take a look at what it can do.

The new Cisco Internetwork Operating System (IOS) version 12.3 contains a very useful feature that allows administrators to automate a number of security functions.

Of course, people love anything automatic. We have automatic transmissions in many of our cars, we can set automatic replies to e-mail messages when we are out of the office, and we can automatically pay our bills with an online banking service. So, if those things can be automated, can you automate Cisco router security? Let's take a look.

What is automatic security?
Let me start by explaining that security is a continual process and not something that is done once. You are never finished securing your network. Cisco developed the Security Posture Assessment Process that uses the Security Wheel to illustrate automatic security, as shown in Figure A.

Figure A

The automatic security offered by IOS 12.3 only fits into the Secure part of the wheel. The other three processes of the wheel must still be done manually. Nevertheless, automating the security of a router can be very handy for network administrators.

If you don't already know exactly how your Cisco routers should be secured or you would like an overview of it, here are three excellent resources that every Cisco network administrator should be familiar with:

Running auto secure
I'm going to start off with a Cisco 2610 router running IOS 12.3(1a). Listing A shows the starting configuration.

As you can see, this router has the default configuration with the exception of the IP addresses on the Ethernet and serial interfaces. To automate security, you'll run the command auto secure from a privileged EXEC (enable) prompt, like this:
router# auto secure

From here, you'll be told that the auto secure configuration enhances the security of the router but won't make it absolutely secure against all attacks. You'll be asked if you have any interfaces that connect to the Internet. If you do, you must specify them. Next, unneeded IP services are disabled, and you'll be asked to configure a security banner. You'll then be prompted to configure a local user and an enable password; after that, AAA will be configured. You'll also be asked whether you want to configure Secure Shell (SSH).

Then, the IANA reserved networks and private address space will be denied on your Internet interface. The wizard will ask if you want to configure the IOS Firewall (also known as Context-Based Access Control, or CBAC). Finally, you'll be shown the newly created configuration and asked if you want to apply it. I won't include the entire text of the process in this article, because it's very long. After I completed this process, my running configuration looked like what's shown in Listing B.

As you can see from the resulting configuration, the configuration changed substantially. To see only the configuration that auto secure generated, you can issue the command show auto secure config.

You should note that there is no way to undo the configuration that auto secure applies. So once these commands are put on a router, they have to be removed one by one, or the configuration has to be wiped clean. I would highly recommend against running auto secure on a production router without testing, because you don't know the ramifications of applying these commands on the production router and you don't know how these commands would interact with the configuration that is already in place. I recommend applying auto secure to a test router and then copying and pasting the applicable commands over to the configuration of a production router.
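Following that advice is easier with a context-aware diff of the running-config before and after the wizard: the added lines are the snippet to carry to production, and negating them gives a draft of the back-out list that auto secure itself does not provide. This is an added example, not code from the article or from Cisco; the two configs are constructed and only modelled on the kinds of changes the article describes, and the 'no'-prefix inversion is a naive heuristic that has to be reviewed by hand.

```python
# Constructed sample configs (not the article's Listing A or B): a near-default router
# and a hardened copy modelled on the changes the article describes (services, password policy, WAN ACL).
BEFORE = """\
no service password-encryption
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
"""
AFTER = """\
service password-encryption
security passwords min-length 6
security authentication failure-rate 10 log
no ip source-route
ip access-list extended autosec_firewall_acl
 deny ip any any
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 ip access-group autosec_firewall_acl in
"""
def parse(config):
    """(context, command) pairs: indented lines take the preceding top-level line as context."""
    pairs, context = [], ""
    for raw in config.splitlines():
        if raw.startswith(" "):
            pairs.append((context, raw.strip()))
        elif raw.strip():
            context = raw.strip()
            pairs.append(("", context))
    return pairs
def added(before, after):
    """Commands present after the wizard ran but not before, in config order."""
    old = parse(before)
    return [p for p in parse(after) if p not in old]
def invert(command):
    """Naive IOS inverse: drop a leading 'no ', otherwise prepend one."""
    return command[3:] if command.startswith("no ") else "no " + command
def render(pairs, transform=str):
    """Pasteable config-mode snippet: enter a context (interface, ACL) when it changes
    and leave it with 'exit'. render(added(b, a)) is what to carry to production."""
    out, last = [], ""
    for ctx, cmd in pairs:
        if ctx != last:
            if last:
                out.append("exit")
            if ctx and out[-1:] != [ctx]:  # don't repeat a block header just emitted
                out.append(ctx)
            last = ctx
        out.append((" " if ctx else "") + transform(cmd))
    return out + (["exit"] if last else [])
def rollback(before, after):
    """Draft back-out to review by hand (not every IOS command has a plain 'no' inverse).
    Negating a new block such as the ACL removes its children too, so they are skipped."""
    adds = added(before, after)
    new_blocks = {cmd for ctx, cmd in adds if not ctx}
    return render([p for p in adds if p[0] not in new_blocks], invert)
```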

Surprising results
I was quite surprised with all that auto secure could do. I had expected it to be a simple script that would just disable unneeded (or known to be insecure) IP services and enforce passwords on the console, aux, and vty ports and on access to enable mode. Auto secure went beyond my expectations and provided some nice security configurations that can save an administrator a lot of time and provide a little education on how to best lock down Cisco routers.

Does auto secure really automate router security? In my opinion: yes—to some degree. At a minimum, auto secure assisted in automating router security. As complicated as router security has gotten today, any effective tools will be appreciated by network security administrators.

Other Cisco IOS 12.3 features
Some other fascinating features of Cisco IOS 12.3 are:
security passwords min-length—This command is used by auto secure but can also be used by itself. Its use is fairly self-explanatory. The default is to make passwords a minimum of six characters. So this would prevent you from configuring the most well-known Cisco password, cisco.
security authentication failure-rate—This is the number of repeated failed login attempts before a 15-second login delay kicks in. The default is 10, but this can be tightened. A useful option of this command is the log option. With it, when the threshold is exceeded, the delay is imposed and an entry is written to the router's buffered log, console, or syslog (depending on your logging configuration).
autoqos—This is similar to auto secure but for configuring quality of service for voice over IP on a router.
do—Network administrators will rejoice over this command. The do command allows you to execute enable-level commands from the global config or interface config prompts. No longer do you have to exit all the way back to enable level to do a show ip interface brief and then config t and interface e0/0 just to check the current IP address of an interface while in interface config mode. For instance, if you wanted to check the amount of RAM in your router from a router(config-line)# prompt, simply type do show version.
kron—This is a new command scheduler on IOS routers. The idea (and the name) are borrowed from the UNIX cron.
AES—Advanced Encryption Standard offers a 256-bit encryption key. This is for traffic that absolutely, positively, must be delivered securely.
There are, literally, hundreds of new features in IOS 12.3; I have only scratched the surface. I encourage you to take a look at the Cisco IOS 12.3 new features release notes.
