With the almost constant inundation of security warnings, now is a good time to review standard Cisco router security. First of all, for those with high-security needs, it’s always a good idea to use a dedicated, specialized firewall device. Cisco provides the PIX firewall for just such an application. It also offers an add-on firewall feature set for its IOS software that provides extra security options. There are several well-known and trusted firewall vendors that provide secure, high-performance solutions as well. These solutions generally come with a significant price tag, though. Many security consultants would say that price is not the issue, and I tend to agree. But try telling that to your small-business clients, who don’t suffer from deep-pocket syndrome. In these cases, it is usually necessary for the Internet router to be as secure as possible. To that end, I’ll be describing some methods that can be used to achieve this.
The following examples assume a standard, vanilla version of Cisco IOS 12.x.
Secure router interfaces
Let’s start by securing the router access interfaces. The interface we are most concerned about is the VTY line used for Telnet access across the network. I don’t recommend allowing Telnet access to the router from outside your local network unless it occurs via an encrypted session. You may find this a little limiting, especially if you’re getting support from an outside vendor. If so, you may want to grant limited access via the outside interface to only specific addresses. If you choose to do this, there are several tasks to be completed. The first thing you’ll want to do is restrict Telnet access. Then, you’ll want to assign a password to the VTY lines:
Inet-rtr (config)# access-list 1 permit 126.96.36.199
Inet-rtr (config)# line vty 0 4
Inet-rtr (config-line)# password 7 xxxxxx
Inet-rtr (config-line)# login
Inet-rtr (config-line)# access-class 1 in
Other ports to consider are the console and auxiliary ports. The console access is used for physically connecting to the router, and the auxiliary (AUX) port is generally used for modem access. You can secure these ports with passwords, or you can physically secure access to the router. Actually, doing both wouldn’t be a bad idea. You’ll also want to configure an enable secret password.
Securing the external interface
Since the external interface is considered the most vulnerable point of entry, we definitely want to restrict the traffic that can enter. We do this with access lists. In this case, we’ll be using extended access lists. There are several kinds of traffic we want to allow; everything else will be denied. This access list would be applied on the inbound of the outside interface:
access-list 101 deny ip 172.16.222.0 0.0.0.255 any
access-list 101 deny ip host 188.8.131.52 any
These two statements above are for antispoofing. They keep out packets that are masquerading with addresses from our internal network, as well as the outside interface address on our router.
access-list 101 permit tcp any any established
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
The statements above permit only packets that were initiated by internal sessions; they restrict packets from the reserved, private address space designated by RFC. You’ll also want to limit packets that appear to be coming from the localhost loopback address, broadcast addresses, and multicast addresses, as follows:
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip 184.108.40.206 220.127.116.11 any
Then, there’s always the issue of ICMP traffic. It’s nice when users can ping sites outside your network and receive responses. There are other types of ICMP traffic that you may also want to allow.
You’ll want to allow SMTP e-mail traffic, but only to internal e-mail servers.
Another kind of traffic you’ll want to allow through is DNS:
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
I also recommend that you log all traffic that matches the restrictions in your access lists. You can do this by adding the log parameter to the end of your access list statements. This also requires a logging server to store the log files.
Turn off unnecessary services and features
It’s always a good idea to lower your exposure on an Internet boundary device, whether it’s a firewall, router, or other edge system. In an effort to do so, it’s recommended that you disable all unnecessary features. The following is a list of features to consider:
no cdp run
no service finger
no ip source-route
no ip directed-broadcast
service timestamps debug datetime
service timestamps log datetime
no service udp-small-servers
no service tcp-small-servers
no ip http server
First, we disable Cisco Discovery Protocol (CDP) on the external interface. It’s a great feature to use internally, but you don’t want to allow outside sources to access CDP information about your router or network. The reason for disabling finger is much the same. Source routing and directed broadcasts should always be disabled unless there is a specific need for these features. Configuring debug logging will allow you to track down router messages. The next statements pertain to minor services but are generally recommended for the disable list. The last statement will shut down the HTTP server facility on the router, which is always a good idea.
Although a router is not a true firewall, it can be secured to a great degree against the prying eyes of outsiders. The measures I’ve mentioned here should by no means be considered a complete security solution. These are mostly well-known methods that block the larger holes. You’ll want to check the Cisco Web site for current security information regarding your router model and IOS version. Again, those who require a higher level of security can purchase turnkey solutions from other vendors that are specifically designed to handle nearly all security needs.