Saturday, September 14, 2013

Cisco IOS Device Hardening

I've decided to dedicate a separate blog to describing my lab and journaling its upgrades. I've started to realize the value of owning real network equipment as opposed to doing remote labs or GNS3 emulation. It teaches me the intricacies of networking and gives me a deep understanding of the technology. This also trains me to become better at network design and physical troubleshooting, which is needed if someone wants to attempt any CCIE lab exam.

I'm halfway through with FIREWALL and beginning to miss routing and switching. So I've spent a night trying to secure my 871w router. This would also serve as my CCNA Security 101 review.

Device hardening is an essential task that a networking professional must never overlook. It involves implementing methods for securing the router's administrative access using the command-line interface (CLI) as well as the web graphical user interface (GUI).

Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all networking personnel should have the same level of access to devices, defining administrative roles is another important aspect of securing infrastructure devices.

Many router services are enabled by default for historical (legacy) reasons but are no longer required in today's networks, and each one left running is another listener an attacker can probe. Securing the management and reporting features of a Cisco IOS device is also important.


Minimum Character Length

It is strongly recommended that the minimum password length be set to at least 10 characters to eliminate the short, common passwords that are prevalent on most networks, such as "lab" and "cisco." The command applies to user, enable and line passwords configured after it is entered; passwords already in the configuration are not rechecked, so re-set any existing ones afterwards.

871W(config)#security passwords min-length ?
  <0-16>  Minimum length of all user/enable passwords
871W(config)#security passwords min-length 10
871W(config)#enable secret cisco
% Password too short - must be at least 10 characters. Password not configured.


Disable Unattended Connections

By default, an EXEC session stays logged in for 10 minutes after the last keystroke. After that, the line times out and the session is logged out. The exec-timeout command takes minutes and optional seconds and must be applied to every line type (console, aux and each vty range), because an idle session left open on any of them is a ready-made privileged shell. exec-timeout 0 0 disables the idle timeout entirely and belongs only on a lab console.

871W(config-line)#exec-timeout ?
  <0-35791>  Timeout in minutes

871W(config-line)#exec-timeout 5


Encrypt All Passwords

By default, some passwords are shown in plaintext in the Cisco IOS software configuration. With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-encryption command.

This is a weak, reversible encoding (type 7), and its only real purpose is to stop someone from reading a password over your shoulder while you're looking at the configuration. Anyone who obtains the configuration file can recover the plaintext in seconds, so the enable secret and user accounts (username ... secret) should use the irreversible hash instead, and the configuration file itself has to be treated as a secret.

871W#show running-config
Building configuration...

Current configuration : 513 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname 871W
!
!
!
enable password ciscocisco


871W#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
871W(config)#service password-encryption
871W(config)#end

%SYS-5-CONFIG_I: Configured from console by console
871W#show running-config
Building configuration...

Current configuration : 537 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname 871W
!
!
!
enable password 7 0822455D0A16
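Here is what "weak" means in practice. The Python below is an added example and is not part of the original post (nor Cisco's code): it implements the type 7 scheme, which is a plain XOR against a fixed key string (the constant is the one public decoders use, reproduced here as an assumption about the algorithm) starting at the offset given by the first two digits. Fed the `0822455D0A16` string from the listing above, it returns the classic five-character "cisco". Anyone holding a copy of the configuration, say from a backup server or a TFTP capture, gets the plaintext back instantly.

```python
import re

# Fixed key of Cisco's type 7 scheme ("service password-encryption"). The constant
# is the one used by public decoders; it is not from the original post.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 <hex>' string.

    The first two decimal digits are the starting offset into XLAT; each following
    hex byte is one plaintext byte XORed with the next key byte.
    """
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected two seed digits followed by an even number of hex digits")
    seed = int(encoded[:2])
    if seed >= len(XLAT):
        raise ValueError("seed out of range for the type 7 key")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce the string IOS stores for 'plain' (IOS picks the seed at random from 0-15)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    out = [f"{seed:02d}"]
    for i, b in enumerate(plain.encode("ascii")):
        out.append(f"{b ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}")
    return "".join(out)


def find_type7(config_text: str):
    """Yield (command, encoded, plaintext) for every 'password 7' / 'key 7' in a config dump."""
    pattern = re.compile(r"^(.*\b(?:password|key)\b.*?) 7 ([0-9A-Fa-f]{4,})\s*$", re.M)
    for m in pattern.finditer(config_text):
        yield m.group(1).strip(), m.group(2), type7_decode(m.group(2))


if __name__ == "__main__":
    for command, encoded, plain in find_type7("enable password 7 0822455D0A16\n"):
        print(f"{command}: {encoded} -> {plain!r}")
```

Use `enable secret` and `username ... secret` instead; on 12.4 those are salted MD5 (type 5), and later IOS releases add the stronger type 8 (PBKDF2) and type 9 (scrypt). The type 7 strings that cannot be avoided, such as protocol keys the router must be able to send, are exactly the lines `find_type7` reports, which is the list of credentials you have to assume are exposed whenever the configuration leaves the box.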



Configuring Enhanced Security for Virtual Logins

The Cisco IOS login enhancements feature adds protection for virtual connections (Telnet, SSH and HTTP) by slowing down dictionary attacks and limiting the damage from login-based DoS attacks; it does not apply to the console. The login process should be configured with these parameters:

    * Delays between successive login attempts

    * Login shutdown if DoS attacks are suspected

    * Generation of system logging messages for login detection

The login block-for command has to be entered first, since login delay and login quiet-mode are refused until it exists. The quiet-mode ACL lists the management hosts that may still log in while the router is refusing everyone else; without it an attacker who trips the threshold locks the administrators out too.

871W(config)#login ?
  block-for   Set quiet-mode active time period
  delay       Set delay between successive fail login
  on-failure  Set options for failed login attempt
  on-success  Set options for successful login attempt
  quiet-mode  Set quiet-mode options

871W(config)#login block-for ?
  <1-65535>  Time period in seconds

871W(config)#login block-for 30 ?
  attempts  Set max number of fail attempts

871W(config)#login block-for 30 attempts 5 ?
  within  Watch period for fail attempts

871W(config)#login block-for 30 attempts 5 within ?
  <1-65535>  Time period in seconds

871W(config)#login block-for 30 attempts 5 within 60
871W(config)#login quiet-mode ?
  access-class  Set access class

871W(config)#login quiet-mode access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name

871W(config)#login quiet-mode access-class 10
871W(config)#login delay ?
  <1-10>  Time period in seconds

871W(config)#login delay 5
871W(config)#login on-success log
871W(config)#login on-failure log
871W(config)#do show login
     A login delay of 5 seconds is applied.
     Quiet-Mode access list 10 is applied.
     All successful login is logged.
     All failed login is logged.

     Router enabled to watch for login Attacks.
     If more than 5 login failures occur in 60 seconds or less,
     logins will be disabled for 30 seconds.

     Router presently in Normal-Mode.
     Current Watch Window
         Time remaining: 37 seconds.
         Login failures for current window: 0.
     Total login failures: 0.

871W(config)#do terminal monitor
871W(config)#
*May 19 23:10:17.402 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:17 UTC Wed May 19 2010
871W(config)#
*May 19 23:10:25.151 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 192.168.1.11] [localport: 23] [Reason: Login Authentication Failed - BadUser] at 23:10:25 UTC Wed May 19 2010
871W(config)#
*May 19 20:10:09.241 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.12]  [localport: 23] at 20:10:09 UTC Wed May 19 2010
871W(config)#do show login failures
Total failed logins: 2
Detailed information about last 50 failures

Username        SourceIPAddr    lPort Count TimeStamp
asdf            192.168.1.12    23    2     20:12:03 UTC Wed May 19 2010
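To see how the watch window behaves, here is an added example in Python, not part of the original post, that parses %SEC_LOGIN syslog lines in the format shown above and replays them through the same rules: the configured number of failures inside the watch window puts the router into quiet mode for the block-for period, during which only hosts matched by the quiet-mode ACL may still log in. The sample lines, hosts and times are constructed for the example, the ACL is assumed to be 192.168.1.0/24, and the window is modelled as opening at the first failure and being discarded when it expires; whether the Nth or the (N+1)th failure trips it on a given IOS release is best confirmed with show login on the box.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample syslog in the %SEC_LOGIN format shown in this post; the
# hosts, users and times are made up for the example (localport 22 = SSH).
SAMPLE_LOG = """\
*May 19 23:10:17.402 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: asdf] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadUser] at 23:10:17 UTC Wed May 19 2010
*May 19 23:10:20.118 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:10:20 UTC Wed May 19 2010
*May 19 23:10:23.507 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:10:23 UTC Wed May 19 2010
*May 19 23:10:26.009 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadUser] at 23:10:26 UTC Wed May 19 2010
*May 19 23:10:29.334 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadUser] at 23:10:29 UTC Wed May 19 2010
*May 19 23:10:35.871 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.168.1.12]  [localport: 22] at 23:10:35 UTC Wed May 19 2010
*May 19 23:10:40.202 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.50] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:10:40 UTC Wed May 19 2010
*May 19 23:11:10.640 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.1.12] [localport: 22] [Reason: Login Authentication Failed - BadPassword] at 23:11:10 UTC Wed May 19 2010
"""

LINE_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<kind>FAILED|SUCCESS):.*?"
    r"\[user: (?P<user>[^\]]*)\]\s*\[Source: (?P<src>[^\]]+)\]\s*\[localport: (?P<port>\d+)\]"
    r".*? at (?P<time>\d\d:\d\d:\d\d) UTC (?P<date>\w{3} \w{3} \d{1,2} \d{4})$"
)


def parse_log(text):
    """Turn the router's LOGIN_FAILED / LOGIN_SUCCESS lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.rstrip())
        if m:
            events.append({
                "ts": datetime.strptime(f"{m['time']} {m['date']}", "%H:%M:%S %a %b %d %Y"),
                "kind": m["kind"], "user": m["user"], "src": m["src"], "port": int(m["port"]),
            })
    return events


def simulate(text, attempts=5, within=60, block_for=30, quiet_acl=("192.168.1.0/24",)):
    """Replay events through the 'login block-for' rules; returns (ts, src, kind, decision) rows.

    Assumption (the post's 'show login' output describes the feature, not the exact
    counter semantics): the watch window opens at the first failure and is discarded
    when it expires, and the 'attempts'-th failure inside it starts quiet mode.
    """
    acl = [ip_network(n) for n in quiet_acl]
    window_start, failures, quiet_until = None, 0, None
    rows = []
    for e in parse_log(text):
        t, src, kind = e["ts"], e["src"], e["kind"]
        if quiet_until is not None and t >= quiet_until:
            quiet_until = None                      # block-for period is over
        if quiet_until is not None:
            # In quiet mode the router only answers hosts permitted by the quiet-mode ACL.
            permitted = any(ip_address(src) in net for net in acl)
            rows.append((t, src, kind, "quiet-mode: permitted by ACL" if permitted else "quiet-mode: blocked"))
            continue
        if kind == "FAILED":
            if window_start is None or t - window_start > timedelta(seconds=within):
                window_start, failures = t, 0       # open a fresh watch window
            failures += 1
            if failures >= attempts:
                quiet_until = t + timedelta(seconds=block_for)
                window_start, failures = None, 0
                rows.append((t, src, kind, f"threshold reached: quiet mode until {quiet_until:%H:%M:%S}"))
                continue
        rows.append((t, src, kind, "normal-mode"))
    return rows


def failures_by_source(text):
    """The per-source view that 'show login failures' gives, without its 50-entry limit."""
    counts = {}
    for e in parse_log(text):
        if e["kind"] == "FAILED":
            counts[e["src"]] = counts.get(e["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for t, src, kind, decision in simulate(SAMPLE_LOG):
        print(f"{t:%H:%M:%S} {src:<14} {kind:<8} {decision}")
    print(failures_by_source(SAMPLE_LOG))
```

Point it at a syslog archive and you get the picture show login failures gives, but across every device and without the 50-entry limit. Two things the feature does not do: it does not protect the console, and it does nothing about credentials sent in the clear, which is why the localport: 23 in the log lines above matters. Those attempts came in over Telnet, so transport input ssh on the vty lines is the other half of this.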


Banner

A device banner is generally used to warn users against unauthorized access, to display maintenance-related information, or to post reminders for all administrators. The motd and login banners are shown before authentication and the exec banner only after a successful login, so the legal warning belongs in motd or login. Keep words like "welcome" out of it, since they undermine the warning.

Tokens are optional and can be used within the banner message:

$(hostname) - Displays the host name for the router

$(domain) - Displays the domain name for the router

$(line) - Displays the vty or tty (asynchronous) line

$(line-desc) - Displays the description that is attached to the line


871W(config)#banner ?
  LINE            c banner-text c, where 'c' is a delimiting character
  exec            Set EXEC process creation banner
  incoming        Set incoming terminal line banner
  login           Set login banner
  motd            Set Message of the Day banner
  prompt-timeout  Set Message for login authentication timeout
  slip-ppp        Set Message for SLIP/PPP

871W(config)#banner login # This equipment $(hostname) is privately owned and access is logged. Disconnect immediately if you are not an authorized user. Violators will be prosecuted to the fullest extent of the law. #
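Putting the whole post together: the following Python is an added example (not from the original post) that reads a show running-config dump and reports which of the settings covered above are missing or weak: password encryption, the minimum length, enable secret versus enable password, username ... password, the login enhancements, a banner, and per-line exec-timeout, plus transport input ssh and an access-class on the vty lines. The two config excerpts are constructed for the example (the type 5 hashes are placeholders, not real digests, and access-list 10 is assumed), and the check treats an absent exec-timeout as the 10-minute IOS default, which does not appear in the running configuration.

```python
# Constructed running-config excerpts in the style of the listings in this post;
# the type 5 hashes are placeholders, not real digests.
WEAK_CONFIG = """\
version 12.4
no service password-encryption
!
hostname 871W
!
enable password ciscocisco
!
username admin password 0 cisco123456
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
version 12.4
service password-encryption
security passwords min-length 10
!
hostname 871W
!
enable secret 5 $1$abcd$placeholderNotARealHash00
!
username admin secret 5 $1$efgh$placeholderNotARealHash00
!
access-list 10 permit 192.168.1.0 0.0.0.255
login block-for 30 attempts 5 within 60
login quiet-mode access-class 10
login delay 5
login on-success log
login on-failure log
!
banner login #Authorized access only#
!
line con 0
 exec-timeout 5 0
 login local
line aux 0
 exec-timeout 0 1
 no exec
line vty 0 4
 exec-timeout 5 0
 access-class 10 in
 login local
 transport input ssh
"""


def _split_config(config_text):
    """Return (global commands, {'line ...': [sub-commands]}) from a running-config dump."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        else:
            current = None            # any other top-level command ends the line block
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks


def audit(config_text, min_length=10):
    """Return a list of findings; an empty list means every check in this post passed."""
    g, blocks = _split_config(config_text)
    findings = []
    if "service password-encryption" not in g:
        findings.append("global: service password-encryption is off; type 0 passwords are readable")
    lengths = [int(c.split()[-1]) for c in g if c.startswith("security passwords min-length ")]
    if not lengths or lengths[0] < min_length:
        findings.append(f"global: security passwords min-length is not at least {min_length}")
    if any(c.startswith("enable password ") for c in g):
        findings.append("global: enable password in use; replace with enable secret")
    if not any(c.startswith("enable secret ") for c in g):
        findings.append("global: no enable secret configured")
    for c in g:
        if c.startswith("username ") and " password " in c:
            findings.append(f"global: '{c.split()[1]}' uses 'username ... password'; use 'username ... secret'")
    if not any(c.startswith("login block-for ") for c in g):
        findings.append("global: login block-for not configured; no dictionary/DoS login protection")
    if not any(c.startswith(("banner login ", "banner motd ")) for c in g):
        findings.append("global: no login or motd banner")
    for name, cmds in blocks.items():
        timeout = next((c for c in cmds if c.startswith("exec-timeout ")), None)
        if timeout is None:
            findings.append(f"{name}: exec-timeout not set (IOS default is 10 minutes)")
        elif timeout.split()[1:] in (["0"], ["0", "0"]):
            findings.append(f"{name}: exec-timeout 0 disables the idle timeout")
        if name.startswith("line vty"):
            transport = next((c for c in cmds if c.startswith("transport input ")), None)
            if transport is None or set(transport.split()[2:]) != {"ssh"}:
                findings.append(f"{name}: transport input is not restricted to ssh")
            if not any(c.startswith("access-class ") for c in cmds):
                findings.append(f"{name}: no access-class restricting management sources")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a directory of backed-up configurations after every change window; a device that silently reverts to enable password or grows a telnet transport shows up as a new finding rather than as a surprise during the next audit.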

