4.2. Router Network Service Security
Cisco routers support a large number of network services at layers 2, 3, 4, and 7. Some of
these services can be restricted or disabled, improving security without degrading the
operational use of the router. Some of these services are application layer protocols that allow
users and host processes to connect to the router. Others are automatic processes and settings
intended to support legacy or specialized configurations but which are detrimental to security.
As stated in Section 3, general security practice for routers should be to support only traffic
and protocols the network needs; most of the services listed below are not needed.
Turning off a network service on the router itself does not prevent it from supporting a
network where that protocol is employed. For example, a router may support a network where
the bootp protocol is employed, but some other host is acting as the bootp server. In this case,
the router’s bootp server should be disabled.
In many cases, Cisco IOS supports turning a service off entirely, or restricting access to
particular network segments or sets of hosts. If a particular portion of a network needs a
service but the rest does not, then the restriction features should be employed to limit the
scope of the service.
Turning off an automatic network feature usually prevents a certain kind of network traffic
from being processed by the router or prevents it from traversing the router. For example, IP
source routing is a little-used feature of IP that can be utilized in network attacks. Unless it is
required for the network to operate, IP source routing should be disabled.
4.2.1. Typical Services, Required Services, and Security Risks
The table below lists some of the services offered on Cisco IOS 11.3, 12.0, and later versions.
This list has been kept short by including only those services and features that are security-relevant
and may need to be disabled.
Table 4-1: Overview of IOS Features to Disable or Restrict
4.2.2. How to Disable Unneeded Features and Services
Each sub-section below describes how to disable or restrict particular services and features
under Cisco IOS 11.3 and 12.
CDP
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each
other on a LAN segment. It is useful only in specialized situations, and is considered
deleterious to security. To turn off CDP entirely, use the commands shown below in global
configuration mode.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no cdp run
Central(config)# exit
Central# show cdp
% CDP is not enabled
Central#
In the unlikely event that CDP is needed for part of a network, it can be enabled and disabled
for each interface. To enable CDP use the cdp run command in global configuration mode,
and then disable it on each interface where it is not needed using the no cdp enable command
in interface configuration mode.
TCP and UDP Small Servers
The TCP and UDP protocol standards include a recommended list of simple services that
hosts should provide. In virtually all cases, it is not necessary for routers to support these
services, and they should be disabled. The example below shows how to test whether the TCP
small servers are running, and how to disable the TCP and UDP small servers.
Central# ! if connect succeeds, then tcp-small-servers are enabled
Central# connect 14.2.9.250 daytime
Trying 14.2.9.250, 13 ... Open
Monday, April 3, 2000 11:48:39-EDT
[Connection to 14.2.9.250 closed by foreign host]
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no service tcp-small-servers
Central(config)# no service udp-small-servers
Central(config)# exit
Central# connect 14.2.9.250 daytime
Trying 14.2.9.250, 13 ...
% Connection refused by remote host
Central#
72 Version 1.1c
Advanced Security Services
Finger Server
The IOS finger server supports the Unix ‘finger’ protocol, which is used for querying a host
about its logged in users. On a Cisco router, the show users command may be used to list the
logged in users. Typically, users who are not authorized to log in to the router have no need to
know who is logged in. The example below shows how to test and disable the finger server.
Central# connect 14.2.9.250 finger
Trying 14.2.9.250, 79 ... Open
This is the CENTRAL router; access restricted.
Line User Host(s) Idle Location
130 vty 0 14.2.9.6 00:00:00 goldfish
*131 vty 1 idle 00:00:00 central
[Connection to 14.2.9.250 closed by foreign host]
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip finger
Central(config)# no service finger
Central(config)# exit
Central# connect 14.2.9.250 finger
Trying 14.2.9.250, 79 ...
% Connection refused by remote host
Central#
HTTP Server
Newer Cisco IOS releases support web-based remote administration using the HTTP
protocol. While the web access features are fairly rudimentary on most Cisco router IOS
releases, they are a viable mechanism for monitoring, configuring, and attacking a router. If
web-based remote administration is not needed, then it should be disabled as shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip http server
Central(config)# exit
Central# connect 14.2.9.250 www
Trying 14.2.9.250, 80 ...
% Connection refused by remote host
Central#
Web-based remote administration is useful primarily when intervening routers or firewalls
prevent use of Telnet for that purpose. However, it is important to note that both Telnet and
web-based remote administration reveal critical passwords in the clear. Further, web-based
administration imposes the requirement that users log in at full (level 15) privilege. Therefore,
web-based remote administration should be avoided. If web-based administration is examined
and found necessary for network operations, then its use should be restricted as follows.
• Set up usernames and passwords for all administrators, as discussed in Section 4.1. The
router’s web server will use HTTP basic authentication to demand a username and password
(unfortunately, Cisco IOS does not yet support the superior HTTP digest authentication
standard). If possible, use AAA user access control as described in Section 4.6; AAA will
give more control and better audit.
• Create and apply an IP access list to limit access to the web server. Access lists are
described in Section 4.3.
• Configure and enable syslog logging as described in Section 4.5.2.
The example below illustrates each of these points. Administrators will be allowed to connect
from the 14.2.9.0 network and the host 14.2.6.18 only.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# ! Add web admin users, then turn on http auth
Central(config)# username nzWeb priv 15 password 0 C5-A1rCarg0
Central(config)# ip http auth local
Central(config)# ! Create an IP access list for web access
Central(config)# no access-list 29
Central(config)# access-list 29 permit host 14.2.6.18 log
Central(config)# access-list 29 permit 14.2.9.0 0.0.0.255 log
Central(config)# access-list 29 deny any log
Central(config)# ! Apply the access list then start the server
Central(config)# ip http access-class 29
Central(config)# ip http server
Central(config)# exit
Central#
If possible, protect the HTTP traffic by setting up IPSec, as described in Section 5.2. (Some
recent versions of IOS can support SSL (HTTPS) for protecting administrative HTTP traffic.
HTTPS is better than plain HTTP, but IPSec is preferred. This guide does not provide
instructions on configuring SSL; consult the Cisco IOS documentation.)
Bootp Server
Bootp is a datagram protocol that is used by some hosts to load their operating system over
the network. Cisco routers are capable of acting as bootp servers, primarily for other Cisco
hardware. This facility is intended to support a deployment strategy where one Cisco router
acts as the central repository of IOS software for a collection of such routers. In practice,
bootp is very rarely used, and offers an attacker the ability to download a copy of a router’s
IOS software. To disable bootp service, use the commands shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no ip bootp server
Central(config)# exit
Configuration Auto-Loading
Cisco routers are capable of loading their startup configuration from local memory or from
the network. Loading from the network is not secure, and should be considered only on a
network that is wholly trusted (e.g. a standalone lab network). Explicitly disable loading the
startup configuration from the network using the commands shown below.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# no boot network
Central(config)# no service config
Central(config)# exit
Central#
PAD Service
The packet assembler/disassembler (PAD) service supports X.25 links. This service is on by
default, but it is not needed unless your router is using X.25. Disable it from global
configuration mode as shown below.
Central(config)# no service pad
Central(config)#
IP Source Routing
Source routing is a feature of IP whereby individual packets can specify routes. This feature is
used in several kinds of attacks. Cisco routers normally accept and process source routes.
Unless a network depends on source routing, it should be disabled on all the net’s routers. The
example below shows how to disable IP source routing.
Central(config)# no ip source-route
Central(config)#
Proxy ARP
Network hosts use the Address Resolution Protocol (ARP) to translate network addresses into
media addresses. Normally, ARP transactions are confined to a particular LAN segment. A
Cisco router can act as intermediary for ARP, responding to ARP queries on selected
interfaces and thus enabling transparent access between multiple LAN segments. This service
is called proxy ARP. Because it breaks the LAN security perimeter, effectively extending a
LAN at layer 2 across multiple segments, proxy ARP should be used only between two LAN
segments at the same trust level, and only when absolutely necessary to support legacy
network architectures.
Cisco routers perform proxy ARP by default on all IP interfaces. Disable it on each interface
where it is not needed, even on interfaces that are currently idle, using the interface
configuration command no ip proxy-arp . The example below shows how to disable proxy
ARP on four Ethernet interfaces.
Central# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 14.1.15.250 YES NVRAM up up
Ethernet0/1 14.2.9.250 YES NVRAM up up
Ethernet0/2 unassigned YES unset down down
Ethernet0/3 unassigned YES unset down down
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth 0/0
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/1
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/2
Central(config-if)# no ip proxy-arp
Central(config-if)# exit
Central(config)# interface eth 0/3
Central(config-if)# no ip proxy-arp
Central(config-if)# end
Central#
IP Directed Broadcast
Directed broadcasts permit a host on one LAN segment to initiate a physical broadcast on a
different LAN segment. This technique was used in some old denial-of-service attacks, and
the default Cisco IOS configuration is to reject directed broadcasts. Explicitly disable directed
broadcasts on each interface using the interface configuration command no ip directed-broadcast
as shown in the example in the next subsection.
IP Unreachables, Redirects, Mask Replies
The Internet Control Message Protocol (ICMP) supports IP traffic by relaying information
about paths, routes, and network conditions. Cisco routers automatically send ICMP messages
under a wide variety of conditions. Three ICMP messages are commonly used by attackers
for network mapping and diagnosis: ‘Host unreachable’, ‘Redirect’, and ‘Mask Reply’.
Automatic generation of these messages should be disabled on all interfaces, especially
interfaces that are connected to untrusted networks. The example below shows how to turn
them off for an interface.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth 0/0
Central(config-if)# no ip unreachables
Central(config-if)# no ip redirects
Central(config-if)# no ip mask-reply
Central(config-if)# no ip directed-broadcast
Central(config-if)# end
Central#
MOP
The Maintenance Operations Protocol (MOP) was used for system utility services in the
DECnet protocol suite. It is enabled by default on Ethernet interfaces in some versions of
IOS. Disable it on each Ethernet interface as shown below.
Central(config)# interface eth 0/0
Central(config-if)# no mop enabled
Central(config-if)# end
NTP Service
Cisco routers and other hosts use the Network Time Protocol (NTP) to keep their time-of-day
clocks accurate and in synchrony. If possible, configure all routers as part of an NTP
hierarchy, as described in Section 4.5. If NTP services are not available on the network, then
disable NTP as shown below.
North# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 14.2.10.20 YES NVRAM up up
Ethernet1/0 14.1.1.250 YES NVRAM up up
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# interface eth 0/0
North(config-if)# ntp disable
North(config-if)# exit
North(config)# interface eth 1/0
North(config-if)# ntp disable
North(config-if)# end
North#
Disabling NTP on an interface will not prevent NTP messages from traversing the router. To
reject all NTP messages at a particular interface, use an access list, as discussed in Section
4.3.
SNMP Services
The Simple Network Management Protocol (SNMP) is the standard Internet protocol for
automated remote monitoring and administration. There are several different versions of
SNMP, with different security properties. If a network has a deployed SNMP infrastructure in
place for administration, then all routers on that network should be configured to securely
participate in it. In the absence of a deployed SNMP scheme, all SNMP facilities on all
routers should be disabled using these steps:
• Explicitly unset (erase) all existing community strings.
• Disable SNMP system shutdown and trap features.
• Disable SNMP system processing.
The example below shows how to disable SNMP by implementing these recommendations. It
starts with listing the current configuration to find the SNMP
community strings; note that SNMP must be enabled in order for the SNMP community
strings to appear in the configuration listing. The configuration listing is often quite long, so
you may want to use IOS output filtering to display only the lines related to SNMP (under
IOS 12.0 and earlier, you must simply list the entire configuration and inspect it visually).
Central# show running-config | include snmp
Building configuration...
snmp-server community public RO
snmp-server community admin RW
Central#
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# ! erase old community strings
Central(config)# no snmp-server community public RO
Central(config)# no snmp-server community admin RW
Central(config)#
Central(config)# ! disable SNMP trap and system-shutdown features
Central(config)# no snmp-server enable traps
Central(config)# no snmp-server system-shutdown
Central(config)# no snmp-server trap-auth
Central(config)#
Central(config)# ! disable the SNMP service
Central(config)# no snmp-server
Central(config)# end
The last command in the example, no snmp-server, shuts down all SNMP processing on the
router. When SNMP processing is shut down, some SNMP configuration statements will not
appear in any listing of the running configuration, but they can still be there! The safest way
to ensure that SNMP is really unavailable to an attacker, and will remain so, is to list the
established SNMP community strings and explicitly unset them as shown above. For
information on setting up and using SNMP securely, see Section 4.5.3.
Router Name and DNS Name Resolution
Cisco IOS supports looking up host names with DNS. By default, IOS sends DNS name
queries to the broadcast address 255.255.255.255. If you do not want your router to send
queries, turn off DNS name resolution as shown below.
North# config t
Enter configuration commands, one per line. End with CNTL/Z.
North(config)# no ip domain-lookup
North(config)# end
If one or more name servers are available on the network, and you want to be able to use
names in IOS commands, then explicitly set the name server addresses using the global
configuration command ip name-server addresses. In general, DNS name resolution should be
enabled on a router only if one or more trustworthy DNS servers are available. It is also a
very good idea to give the router a name, using the
command hostname; the name you give to the router will appear in the prompt. The example
below shows how to set the router name, and set up a main and backup DNS server address
for the router Central.
router# config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)# hostname Central
Central(config)# ip name-server 14.1.1.2 14.2.9.1
Central(config)# ip domain-lookup
Central(config)#
You can also set a default DNS domain name, which will be used as part of the fully-qualified
host name of the router and any unqualified name lookups. Setting a domain name is also
necessary for using SSH (see Section 5.3). To set a domain name, use the config command ip
domain-name domain as shown below.
Central(config)# ! full name of this router: Central.testnet.gov
Central(config)# ip domain-name testnet.gov
Central(config)# end
Central#
4.2.3. Disable Unused Interfaces
It is a good idea to explicitly shut down (disable) unused interfaces on your router. This helps
discourage unauthorized use of extra interfaces, and enforces the need for router
administration privileges when adding new network connections to a router. To disable an
interface, use the command shutdown in interface configuration mode.
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth0/3
Central(config-if)# shutdown
Central(config-if)# end
Central#
4.2.4. Configuration Example
The configuration listing below shows the configuration commands for disabling typical
unneeded services, as described above. This sample is formatted as it would appear in a
configuration text file stored on a host for download to the router Central. For more
information about NTP and SNMP security configuration, see Section 4.5.
! ----- IP and network services section
no cdp run
no ip source-route
no service tcp-small-serv
no service udp-small-serv
no ip finger
no service finger
no ip bootp server
no service pad
no ip http server
no ip name-server
no ip domain-lookup
! ----- Boot control section
no boot network
no service config
! ----- SNMP Section (for totally disabling SNMP)
! disable SNMP trap and system-shutdown features
no snmp-server enable traps
no snmp-server system-shutdown
no snmp-server trap-auth
! turn off SNMP altogether
no snmp-server
! ----- Per-interface services section
interface eth 0/0
description Outside interface to 14.1.0.0/16 net
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip redirect
no mop enabled
ntp disable
interface eth 0/1
description Inside interface to 14.2.9.0/24 net
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip redirect
no mop enabled
ntp disable
interface eth 0/2
description Unused interface
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip redirect
no mop enabled
ntp disable
shutdown
interface eth 0/3
description Unused interface
no ip proxy-arp
no ip directed-broadcast
no ip unreachable
no ip redirect
no mop enabled
ntp disable
shutdown
interface loopback0
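The listing above is what an administrator should see on a hardened router; a practical way to verify it is to check a saved "show running-config" listing against the commands this section recommends. The Python auditor below is an added example, not part of this guide, and assumes the IOS convention that sub-mode commands are indented by one space; the sample configuration it contains is constructed for illustration.

```python
"""Audit 'show running-config' text for the services Section 4.2 says to disable. Added
example, not from the guide. Sub-mode lines must be indented by one space, as IOS prints them."""
# Global-mode commands from the Section 4.2.4 listing.
GLOBAL_REQUIRED = ["no cdp run", "no ip source-route", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip finger", "no service finger",
    "no ip bootp server", "no service pad", "no ip http server", "no boot network",
    "no service config", "no snmp-server enable traps", "no snmp-server system-shutdown",
    "no snmp-server trap-auth", "no snmp-server"]
# Interface-mode commands the guide recommends on every interface, idle ones included.
IFACE_REQUIRED = ["no ip proxy-arp", "no ip directed-broadcast", "no ip unreachables",
    "no ip redirects", "no ip mask-reply", "no mop enabled", "ntp disable"]

def matches(line: str, command: str) -> bool:
    """True if line is command, allowing IOS-style abbreviation of each keyword."""
    got, want = line.split(), command.split()
    return len(got) == len(want) and all(w.startswith(g) for g, w in zip(got, want))

def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split config text into global-mode lines and a per-interface line map."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(line)
        elif not raw.startswith(" "):   # column 0 is global mode; other sub-modes ignored
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def missing(required: list[str], lines: list[str]) -> list[str]:
    """Recommended commands with no matching line. IOS omits default settings from
    listings, so 'missing' means 'not explicitly set', which the guide asks for anyway."""
    return [c for c in required if not any(matches(ln, c) for ln in lines)]

def audit(text: str) -> dict[str, list[str]]:
    """Gaps per section, plus any SNMP community strings still configured."""
    global_lines, interfaces = parse_config(text)
    report = {"global": missing(GLOBAL_REQUIRED, global_lines)}
    for name, lines in interfaces.items():
        report[name] = missing(IFACE_REQUIRED, lines)
    report["community_strings"] = [ln for ln in global_lines
                                   if ln.startswith("snmp-server community")]
    return report

SAMPLE_CONFIG = """\
no service tcp-small-serv
no cdp run
ip http server
snmp-server community public RO
!
interface Ethernet0/0
 no ip proxy-arp
 no ip unreachable
 ntp disable
"""  # constructed sample in the style of the router Central, not a captured listing
```

Run audit() over a real listing and treat every reported gap as a line to add explicitly, and every reported community string as one to unset before issuing no snmp-server.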