
Cisco Router Security

20 years 5 months ago #1804 by sahirh
Cisco Router Security was created by sahirh
Someone had made a request for information on router security.. specifically Cisco routers (obviously). Quite often routers get overlooked when the network is being secured. This happens due to two reasons :

Firstly a lot of admins are only comfortable with setting up the basic routing procedure, let alone the more esoteric settings that you can use to lock down the router. Secondly, people say 'what can anyone do with a router'. You'd be surprised how much can be done with a router... it's your network infrastructure we're talking about ! So here goes :

Hardening Cisco routers :
www.cisco.com/warp/public/707/21.html (from the men themselves - this will cover most material :))
www.cscug.org/Presentations/Cisco_Hardening.ppt

Exploiting Cisco routers :
www.securityfocus.com/infocus/1734 (very nice article)

For those of you who don't have the time to consider each of these options, I would personally recommend a couple of things you should definitely do.

First off, make sure your user mode / enable passwords are strong, or use RADIUS / TACACS authentication. For god's sake change the default password from 'cisco'.

Second, create an access-list for machines allowed to telnet to the router. Something along the lines of :

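[code:1]
conf t
! standard ACL 10: permit only the administrative host
access-list 10 permit 192.168.10.1
line vty 0 4
 login
 ! apply ACL 10 to inbound sessions on the VTY lines
 access-class 10 in
^Z
[/code:1]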

That will allow telnet access only to the IP 192.168.10.1 which would logically be your administrative machine. If you want you could use extended access lists and specifically allow telnet and log any connections. This will make sure that nobody across the Internet can just telnet right up to your router.

You should also seriously consider logging. I would recommend you log to an external syslog server. However I'm not going to cover logging options in this post, it's long enough already. Follow the links I have provided above.

Lastly, a lot of Cisco routers come with an HTTP server that allows you to administer them through a webpage. If you're not using this facility, make sure it's turned off.

Remember your routers are what make that fancy network of yours work, they are critical infrastructure and need to be considered very seriously when securing the network.

On a side note you can manage the routers using SSH rather than Telnet. Since SSH is encrypted, nobody can sniff your password the way a telnet password can be sniffed in cleartext.

(Well if you really want to know, there are ways to sniff an SSH1 session.. but as tfs would say -- 'Everyone has to start with baby steps' ;))

I typed this one up pretty quickly, so let me know if something is unclear.

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
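
An added example, not part of the original post: a small Python audit of a saved running-config for the items recommended above (default 'cisco' password, VTY access-class, Telnet on VTY lines, HTTP server, remote syslog). The sample config, the finding names and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
enable password cisco
ip http server
access-list 10 permit 192.168.10.1
line con 0
 password cisco
line vty 0 4
 login
 transport input telnet
line vty 5 15
 login
 access-class 10 in
 transport input ssh
"""

def parse_blocks(config):
    """Split config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit(config):
    """Return a sorted list of findings for the checks named in the post."""
    findings = set()
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]
    if "ip http server" in top:  # "no ip http server" does not match
        findings.add("http-server-enabled")
    if not any(re.match(r"logging (host )?\d", t) for t in top):
        findings.add("no-remote-syslog")
    for head, subs in blocks:
        for line in [head] + subs:
            if re.search(r"\b(password|secret)( 0)? cisco$", line):
                findings.add(f"default-password: {head}")
        if head.startswith("line vty"):
            if not any(re.match(r"access-class \S+ in", s) for s in subs):
                findings.add(f"no-access-class: {head}")
            if any(s.startswith("transport input") and re.search(r"\b(telnet|all)\b", s) for s in subs):
                findings.add(f"telnet-allowed: {head}")
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` flags the first VTY range but not `line vty 5 15`, which is the case where an ACL is applied to some VTY lines and forgotten on others.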
20 years 5 months ago #1836 by Neon
Replied by Neon on topic RE: Cisco Router Security
This is my first post to Firewall.cx so let me start off by saying hi!

I'm glad that sahirh posted this topic about router security... Cisco in particular is the only brand of routers I have so far dealt with other than a SOHO D-Link ADSL Router... I'm not a CCNA yet but in less than a week that might change. Anyway I have been programming routers for an exceptional amount of time, well more time than the CCNA course requires (I'm really good friends with my teach so each day throughout the course I've been using the routers), and it's amazing how much the security of the routers has been overlooked.

Probably the funniest ones are people trying to set ACLs, they place them only on one of the router's interfaces, and forget that the router has multiple interfaces that can be accessed so therefore making the ACL useless.

Also as you mentioned above about the router's HTTP server, I think it's one of the tools of the devil, when someone has been accessing a router and looking at its running-config, I was able to easily enough work offline and get all the details of the running-config of the router from a Windows workstation. Not very secure indeed.

Even though sahirh's post was much more enlightening (I've read lots of your posts sahirh and they're very informative :wink: ) I just wanted to post my views on it from a starting point of security, and also wanted to say Hi!
20 years 5 months ago #1838 by sahirh
Replied by sahirh on topic Re: Cisco Router Security
Heya Neon, welcome to the site ! Hope we'll see you become a regular and post often :)

I'm glad you liked the information, there's quite a bit of security stuff all over the site, especially in this forum.. we're also working on a few security articles that will be put up in the regular material section, that way people won't have to trawl through the forums to find stuff.

You're 100% correct about ACLs, a lot of people get confused with them, especially when they have to deal with a complicated mask.. I really can't figure why Cisco insisted on matching zeros rather than ones... !!

I think most people cut their teeth on Cisco hardware.. I sure as hell know I did... Mr. Chambers really has my respect ;)

Oh while we're on the topic of access-lists, this might help the unenlightened :
www.firewall.cx/sahirh/docs/accesslist.html

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 5 months ago #1868 by sahirh
Replied by sahirh on topic Re: Cisco Router Security
While on the topic of Cisco security.. what was that bug in the HTTP server.. really stupid thing.. it was something like

http://ip-of-router/exec/XX/show-running-config

where you replaced XX with a number < 20... and then it would just pop the running conf into your browser window.. enable password / secret hash visible as well.

Anyone remember anything about it ? I have used it once, but just can't recall the details of the URL...

That should teach you that HTTP is for looking at pretty webpages, not configuring network infrastructure ;)

Cheers.

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 5 months ago #1876 by Neon
Replied by Neon on topic Re: Cisco Router Security
I know what you are talking about, I have seen it done before where the URL can be directed to the router's configuration files...

I can't exactly remember where to get it, but I know it was from a security site that had a horizontal toolbar at the top and it had selections for Windows, Linux and all this other security stuff.

I know it’s not a very good description but you might know which site I'm talking about, I actually got the URL from somewhere around here. If I find it I'll post it in here.
20 years 4 months ago #1917 by sahirh
Replied by sahirh on topic Re: Cisco Router Security
Oh btw, part II of the securityfocus article on exploiting Cisco routers is out. Nicely written follow-up to the article in my first post.
Here's the link
Exploiting Cisco Routers Part II

The first article is
Exploiting Cisco Routers Part I

Cheers,

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com