Someone had made a request for information on router security.. specifically Cisco routers (obviously). Quite often routers get overlooked when the network is being secured. This happens due to two reasons :
Firstly a lot of admins are only comfortable with setting up the basic routing procedure, leave alone the more esoteric settings that you can use to lock down the router. Secondly, people say 'what can anyone do with a router'. You'd be surprised how much can be done with a router...its your network infrastructure we're talking about ! So here goes :
For those of you who don't have the time to consider each of these options, I would personally recommend a couple of things you should definetely do.
First off, make sure your user mode / enable passwords are strong. or use RADIUS / TACACS authentication. For god's sake change the default password from 'cisco'.
Second, create an access-list for machines allowed to telnet to the router. Something along the lines of :
access-list 10 permit 192.168.10.1
line vty 0 4
access-class 10 in
That will allow telnet access only to the IP 192.168.10.1 which would logically be your administrative machine. If you want you could use extended access lists and specifically allow telnet and log any connections. This will make sure that nobody across the Internet can just telnet right up to your router.
You should also seriously consider logging. I would recommend you log to an external syslog server. However I'm not going to cover logging options in this post, its long enough already. Follow the links I have provided above.
Lastly, a lot of Cisco routers come with an HTTP server that allows you to administer them through a webpage. If you're not using this facility, make sure its turned off.
Remember your routers are what make that fancy network of yours work, they are critical infrastructure and need to be considered very seriously when securing the network.
On a side note you can manage the routers using SSH rather than Telnet. Since SSH is encrypted, nobody can sniff your password the way a telnet password can be sniffed in cleartext.
(Well if you really want to know, there are ways to sniff an SSH1 session.. but as tfs would say -- 'Everyone has to start with baby steps' )
I typed this one up pretty quickly, so let me know if something is unclear.
This is my first post to Firewall.cx so let me start off by saying hi!
I'm glad that sahirh posted this topic about router security...Cisco in particular is the only brand routers I have so far dealt with other than a SOHO D-Link ADSL Router... I'm not a CCNA yet but in less than a week that might change. Anyway I have been programming routers for an exceptional amount of time, well more time than the CCNA course requires (I'm really good friends with my teach so each day throughout the corse I've been using the routers), and its amazing how much the security of the routers have been overlooked.
Probably the funniest ones are people trying to set ACLs, they place them only on one of the routers interfaces, and forget that the router has multiple interfaces that can be accessed so therefore making the ACL useless.
Also as you mentioned above about the routers HTTP server, I think its one of the tools of the devil, when someone has been accessing a router and looking at its running-config, I was able to easily enough work offline and get all the details of the running-config of the router from a Windows workstation. Not very secure indeed.
Even tho sahirh's post was much more enlightening (I've read lot's of your posts sahirh and their very informative :wink: ) I just wanted to post my views on it from a starting point of security, and also wanted to say Hi!
Re: Cisco Router Security
15 years 3 weeks ago #1838
Heya Neon, welcome to the site ! Hope we'll see you become a regular and post often
I'm glad you liked the information, theres quite a bit of security stuff all over the site, especially in this forum.. we're also working on a few security articles that will be put up in the regular material section, that way people wont have to trawl through the forums to find stuff.
You're 100% correct about ACLs, alot of people get confused with them, especially when they have to deal with a complicated mask.. I really cant figure why Cisco insisted on matching zeros rather than ones... !!
I think most people cut their teeth on Cisco hardware.. I sure as hell I know I did... Mr.Chambers really has my respect