Problem solve Get help with specific problems with your technologies, process and projects.

Protecting your border routers

This first article in our Weakest Link series tells what should be included in the config file for your Cisco border routers.

By Luis F. Medina 

You're the IT manager and have concerns about the security of your network. You've installed an access control list (ACL) on your perimeter routers; you've implemented a firewall with a good policy; you've even set up an Intrusion Detection System (IDS), an anti-virus system, and applied all of the required patches and security hotfixes to protect your network from hackers, right? If you're confident that you have covered all of your bases, think again!

Network security is a perennial task that requires ongoing modifications and appropriate adjustments to combat new forms of attacks. In the absence of security, there is opportunity for intrusion. The focus of this series is to address the weak links in your network, and the security risks overlooked by experienced network managers. Join me on a journey to explore and identify the security vulnerabilities in your network.

We begin the series with protecting your Cisco border routers. Since this is your company's first line of defense, it makes sense to start here. However, check with your hosting provider to see if they can add an access list on their router (which provides the Internet uplink) to your perimeter router. Have them block any port that your company does not require. The farther (hops) away from your network the filtering is done, the less traffic on your network. Avoid using default ports whenever possible and disable unnecessary protocols, whether it's at Layer 2 (e.g., CDP) or any other layer of the OSI model.

Now let us get technical, or as Emeril would say, "kick it up a notch." (As a member of SearchNetworking, you're experienced and understand ports, access lists, etc., but if you can find just one weak link, then this series will have been worth your time. After all, your network security is only as strong as your weakest link.) How confident are you with the existing configuration of your Cisco router? If your startup-config file lacks the services or rules in the sample configuration file listed below, then you have found your first weak link.

Although I don't consider an outdated IOS version (e.g. 12.5) to be a security issue -- it's been my experience new releases are sometimes unreliable or include security holes -- if your existing version has known security issues, then you should look into the next stable IOS version. In either case, you should keep a copy of your running-config file in another location to fall back on, if necessary.

Let's examine the sample config file. Only security related sections will be covered, therefore this is a partial file; it assumes you understand how to install an access list.

Tip #1 
Deny all VTY's. Disable outside access (even to restricted hosts) to your router's external and internal interfaces. Your router will still accept a session on port 23 on the inside interface, unless you block outside telnet to both interfaces. Use a VPN or dial-up connection to your network, and then access your router from inside. Limit access to your router to one or two internal hosts that are not exposed to the Internet.

! Sample config file with access-list 112 for inbound packet filtering
! Enable only the services that are absolutely required; disable all others
! Although some services are enabled by default, understand the role of each service
service password-encryption ! Uses basic algorithm to encrypt enable password

! Avoid using these services (DEC): Discard, Echo, and Chargen.
no service tcp-small-servers
no service udp-small servers

! Disable finger and Cisco discovery protocol (router sends info about itself)
no service finger
no cdp running
no cdp enable

! Make sure you disable http and SNMP access for remote configuration and monitoring
! Encrypt your password, disable http to your router, and define your syslog server
enable secret 5 <password> ! Uses MD5 password hashing for admin access
no ip http server ! Unless you want to send cleartext password, or the equivalent 
logging <syslog server> ! If you haven't set up a server, Kiwi Syslogd is pretty good

! Don't even think about installing an access-list if this line is not one of your rules
! This rule allows inbound access only when the connection is initiated from inside
access-list 112 permit tcp any <your network> <inverted mask> established log 

! This rule allows domain name resolution so users can browse the Internet
! If possible, limit this rule to your ISP's DNS servers
access-list 112 permit udp any eq domain any log

! Restrict pings from specific outside hosts to your servers
! The implicit deny rule in effect when you use an access list will deny other icmp types
access-list 112 permit icmp host <outside host> host <your server> echo log

! It's important to note that some services such as FTP use more than one TCP port
! If you have to use FTP, change default ports of 21 and 20 (data) whenever possible
access-list 112 permit tcp any host <your server> eq 443 log

! The firewall adds an implicit deny rule after your permit rules; no need to add this line
! When limiting inbound access, make sure you open up the appropriate ports for VPN
access-list 112 deny ip any any

Tip #2
Avoid the too-many-hands-in-the-cookie-jar syndrome. Restrict admin roles to one or two administrators and define the IP address of no more than two hosts that can access the router. These hosts should not run any public services or be exposed to the Internet. Obviously, good password management will protect your router against unauthorized access by inside users, but not if physical (console port) access to the router is available. A quick reboot and then the BREAK signal provides the inside culprit with control to your router.

Since you are not allowing external access to your router via Telnet, HTTP, or SNMP, it is less likely that a packet sniffer will obtain your passwords or network information. The more you protect against using unencrypted sessions over the Internet, the less likely it is for a potential intruder to hijack your connections and, ultimately, your router.

As you know, some protocols and services or applications are inherently insecure and pose a security risk to the company, your network, and your career. Ask yourself if you or your superiors are prepared to deal with the consequences associated with a security threat. To reiterate, in the absence of security, there is an opportunity for intrusion.

Did you pass the test? Does your config file already include the above rules? If yes, kudos! In our next issue, we'll wrap up the "Protecting your border routers" portion of the Weakest Link series by addressing anti-spoofing, anti-denial of service (DoS) attacks, and anti-worm.

It's been my experience that experienced IT professionals have often overlooked some of these basic steps. If you're serious about security, you must pay attention to details and leave no room for hackers.

Did this article bring any potential weak links in your network to light? Write to Luis and let him know.

This was last published in June 2002

Dig Deeper on Network Security Best Practices and Products