Best Practices - Securing a Choke router
[Last Updated: Thursday, 04-Jun-2009 13:30:11 EDT]
The following contains commented examples of global and interface configurations
for a Cisco router that acts as a "choke" device on the inside or outside of
a true firewall device. The ! signifies a commented line in Cisco's notation.
Non-commented lines are the actual configuration syntax as it would be entered on
the Cisco router.
The information supplied in this configuration is in no way guaranteed
or supported by the author to "secure" your network. This is meant to provide
an example of generally accepted configuration practices when securing
routers that provide access to untrusted networks.
DISCLAIMER
No Warranty of any kind is expressed or implied with respect to the information contained in this document!
The information found here is compiled for the convenience of anyone looking for general guidelines and best practices for configuration based on my own professional experience, as well as industry standards.
Use this information at your own risk!
Scott S. 2009
Recommended Global and Interface Configurations
- Disable all non-essential services and features
- Enable global security features
service password-encryption (automatically encrypts configured passwords)
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
logging buffered <50000> debugging
logging console warnings (if you don't log, you can't trace problems)
enable secret <password> (enables the strongest password encryption on the enable password)
username admin password 7 <###########################>
- Disable the following features per interface
- no ip redirects
- no ip unreachables
- no ip directed-broadcast
- no ip mask-reply
- no ip proxy-arp
- no cdp enable (for exterior facing interfaces)
- make sure all other interfaces that are not in use are administratively shut down
- Enable additional features
ip subnet-zero (enables networks on the 0 boundary)
ip classless (allows for CIDR route lookups)
If you are using the IOS Firewall/IDS Feature Set...
ip inspect max-incomplete low 100
ip inspect max-incomplete high 300
ip inspect dns-timeout 8
ip inspect tcp idle-time 7200
ip inspect tcp finwait-time 8
ip inspect tcp max-incomplete host 100 block-time 1
ip inspect name Internet tcp alert on audit-trail on timeout 7200
ip inspect name Internet udp alert on audit-trail on timeout 60
ip inspect name Internet http alert on audit-trail on timeout 120
ip inspect name Internet smtp alert on audit-trail on timeout 30
ip inspect name Internet ftp alert on audit-trail on timeout 120
ip inspect name Internet fragment maximum 250 timeout 15
ip audit attack action alarm drop
ip audit notify log
ip audit po max-events 50
ip audit protected x.y.z.0 to x.y.z.255
ip audit smtp spam 100
ip audit name Internet attack action alarm drop
Apply access-lists, inspect rules, and audit rules per interface as necessary
to restrict the traffic to only the required communication (see the links above
for information on access-list configuration)
interface fastethernet 1/0
ip access-group 101 out
ip access-group 102 in
ip inspect Internet out
ip audit Internet in
- clock timezone <cst -6> (an accurate clock makes security logs more useful with timestamps)
- clock summer-time <cdt> recurring
- NTP is the key to a synchronized clock, which is highly recommended for accurate timestamping of log entries
ntp update-calendar
ntp server <ip address of a high stratum synchronized ntp server>
! Public NTP Servers
ntp peer <ip address of local peer device>
- If SNMP is a requirement...
snmp-server community <string> RO 10 (secures snmp control by access list 10)
Otherwise use...
no snmp-server
- Add ip addresses of only the hosts that need snmp access to the router to access-list 10
- Use the banner command to state the obvious precautions upon login as a legal disclaimer
banner motd ^CC
Property of
Your Company Name
Unauthorized Use Prohibited
For more information, contact:
^C
- Console configuration - use exec-timeout to log out idle users after 5 minutes
line con 0
exec-timeout 5 0
password 7 <######>
login authentication no_tacacs !if you are using aaa commands
login local
transport input none
line aux 0
exec-timeout 5 0
password 7 <#######>
login authentication no_tacacs !if you are using aaa commands
login local
modem InOut
transport input all
stopbits 1
speed 19200
flowcontrol hardware
line vty 0 4
access-class 50 in
exec-timeout 5 0
password 7 <########>
login authentication tacacs !if you have TACACS setup with aaa commands
login local
transport input telnet
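The checklist above (the global security features, the per-interface "no ip ..." settings, and the console, aux and vty line settings) is easy to drift away from over the life of a router. The following Python script is an added example, not part of the original page, that audits the text of a saved running-config against those items and reports what is missing. The sample configuration inside it is constructed for the demonstration and is not from any real device; the addresses, the ACL number and the `<placeholder-hash>` are made-up values. It assumes the per-interface lines appear verbatim as the checklist shows them; on IOS images where one of them is a hidden default, audit the output of `show running-config all` instead.

```python
# Added example (not from the original page): audit a saved IOS running-config
# against the choke-router checklist. SAMPLE_CONFIG is constructed for the demo.
# Assumption: per-interface hardening lines are shown verbatim; where a setting
# is a hidden default on your image, feed it 'show running-config all' output.

REQUIRED_GLOBAL = [
    "service password-encryption",
    "service timestamps debug datetime msec localtime show-timezone",
    "service timestamps log datetime msec localtime show-timezone",
    "service tcp-keepalives-in", "ip subnet-zero", "ip classless",
]
# Matched by prefix because the rest of the line is site-specific.
REQUIRED_GLOBAL_PREFIX = ["enable secret", "logging buffered", "ntp server", "banner motd"]
REQUIRED_IFACE = ["no ip redirects", "no ip unreachables", "no ip directed-broadcast",
                  "no ip mask-reply", "no ip proxy-arp"]

SAMPLE_CONFIG = """\
service password-encryption
service timestamps log datetime msec localtime show-timezone
logging buffered 50000 debugging
enable secret 5 <placeholder-hash>
ip subnet-zero
ip classless
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no ip proxy-arp
interface Serial0/0
 no ip address
access-list 50 permit 10.0.0.0 0.0.0.255
ntp server 192.0.2.123
banner motd ^CC
Unauthorized Use Prohibited
^C
line con 0
 exec-timeout 5 0
 login local
 transport input none
line aux 0
 exec-timeout 0 0
 login local
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
 login local
 transport input telnet
"""


def parse_config(text):
    """Return [(header, [child lines])]. Unindented lines open a block, indented
    lines belong to it, '!' comments are dropped, banner bodies are skipped."""
    blocks, in_banner = [], False
    for raw in text.splitlines():
        if in_banner:                       # skip banner text up to the closing ^C
            in_banner = raw.strip() != "^C"
            continue
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
            in_banner = line.startswith("banner ")
    return blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_config(text)
    headers = [h for h, _ in blocks]
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in headers]
    findings += [f"global: no '{p} ...' configured" for p in REQUIRED_GLOBAL_PREFIX
                 if not any(h.startswith(p) for h in headers)]
    for header, kids in blocks:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if "shutdown" in kids:
                continue                    # an unused interface that is shut down is fine
            if not any(k.startswith("ip address ") for k in kids):
                findings.append(f"{name}: unused interface is not shut down")
                continue
            findings += [f"{name}: missing '{c}'" for c in REQUIRED_IFACE if c not in kids]
        elif header.startswith("line "):
            name = header[5:]
            timeout = next((k for k in kids if k.startswith("exec-timeout")), None)
            if timeout is None:
                findings.append(f"line {name}: no exec-timeout")
            elif timeout.split()[1:] and all(f == "0" for f in timeout.split()[1:]):
                findings.append(f"line {name}: exec-timeout 0 0 never logs out idle sessions")
            if not any(k.startswith("login") for k in kids):
                findings.append(f"line {name}: no login required")
            transport = next((k for k in kids if k.startswith("transport input")), None)
            if name.startswith("vty"):
                if not any(k.startswith("access-class ") and k.endswith(" in") for k in kids):
                    findings.append(f"line {name}: no inbound access-class")
                if transport is None or transport.endswith(" all"):
                    findings.append(f"line {name}: transport input not restricted")
            elif name.startswith("con") and transport != "transport input none":
                findings.append(f"line {name}: console should use 'transport input none'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the missing debug timestamps and TCP keepalives, the two hardening lines absent from FastEthernet0/0, the Serial0/0 interface that has no address but is not shut down, and the aux line whose `exec-timeout 0 0` disables the idle timeout; FastEthernet0/1 and the vty lines pass. The banner handling matters in practice: the banner body sits unindented between the `banner motd ^CC` line and the closing `^C`, so a naive line-by-line parser would read it as global commands.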
- IOS version
- Make sure you are running a version of IOS that is stable and is patched
for all of the latest network bugs.