Securing outgoing network traffic and scrutinizing incoming traffic are critical aspects of network security. Securing the edge router, which connects to the outside network, is an important first step in securing the network.
Device hardening is an essential task that must never be overlooked. It involves implementing proven methods for physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Router and Security Device Manager (SDM). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Because not all information technology personnel should have the same level of access to the infrastructure devices, defining administrative roles in terms of access is another important aspect of securing infrastructure devices.
Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined.
Many router services are enabled by default. A number of these features are enabled for historical reasons but are no longer required today. This chapter discusses some of these services and examines router configurations with the Security Audit feature of Cisco SDM. This chapter also examines the one-step lockdown Cisco SDM feature and the auto secure command, which can be used to automate device hardening tasks.
Secure the physical installation of and the administrative access to Cisco routers based on different network requirements using the CLI and SDM.
Configure administrative roles using privilege levels and role-based CLI.
Implement the management and reporting features of syslog, SNMP, SSH, and NTP.
Examine router configurations with the Security Audit feature of Cisco SDM, and make the router and network more secure by using the auto secure command or the One-Step Lockdown feature of Cisco SDM.
Securing the network infrastructure is critical to overall network security. The network infrastructure includes routers, switches, servers, endpoints, and other devices.
Consider a disgruntled employee casually looking over the shoulder of a network administrator while the administrator is logging in to an edge router. This is known as shoulder surfing, and it is a surprisingly easy way for an attacker to gain unauthorized access. If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices. Although all infrastructure devices are at risk, routers are a primary target for network attackers. This is because routers act as traffic police, directing traffic into, out of and between networks. The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router; therefore, it often functions as the first and last line of defense for a network. Through initial and final filtering, the edge router helps to secure the perimeter of a protected network. It is also responsible for implementing security actions that are based on the security policies of the organization. For these reasons, securing network routers is imperative.
The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router as the first line of defense in a defense-in-depth approach.
Single Router Approach
In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device. This is more commonly deployed in smaller site implementations such as branch and SOHO sites. In smaller networks, the required security features can be supported by ISRs without impeding the router's performance capabilities.
Defense-in-Depth Approach
A defense-in-depth approach is more secure than the single router approach. In this approach, the edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall.
The second line of defense is the firewall. The firewall typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a chokepoint device.
The edge router has a set of rules specifying which traffic it allows and denies. By default, the firewall denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network. However, it allows the internal users to establish connections to the untrusted networks and permits the responses to come back through the firewall. It can also perform user authentication (authentication proxy) where users must be authenticated to gain access to network resources.
DMZ Approach
A variation of the defense-in-depth approach is to offer an intermediate area, often called the demilitarized zone (DMZ). The DMZ can be used for servers that must be accessible from the Internet or some other external network. The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network, or simply be an additional port off of a single router. The firewall, located between the protected and unprotected networks, is set up to permit the required connections (for example, HTTP) from the outside (untrusted) networks to the public servers in the DMZ. The firewall serves as the primary protection for all devices on the DMZ. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.
(The focus of this course is on ISR security features, including explanations of how to configure these features. With respect to the Cisco Adaptive Security Appliance (ASA), the discussion is limited to design implementation in this course. For ASA device configuration, see www.cisco.com.)
There are two ways to access a device for administrative purposes, locally and remotely.
All network infrastructure devices can be accessed locally. Local access to a router usually requires a direct connection to a console port on the Cisco router using a computer that is running terminal emulation software.
Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. The computer can be on the same subnet or a different subnet. Some remote access protocols send the data, including usernames and passwords, to the router in plaintext. If an attacker can collect network traffic while an administrator is remotely logged in to a router, the attacker can capture passwords or router configuration information.
For this reason, it is preferable to allow only local access to the router. However, remote access might still be necessary. When accessing the network remotely, a few precautions should be taken:
Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH. Or instead of using HTTP, use HTTPS.
Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.
These precautions are valuable, but they do not protect the network completely. Other lines of defense must also be implemented. One of the most basic and important is the use of a secure password.
Attackers deploy various methods of discovering administrative passwords. They can shoulder surf, attempt to guess passwords based on the user's personal information, or sniff TFTP packets containing plaintext configuration files. Attackers can also use tools such as L0phtCrack and Cain & Abel to attempt brute force attacks and guess passwords.
To protect assets such as routers and switches, follow these common guidelines for choosing strong passwords. These guidelines are designed to make passwords less easily discovered by intelligent guessing and cracking tools:
Use a password length of 10 or more characters. The longer, the better.
Make passwords complex. Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces.
Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, biographical information such as birthdates, ID numbers, and ancestor names, or other easily identifiable pieces of information.
Deliberately misspell a password. For example, Smith = Smyth = 5mYth or Security = 5ecur1ty.
Change passwords often. If a password is unknowingly compromised, the window of opportunity for the attacker to use the password is limited.
Do not write passwords down and leave them in obvious places such as on the desk or monitor.
On Cisco routers and many other systems, leading spaces in a password are ignored, but spaces after the first character are not. Therefore, one method to create a strong password is to use the space bar in the password and create a phrase made of many words. This is called a pass phrase. A pass phrase is often easier to remember than a simple password. It is also longer and harder to guess.
Administrators should ensure that strong passwords are used across the network. One way to accomplish this is to use the same cracking and brute force attack tools that attackers use as a way to verify password strength.
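One way to apply the guidelines above before a password ever reaches a router is a small policy checker. The Python below is an added example, not part of the course or of any Cisco tool: it encodes the rules from the list (length of 10 or more, a mix of character classes, no repeated or sequential runs, no dictionary words, usernames or biographical tokens) and strips leading spaces the way the text says IOS does, so a pass phrase is judged on its remaining characters. The word list and the sample passwords are constructed; the function and constant names are my own.

```python
import string

# Constructed stand-in for the word lists a cracking tool would try; a real
# check would load a full dictionary plus the organisation's own terms.
COMMON_WORDS = {"password", "cisco", "lab", "admin", "router", "secret",
                "security", "letmein", "qwerty", "smith"}

def has_run(pw: str, length: int = 4) -> bool:
    """True if pw contains `length` identical characters in a row or an
    ascending/descending sequence of that length (aaaa, abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def check_password(pw: str, username: str = "", personal: tuple = ()) -> list:
    """Return the guideline violations for pw; an empty list means it passes.
    `personal` holds biographical tokens (birth year, pet name, ID number)."""
    pw = pw.lstrip(" ")  # IOS ignores leading spaces but keeps interior ones
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation or c == " " for c in pw),  # symbols and spaces
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if has_run(pw):
        problems.append("contains a repeated or sequential run")
    low = pw.lower()
    # Dictionary words, the username and personal data of 4+ characters are
    # all things a guessing tool tries first.
    tokens = COMMON_WORDS | {username.lower()} | {p.lower() for p in personal}
    for t in sorted(tokens):
        if len(t) >= 4 and t in low:
            problems.append(f"contains guessable token '{t}'")
    return problems

if __name__ == "__main__":
    samples = ["cisco", "Abcd123456", "   Secur1ty1984!", "Correct Horse 42 Battery!"]
    for candidate in samples:
        verdict = check_password(candidate, username="jsmith", personal=("1984",))
        print(repr(candidate), verdict or "ok")
```

The pass phrase in the last sample passes every rule, while the leading-space example is rejected only because it embeds the birth year passed in as personal data, which is exactly the kind of token the guidelines warn against.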
Many access ports require passwords on a Cisco router, including the console port, auxiliary port, and virtual terminal connections. Password management in a large network should be maintained using a central TACACS+ or RADIUS authentication server such as the Cisco Secure Access Control Server (ACS). All routers must be configured with the user and privileged EXEC passwords. A local username database is also recommended as backup if access to an authentication, authorization, and accounting (AAA) server is compromised. Using a password and assigning privilege levels is a simple way to provide terminal access control in a network. Passwords must be established for privileged EXEC mode access and individual lines such as the console and auxiliary lines.
Enable Secret Password
The enable secret password global configuration command restricts access to privileged EXEC mode. The enable secret password is always hashed inside the router configuration using a Message Digest 5 (MD5) hashing algorithm. If the enable secret password is lost or forgotten, it must be replaced using the Cisco router password recovery procedure.
Console Line
By default, the console port does not require a password for administrative access; however, a line-level password should always be configured on the console port. Use the line console 0 command followed by the login and password subcommands to require login and establish a login password on the console line.
Virtual Terminal Lines
By default, Cisco routers support up to five simultaneous virtual terminal (vty) sessions for Telnet or SSH. On the router, the vty ports are numbered from 0 through 4. Use the line vty 0 4 command followed by the login and password subcommands to require login and establish a login password on incoming Telnet sessions.
Auxiliary Line
By default, Cisco router auxiliary ports do not require a password for remote administrative access. Administrators sometimes use this port to remotely configure and monitor the router using a dialup modem connection.
To access the auxiliary line use the line aux 0 command. Use the login and password subcommands to require login and establish a login password on incoming connections.
By default, with the exception of the enable secret password, all Cisco router passwords are stored in plain text within the router configuration. These passwords can be viewed with the show running-config command. Sniffers can also see these passwords if the TFTP server configuration files traverse an unsecured intranet or Internet connection. If an intruder gains access to the TFTP server where the router configuration files are stored, the intruder is able to obtain these passwords.
To increase the security of passwords, the following should be configured:
Enforce minimum password lengths.
Disable unattended connections.
Encrypt all passwords in the configuration file.
Minimum Character Length
Beginning with Cisco IOS Release 12.3(1), administrators can set the minimum character length for all router passwords from 0 to 16 characters using the global configuration command security passwords min-length length. It is strongly recommended that the minimum password length be set to at least 10 characters to eliminate common passwords that are short and prevalent on most networks, such as "lab" and "cisco".
This command affects user passwords, enable secret passwords, and line passwords that are created after the command is executed. Existing router passwords remain unaffected. Any attempt to create a new password that is less than the specified length fails and results in an error message similar to the following:
Password too short - must be at least 10 characters. Password configuration failed.
Disable Unattended Connections
By default, an administrative interface stays active and logged in for 10 minutes after the last session activity. After that, the interface times out and logs out of the session.
If an administrator is away from the terminal while the console connection is active, an attacker has up to 10 minutes to gain privilege level access. It is recommended that these timers be fine-tuned to limit the amount of time to within a two or three minute maximum. These timers can be adjusted using the exec-timeout command in line configuration mode for each of the line types that are used.
It is also possible to turn off the exec process for a specific line, such as on the auxiliary port, using the no exec command within the line configuration mode. This command allows only an outgoing connection on the line. The no exec command allows you to disable the EXEC process for connections which may attempt to send unsolicited data to the router.
Encrypt All Passwords
By default, some passwords are shown in plaintext, meaning not encrypted, in the Cisco IOS software configuration. With the exception of the enable secret password, all other plaintext passwords in the configuration file can be encrypted in the configuration file using the service password-encryption command. This command encrypts current and future plaintext passwords in the configuration file into ciphertext. To stop encrypting passwords, use the no form of the command. Only passwords created after the no command is issued will be unencrypted. Existing passwords that have been previously encrypted will remain so.
The service password-encryption command is primarily useful for keeping unauthorized individuals from viewing passwords in the configuration file. The algorithm used by the service password-encryption command is simple and can be easily reversed by someone with access to the encrypted ciphertext and a password-cracking application. For that reason, this command should not be used with the intention to protect configuration files against serious attacks.
The enable secret command is far more secure because it hashes the password using MD5, which is a stronger algorithm.
Assigning passwords and local authentication does not prevent a device from being targeted for attack. DoS attacks flood a device with so many connection requests that the device might not provide normal login service to legitimate system administrators. A dictionary attack, which is used to gain administrative access to a device, floods a device with thousands of username and password combinations. The end result is much the same as a DoS attack, in that the device cannot process legitimate user requests. The network needs to have systems in place to detect and help prevent these attacks.
By enabling a detection profile, a network device can be configured to react to repeated failed login attempts by refusing further connection requests (login blocking). This block can be configured for a period of time, which is called a quiet period. Legitimate connection attempts can still be permitted during a quiet period by configuring an access control list (ACL) with the addresses that are known to be associated with system administrators.
The Cisco IOS login enhancements feature allows Cisco IOS devices to be better secured when creating a virtual connection, such as Telnet, SSH, or HTTP, by slowing down dictionary attacks and stopping DoS attacks. To better configure security for virtual login connections, the login process should be configured with specific parameters:
Delays between successive login attempts
Login shutdown if DoS attacks are suspected
Generation of system logging messages for login detection
These enhancements do not apply to console connections. It is assumed that only authorized personnel have physical access to the devices.
All login enhancement features are disabled by default. Use the login block-for command to enable login enhancements.
The login block-for feature monitors login device activity and operates in two modes:
Normal mode (watch mode) - The router keeps count of the number of failed login attempts within an identified amount of time.
Quiet mode (quiet period) - If the number of failed logins exceeds the configured threshold, all login attempts using Telnet, SSH, and HTTP are denied.
When quiet mode is enabled, all login attempts, including valid administrative access, are not permitted. However, to provide critical hosts access at all times, this behavior can be overridden using an ACL. The ACL must be created and identified using the login quiet-mode access-class command.
By default, Cisco IOS devices can accept connections, such as Telnet, SSH, and HTTP, as quickly as they can be processed. This makes devices susceptible to dictionary attack tools, such as Cain or L0phtCrack, which are capable of thousands of password attempts per second. The login block-for command invokes an automatic delay of 1 second between login attempts. Attackers have to wait 1 second before they can try a different password.
This delay time can be changed using the login delay command. The login delay command introduces a uniform delay between successive login attempts. The delay occurs for all login attempts, including failed or successful attempts.
The login block-for, login quiet-mode access-class, and login delay commands help block failed login attempts for a limited period of time but cannot prevent an attacker from trying again. How can an administrator know when someone tries to gain access to the network by guessing the password?
The command auto secure enables message logging for failed login attempts. Logging successful login attempts is not enabled by default.
These commands can be used to keep track of the number of successful and failed login attempts.
login on-failure log generates logs for failed login requests.
login on-success log generates log messages for successful login requests.
As an alternative, the security authentication failure rate threshold-rate log command generates a log message when the login failure rate is exceeded.
To verify that the login block-for command is configured and which mode the router is currently in, use the show login command. The router is in either normal or quiet mode, depending on whether login thresholds were exceeded.
The show login failures command displays more information regarding the failed attempts, such as the IP address from which the failed login attempts originated.
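To make the watch-mode and quiet-mode behaviour concrete, here is a small Python model of the login block-for logic. It is an added illustration, not code from Cisco IOS or from the course: it reproduces only what the text describes (counting failures inside the within window, a quiet period during which connections are refused unless the source matches the quiet-mode ACL, a uniform login delay, and success/failure logging). The attempt stream, the addresses, the log line format and the class and field names are all constructed for this example and are not IOS output.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class LoginPolicy:
    """Mirrors: login block-for BLOCK_FOR attempts ATTEMPTS within WITHIN,
    login delay DELAY, and the login quiet-mode access-class prefixes."""
    block_for: int = 120
    attempts: int = 3
    within: int = 60
    delay: int = 1
    quiet_acl: List[str] = field(default_factory=list)  # CIDR prefixes of admin hosts

@dataclass
class Attempt:
    t: float      # seconds since start (constructed timestamps)
    src: str      # source address of the Telnet/SSH/HTTP connection
    ok: bool      # whether the presented credentials are correct

class LoginGuard:
    def __init__(self, policy: LoginPolicy):
        self.p = policy
        self.failures: List[float] = []        # failure times inside the watch window
        self.quiet_until: Optional[float] = None
        self.last: Optional[float] = None      # when the previous attempt was processed
        self.log: List[str] = []               # constructed log lines, not syslog format

    def mode(self, now: float) -> str:
        """'quiet' while a quiet period is running, otherwise 'normal' (watch mode)."""
        if self.quiet_until is not None and now < self.quiet_until:
            return "quiet"
        self.quiet_until = None
        return "normal"

    def _acl_permits(self, src: str) -> bool:
        return any(ip_address(src) in ip_network(n) for n in self.p.quiet_acl)

    def attempt(self, a: Attempt) -> str:
        """Return 'accepted', 'rejected' (bad credentials) or 'blocked' (quiet mode)."""
        # login delay: an attempt arriving sooner than DELAY seconds after the
        # previous one is not processed until the delay has elapsed.
        now = a.t if self.last is None else max(a.t, self.last + self.p.delay)
        self.last = now
        if self.mode(now) == "quiet" and not self._acl_permits(a.src):
            self.log.append(f"t={now:.0f} quiet mode: connection from {a.src} refused")
            return "blocked"
        if a.ok:
            self.log.append(f"t={now:.0f} login success from {a.src}")  # login on-success log
            return "accepted"
        self.log.append(f"t={now:.0f} login failed from {a.src}")       # login on-failure log
        # watch mode: keep only the failures that fall inside the WITHIN window
        self.failures = [f for f in self.failures if now - f <= self.p.within]
        self.failures.append(now)
        if len(self.failures) >= self.p.attempts:
            self.quiet_until = now + self.p.block_for
            self.failures.clear()
            self.log.append(f"t={now:.0f} quiet mode on until t={self.quiet_until:.0f}")
        return "rejected"

def run_scenario():
    """Constructed stream: three rapid guesses from one Internet host, a valid
    login from an admin host NOT on the quiet-mode ACL, one from an admin host
    that IS on it, and one after the quiet period has expired."""
    policy = LoginPolicy(block_for=120, attempts=3, within=60, delay=1,
                         quiet_acl=["10.0.0.0/24"])
    guard = LoginGuard(policy)
    attempts = [
        Attempt(0.0, "203.0.113.7", False),
        Attempt(0.3, "203.0.113.7", False),
        Attempt(1.2, "203.0.113.7", False),
        Attempt(5.0, "192.0.2.10", True),
        Attempt(10.0, "10.0.0.5", True),
        Attempt(125.0, "192.0.2.10", True),
    ]
    return [guard.attempt(a) for a in attempts], guard

if __name__ == "__main__":
    outcomes, guard = run_scenario()
    print("\n".join(guard.log))
    print(outcomes)
```

Running it shows the login delay spacing the three guesses one second apart, the third failure at t=2 switching the device into quiet mode until t=122, the valid login from 192.0.2.10 at t=5 being refused because quiet mode applies to everyone not covered by the ACL, the login from 10.0.0.5 being accepted, and normal mode resuming once the quiet period has elapsed.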
Use banner messages to present legal notification to would-be intruders to inform them that they are not welcome on a network. Banners are very important to the network from a legal perspective. Intruders have won court cases because they did not encounter appropriate warning messages when accessing router networks. In addition to warning would-be intruders, banners are also used to inform remote administrators of use restrictions.
Choosing what to place in banner messages is important and should be reviewed by legal counsel before putting them on network routers. Never use the word welcome or any other familiar greeting that may be misconstrued as an invitation to use the network.
Banners are disabled by default and must be explicitly enabled. Use the banner command from global configuration mode to specify appropriate messages.
banner {exec | incoming | login | motd | slip-ppp} d message d
Tokens are optional and can be used within the message section of the banner command:
$(hostname) - Displays the host name for the router.
$(domain) - Displays the domain name for the router.
$(line) - Displays the vty or tty (asynchronous) line number.
$(line-desc) - Displays the description that is attached to the line.
Be careful in placing this information in the banner because it provides more information to a possible intruder.
Cisco SDM can also be used to configure banner messages.
When enabling remote administrative access, it is also important to consider the security implications of sending information across the network. Traditionally, remote access on routers was configured using Telnet on TCP port 23. However, Telnet was developed in the days when security was not an issue; therefore, all Telnet traffic is forwarded in plaintext. Using this protocol, critical data, such as router configurations, is easily accessible to attackers. Hackers can capture packets forwarded by an administrator's computer using a protocol analyzer such as Wireshark. If the initial Telnet stream is discovered and followed, attackers can learn the administrator's username and password.
However, having remote access capability can save an organization time and money when making necessary configuration changes. So how can a secure remote access connection be established to manage Cisco IOS devices?
SSH has replaced Telnet as the recommended practice for providing remote router administration with connections that support confidentiality and session integrity. It provides functionality that is similar to an outbound Telnet connection, except that the connection is encrypted and operates on port 22. With authentication and encryption, SSH allows for secure communication over a non-secure network.
Four steps must be completed prior to configuring routers for the SSH protocol:
Step 1. Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later to support SSH. Only the Cisco IOS cryptographic images containing the IPsec feature set support SSH. Specifically, Cisco IOS 12.1 or later IPsec DES or Triple Data Encryption Standard (3DES) cryptographic images support SSH. Typically, these images have image IDs of k8 or k9 in their image names. For example, c1841-advipservicesk9-mz.124-10b.bin is an image that can support SSH.
Step 2. Ensure that each of the target routers has a unique host name.
Step 3. Ensure that each of the target routers is using the correct domain name of the network.
Step 4. Ensure that the target routers are configured for local authentication or AAA services for username and password authentication. This is mandatory for a router-to-router SSH connection.
Using the CLI, there are four steps to configure a Cisco router to support SSH:
Step 1. If the router has a unique host name, configure the IP domain name of the network using the ip domain-name domain-name command in global configuration mode.
Step 2. One-way secret keys must be generated for a router to encrypt the SSH traffic. These keys are referred to as asymmetric keys. Cisco IOS software uses the Rivest, Shamir, and Adleman (RSA) algorithm to generate keys. To create the RSA key, use the crypto key generate rsa general-keys modulus modulus-size command in global configuration mode. The modulus determines the size of the RSA key and can be configured from 360 bits to 2048 bits. The larger the modulus, the more secure the RSA key. However, keys with large modulus values take slightly longer to generate and longer to encrypt and decrypt as well. The minimum recommended modulus key length is 1024 bits.
To verify SSH and display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode. If there are existing key pairs, it is recommended that they are overwritten using the crypto key zeroize rsa command.
Step 3. Ensure that there is a valid local database username entry. If not, create one using the username name secret secret command.
Step 4. Enable vty inbound SSH sessions using the line vty commands login local and transport input ssh.
SSH is automatically enabled after the RSA keys are generated. The router SSH service can be accessed using SSH client software.
Optional SSH Commands
Optionally, SSH commands can be used to configure the following:
SSH version
SSH timeout period
Number of authentication retries
Cisco routers support two versions of SSH: SSH version 1 (SSHv1) and the newer, more secure SSH version 2 (SSHv2). SSHv2 provides better security using the Diffie-Hellman key exchange and the strong integrity-checking message authentication code (MAC).
Cisco IOS Release 12.1(1)T and later supports SSHv1. Cisco IOS Release 12.3(4)T and later operates in compatibility mode and supports both SSHv1 and SSHv2. To change from compatibility mode to a specific version, use the ip ssh version {1 | 2} global configuration command.
The time interval that the router waits for the SSH client to respond during the SSH negotiation phase can be configured using the ip ssh time-out seconds command in global configuration mode. The default is 120 seconds. When the EXEC session starts, the standard exec timeout configured for the vty applies.
By default, a user logging in has three attempts before being disconnected. To configure a different number of consecutive SSH retries, use the ip ssh authentication-retries integer command in global configuration mode.
To verify the optional SSH command settings, use the show ip ssh command.
After SSH is configured, an SSH client is required to connect to an SSH-enabled router.
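The password-storage, timeout, vty and SSH recommendations in this section can be checked mechanically against a running-config. The Python auditor below is an added example, not part of the course and not a Cisco tool: it parses two constructed configuration fragments, a router still using plaintext line passwords and Telnet, and the same router after the hardening steps above (enable secret, service password-encryption, security passwords min-length 10, exec-timeout 3 0, no exec on the auxiliary line, login block-for with failure logging, a local username with login local, transport input ssh, and an access-class that limits vty access to the administration host). The configs, hostnames, addresses and the placeholder hash strings are constructed; the three-minute timeout limit follows the text's recommendation.

```python
import re

# Constructed running-config fragments for one router before and after the
# hardening steps in the text. Hash strings are placeholders, not real digests.
WEAK_CONFIG = """\
enable password cisco
line con 0
 password cisco
 login
line aux 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname R1
ip domain-name example.com
service password-encryption
security passwords min-length 10
enable secret 5 $1$PLACEHOLDER$notarealhash
username admin secret 5 $1$PLACEHOLDER$notarealhash
login block-for 120 attempts 3 within 60
login on-failure log
access-list 10 permit host 10.0.0.5
!
line con 0
 exec-timeout 3 0
 login local
line aux 0
 no exec
line vty 0 4
 exec-timeout 3 0
 access-class 10 in
 login local
 transport input ssh
"""

def parse(config):
    """Split a config into global commands and 'line ...' sections keyed by
    'con 0', 'aux 0', 'vty 0 4'; indented commands belong to the open block."""
    glob, lines, current = [], {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            current = None
        elif raw.startswith(" ") and current is not None:
            lines[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[5:].strip()
            lines[current] = []
        else:
            current = None
            glob.append(raw.strip())
    return glob, lines

def exec_timeout_seconds(cmds):
    """Configured exec-timeout in seconds; None if absent (IOS default is
    10 minutes), infinity for 'exec-timeout 0 0' (session never times out)."""
    for c in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", c)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return float("inf") if total == 0 else total
    return None

def audit(config):
    """Return one finding per deviation from the hardening guidance."""
    glob, lines = parse(config)
    has = lambda prefix: any(c.startswith(prefix) for c in glob)
    f = []
    if not has("enable secret"):
        f.append("no enable secret: privileged EXEC is not protected by an MD5 secret")
    if not has("service password-encryption"):
        f.append("service password-encryption off: line passwords are plaintext")
    lengths = [re.match(r"security passwords min-length (\d+)", c) for c in glob]
    if not any(m and int(m.group(1)) >= 10 for m in lengths):
        f.append("security passwords min-length not set to 10 or more")
    if not has("login block-for"):
        f.append("login block-for missing: no protection against dictionary/DoS logins")
    if not has("login on-failure log"):
        f.append("login on-failure log missing: failed attempts are not logged")
    for name, cmds in lines.items():
        for c in cmds:
            if c.startswith("password "):   # type 7 is reversible, anything else is plaintext
                kind = "type 7 (reversible)" if c.startswith("password 7 ") else "plaintext"
                f.append(f"line {name}: {kind} line password")
        if "no exec" in cmds:
            continue  # EXEC disabled on this line (e.g. aux): no session to time out
        t = exec_timeout_seconds(cmds)
        if t is None or t > 180:
            f.append(f"line {name}: exec-timeout absent or longer than 180s")
        if name.startswith("vty"):
            if "transport input ssh" not in cmds:
                f.append(f"line {name}: transport input is not ssh-only")
            if not any(c.startswith("access-class") for c in cmds):
                f.append(f"line {name}: no access-class limiting management hosts")
    return f

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The hardened fragment produces no findings; the weak one is flagged thirteen times, including the Telnet transport and missing access-class on the vty lines and the default 10-minute timeout on every line. Run the same function over a configuration pulled with show running-config to get an equivalent checklist for a real device.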
While it is important that a system administrator can securely connect to and manage a device, still more configurations are needed to keep the network secure. For example, should complete access be provided for all employees in a company? The answer to that question is usually no. Most company employees require only specific areas of access to the network. What about complete access for all employees in the IT department? Keep in mind that large organizations have many various job functions within an IT department. For example, job titles include Chief Information Officer (CIO), Security Operator, Network Administrator, WAN Engineer, LAN Administrator, Software Administrator, PC Tech support, Help Desk support, and others. Not all job functions should have the same level of access to the infrastructure devices.
As an example, a senior network administrator leaves for vacation and, as a precaution, provides a junior administrator with the privileged EXEC mode passwords to all infrastructure devices. A few days later, the curious junior administrator accidentally disables the company network. This is not an uncommon scenario, because all too often a router is secured with only one privileged EXEC password. Anyone with knowledge of this password has open access to the entire router.
Configuring privilege levels is the next step for the system administrator who wants to secure the network. Privilege levels determine who should be allowed to connect to the device and what that person should be able to do with it. The Cisco IOS software CLI has two levels of access to commands.
User EXEC mode (privilege level 1) - Provides the lowest EXEC mode user privileges and allows only user-level commands available at the router> prompt.
Privileged EXEC mode (privilege level 15) - Includes all enable-level commands at the router# prompt.
Although these two levels do provide control, sometimes a more precise level of control is required.
Cisco IOS software has two methods of providing infrastructure access: privilege level and role-based CLI.
If attackers gain access to a router there are many things that they could do. For example, they could alter traffic flows, alter configurations, and even erase the startup configuration file and Cisco IOS image. If the configuration or IOS image is erased, the operator might need to retrieve an archived copy to restore the router. The recovery process must then be performed on each affected router, adding to the total network downtime.
The Cisco IOS Resilient Configuration feature allows for faster recovery if someone reformats flash memory or erases the startup configuration file in NVRAM. This feature allows a router to withstand malicious attempts at erasing the files by securing the router image and maintaining a secure working copy of the running configuration.
When a Cisco IOS image is secured, the resilient configuration feature denies all requests to copy, modify, or delete it. The secure copy of the startup configuration is stored in flash along with the secure IOS image. This set of Cisco IOS image and router running configuration files is referred to as the bootset.
The Cisco IOS resilient configuration feature is only available for systems that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. The Cisco IOS image and backup running configuration on the Flash drive are hidden from view, so the files are not included in any directory listing on the drive.
Two global configuration commands are available to configure the Cisco IOS resilient configuration features: secure boot-image and secure boot-config.
In the event that a router is compromised or needs to be recovered from a misconfigured password, an administrator must understand password recovery procedures. For security reasons, password recovery requires the administrator to have physical access to the router through a console cable.
Recovering a router password involves several steps.
Step 1. Connect to the console port.
Step 2. Use the show version command to view and record the configuration register.
The configuration register is similar to the BIOS setting of a computer, which controls the bootup process. A configuration register, represented by a single hexadecimal value, tells a router what specific steps to take when powered on. Configuration registers have many uses, and password recovery is probably the most used. To view and record the configuration register, use the show version command.
R1>show version
<Output omitted>
Configuration register is 0x2102
The configuration register is usually set to 0x2102 or 0x102. If there is no longer access to the router (because of a lost login or TACACS password), an administrator can safely assume that the configuration register is set to 0x2102.
Step 3. Use the power switch to power cycle the router.
Step 4. Issue the break sequence within 60 seconds of power up to put the router into ROMmon.
Step 5. Type confreg 0x2142 at the rommon 1> prompt.
This changes the default configuration register and causes the router to bypass the startup configuration where the forgotten enable password is stored.
Step 6. Type reset at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
Step 7. Type no after each setup question, or press Ctrl-C to skip the initial setup procedure.
Step 8. Type enable at the Router> prompt. This puts the router into enable mode and allows you to see the Router# prompt.
Step 9. Type copy startup-config running-config to copy the NVRAM into memory. Be careful not to type copy running-config startup-config or the startup configuration will be erased.
Step 10. Type show running-config. In this configuration, the shutdown command appears under all interfaces because all interfaces are currently shut down. An administrator can now see the passwords (enable password, enable secret, vty, and console passwords) either in encrypted or unencrypted format. Unencrypted passwords can be reused, but encrypted passwords need a new password to be created.
Step 11. Enter global configuration and type the enable secret command to change the enable secret password. For example:
R1(config)# enable secret cisco
Step 12. Issue the no shutdown command on every interface to be used. Then issue the show ip interface brief command in privileged EXEC mode to confirm that the interface configuration is correct. Every interface to be used should display "up up."
Step 13. From global configuration mode, type config-register configuration_register_setting. The configuration register setting is either the value recorded in step 2 or 0x2102. For example:
R1(config)# config-register 0x2102
Step 14. Save the configuration changes using the copy running-config startup-config command.
Password recovery is now complete. Enter the show version command to confirm that the router is using the configured configuration register setting on the next reboot.
Implementing a router logging facility is an important part of any network security policy. Cisco routers can log information regarding configuration changes, ACL violations, interface status, and many other types of events. Cisco routers can send log messages to several different facilities. You should configure the router to send log messages to one or more of the following items.
Console - Console logging is on by default. Messages log to the console and can be viewed when modifying or testing the router using terminal emulation software while connected to the console port of the router.
Terminal lines - Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and, therefore, is only valuable to the user on that line.
Buffered logging - Buffered logging is a little more useful as a security tool because log messages are stored in router memory for a time. However, events are cleared whenever the router is rebooted.
SNMP traps - Certain thresholds can be preconfigured on routers and other devices. Router events, such as exceeding a threshold, can be processed by the router and forwarded as SNMP traps to an external SNMP server. SNMP traps are a viable security logging facility but require the configuration and maintenance of an SNMP system.
Syslog - Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers or workstations, including Microsoft Windows and UNIX-based systems, or the Cisco Security MARS appliance. Syslog is the most popular message logging facility, because it provides long-term log storage capabilities and a central location for all router messages.
Cisco router log messages fall into one of eight levels. The lower the level number, the higher the severity level.
Cisco router log messages contain three main parts:
Timestamp
Log message name and severity level
Message text
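A logging configuration that uses several of the facilities listed above and produces messages with the three parts just described, as an added example (not from the page or from Cisco documentation); the router name R1, the syslog server address 10.1.1.50, the interface Loopback0 and the sample message are constructed for this example:

```cisco
! Added example (constructed): send R1's log messages to a syslog server and
! keep a local buffer. Server address and Loopback0 are assumptions.
!
! Timestamps are the first of the three message parts. Without this command a
! message carries only an uptime counter, which cannot be correlated with
! events on other devices.
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# service sequence-numbers
!
! One command per facility. The level keyword is the highest severity number
! (lowest importance) that is still forwarded to that facility:
!   0 emergencies   1 alerts         2 critical       3 errors
!   4 warnings      5 notifications  6 informational  7 debugging
R1(config)# logging console warnings
R1(config)# logging monitor informational
R1(config)# logging buffered 32768 informational
R1(config)# logging host 10.1.1.50
R1(config)# logging trap informational
R1(config)# logging source-interface Loopback0
!
! Record login attempts and configuration changes, the events most often
! needed when reviewing a router after an incident.
R1(config)# login on-failure log
R1(config)# login on-success log
R1(config)# archive
R1(config-archive)# log config
R1(config-archive-log-cfg)# logging enable
R1(config-archive-log-cfg)# notify syslog
R1(config-archive-log-cfg)# end
!
! Terminal-line logging only takes effect once the session asks for it:
R1# terminal monitor
!
! A resulting message (constructed) and its three parts:
!   *Mar  1 00:05:12.345 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.10)
!   timestamp   = *Mar  1 00:05:12.345 UTC
!   message name = %SYS-5-CONFIG_I  (facility SYS, severity 5 = notifications,
!                  mnemonic CONFIG_I)
!   message text = Configured from console by admin on vty0 (10.1.1.10)
!
! Inspect the buffer and the logging settings:
R1# show logging
```

Keeping the console at warnings while sending informational messages to the buffer and the syslog server avoids flooding the console port during an incident without losing the detail that the central server needs.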
Another common monitoring tool is SNMP. SNMP was developed to manage nodes, such as servers, workstations, routers, switches, hubs, and security appliances, on an IP network. SNMP is an Application Layer protocol that facilitates the exchange of management information between network devices. SNMP is part of the TCP/IP protocol suite. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. There are different versions of SNMP.
SNMP version 1 (SNMPv1) and SNMP version 2 (SNMPv2) are based on managers (network management systems [NMSs]), agents (managed nodes), and Management Information Bases (MIBs). In any configuration, at least one manager node runs SNMP management software. Network devices that need to be managed, such as switches, routers, servers, and workstations, are equipped with an SNMP agent software module. The agent is responsible for providing access to a local MIB of objects that reflects the resources and activity at its node. MIBs store data about the device operation and are meant to be available to authenticated remote users.
The SNMP manager can get information from the agent, and change, or set, information in the agent. Sets can change configuration variables in the agent device. Sets can also initiate actions in devices. A reply to a set indicates the new setting in the device. For example, a set can cause a router to reboot, send a configuration file, or receive a configuration file. SNMP traps enable an agent to notify the management station of significant events by sending an unsolicited SNMP message. The actions of gets and sets are the vulnerabilities that open SNMP to attack.
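The weak community-string configuration beside a hardened SNMPv3 configuration that limits who can issue gets and removes sets altogether, as an added example (not from the page or from Cisco documentation); the router name R1, the NMS address 10.1.1.50, the group, user, view and password values are assumptions constructed for this example:

```cisco
! Added example (constructed): SNMP on R1. Addresses, names and passwords are
! assumptions for this example.
!
! Weak: well-known community strings, no restriction on which manager may
! poll, and a read-write community that lets anyone who learns the string
! issue sets (reboot the router, push or pull a configuration).
R1(config)# snmp-server community public RO
R1(config)# snmp-server community private RW
!
! Hardened: remove the defaults, allow only the NMS to poll, and use SNMPv3
! with authentication and privacy so that requests cannot be spoofed and the
! MIB data is not readable on the wire.
R1(config)# no snmp-server community public
R1(config)# no snmp-server community private
R1(config)# access-list 10 permit host 10.1.1.50
R1(config)# access-list 10 deny any log
R1(config)# snmp-server view ROVIEW iso included
R1(config)# snmp-server group NMS-GROUP v3 priv read ROVIEW access 10
R1(config)# snmp-server user nms-admin NMS-GROUP v3 auth sha Auth-Passw0rd-1 priv aes 128 Priv-Passw0rd-1
R1(config)# snmp-server host 10.1.1.50 version 3 priv nms-admin
R1(config)# snmp-server enable traps snmp authentication linkdown linkup coldstart
R1(config)# snmp-server enable traps config
!
! The group grants read only (no "write" view), so sets are rejected.
! Polling from any address other than 10.1.1.50 is denied and logged by ACL 10.
R1# show snmp user
R1# show snmp group
R1# show snmp host
```

Leaving the write view out of the group is the simplest way to close the set vulnerability the text describes; if a change-management process genuinely needs SNMP writes, add a separate group with its own user and a narrower view rather than reusing the read-only credentials.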
NTP uses UDP port 123 and is documented in RFC 1305.
When deciding whether to synchronize to a private clock or to a public clock, it is necessary to weigh the risks and benefits of both.
If a private master clock is implemented, it could be synchronized to Coordinated Universal Time (UTC) via satellite or radio. The administrator does need to ensure that the time source is valid and from a secure site; otherwise, it can introduce vulnerabilities. For example, an attacker can launch a DoS attack by sending bogus NTP data across the Internet to the network in an attempt to change the clocks on network devices, possibly causing digital certificates to become invalid. An attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of syslog events on multiple devices.
Pulling the clock time from the Internet means that unsecured packets are allowed through the firewall. Many NTP servers on the Internet do not require any authentication of peers; therefore, the network administrator must trust that the clock itself is reliable, valid, and secure.
The communications (known as associations) between machines that run NTP are usually statically configured. Each device is given the IP address of the NTP masters. Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association. In an NTP-configured network, one or more routers are designated as the master clock keeper (known as an NTP master) using the ntp master global configuration command.
NTP clients either contact the master or listen for messages from the master to synchronize their clocks. To contact the master, use the ntp server ntp-server-address command.
In a LAN environment, NTP can be configured to use IP broadcast messages instead by using the ntp broadcast client command. This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages. The accuracy of timekeeping is marginally reduced because the information flow is one-way only.
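An authenticated NTP master and client, covering the unicast association and the LAN broadcast alternative described above, as an added example (not from the page or from Cisco documentation); the router names R1 and R2, the addresses, the interface names, the stratum value and the key string are assumptions constructed for this example:

```cisco
! Added example (constructed): authenticated NTP between R1 (master) and R2
! (client). Addresses, interfaces, stratum and key are assumptions.
!
! R1: serve time to the internal network. The key lets clients reject bogus
! NTP from any other source; the access-group limits who may query R1.
! The stratum value 3 is an assumption; R1 itself should be synchronized to
! an authoritative source.
R1(config)# ntp authentication-key 1 md5 NtpK3y-Example
R1(config)# ntp trusted-key 1
R1(config)# ntp authenticate
R1(config)# ntp master 3
R1(config)# ntp source Loopback0
R1(config)# access-list 20 permit 10.1.0.0 0.0.255.255
R1(config)# ntp access-group serve-only 20
R1(config)# ntp update-calendar
!
! R2: unicast client. "ntp authenticate" makes R2 discard packets that are
! not signed with a trusted key, so the key must match on both sides.
R2(config)# ntp authentication-key 1 md5 NtpK3y-Example
R2(config)# ntp trusted-key 1
R2(config)# ntp authenticate
R2(config)# ntp server 10.1.1.1 key 1
!
! LAN alternative: R1 broadcasts on its LAN interface and R2 listens.
! Information flows one way only, so accuracy is slightly reduced.
R1(config)# interface GigabitEthernet0/0
R1(config-if)# ntp broadcast key 1
R2(config)# interface GigabitEthernet0/0
R2(config-if)# ntp broadcast client
!
! Verify on the client: "*" marks the association R2 is synchronized to, and
! the status output should report that the clock is synchronized.
R2# show ntp associations
R2# show ntp status
```

The key proves only where an NTP message came from; it does not make the time itself correct. That is why the master's own upstream source (UTC via satellite or radio, or a trusted public server) still has to be chosen with care, as the text above describes.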
Cisco routers are initially deployed with many services that are enabled by default. This is done for convenience and to simplify the configuration process required to get the device operational. However, some of these services can make the device vulnerable to attack if security is not enabled. Administrators can also enable services on Cisco routers that can expose the device to significant risk. Both of these scenarios must be taken into account when securing the network.
Cisco Discovery Protocol (CDP) is an example of a service that is enabled by default on Cisco routers. It is used primarily to obtain the protocol addresses of neighboring Cisco devices and to discover the platforms of those devices. Unfortunately, an attacker on the network can also use CDP to discover devices on the local network, and the attacker does not need a CDP-enabled device to do so: readily available software, such as Cisco CDP Monitor, can be downloaded to gather the information. The intent of CDP is to make it easier for administrators to discover and troubleshoot other Cisco devices on the network. However, because of the security implications, the use of CDP should be a deliberate decision. While it is an extremely helpful tool, it should not be enabled everywhere in the network. Edge devices are an example of devices that should have this feature disabled.
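Checking what CDP advertises and disabling it on an edge interface or device-wide, as an added example (not from the page or from Cisco documentation); the router name R1 and the interface name Serial0/0/0 are assumptions constructed for this example:

```cisco
! Added example (constructed): limit CDP on R1. Interface names are assumptions.
!
! First see what CDP currently reveals: neighbours, and for each of them the
! platform, IOS version, addresses, native VLAN and duplex, which is exactly
! the information an attacker on the segment would also receive.
R1# show cdp
R1# show cdp neighbors detail
R1# show cdp interface
!
! Option 1: disable CDP only on the edge (Internet-facing) interface, keeping
! it on internal links where it helps troubleshooting.
R1(config)# interface Serial0/0/0
R1(config-if)# no cdp enable
R1(config-if)# end
!
! Option 2: disable CDP on the whole device when it is not needed at all.
R1(config)# no cdp run
R1(config)# end
!
! Verify. After option 1 the edge interface no longer appears in the list of
! CDP-enabled interfaces; after option 2 the command reports CDP is not enabled.
R1# show cdp interface
R1# show cdp neighbors
```

The per-interface form is usually the right choice for a router that has both edge and internal links, since it keeps the troubleshooting benefit where the neighbours are trusted and removes the advertisement where they are not.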