How To Secure Your Cisco Router Using Cisco AutoSecure Feature
In today’s complex network environments securing your network routers can be a daunting task, especially when there are so many CLI commands and parameters with different security implications for your Cisco router device.
Thankfully, since Cisco IOS version 12.3 and later, Cisco provides an easy way for administrators to lock down their Cisco router without entering complex commands and parameters. This feature was smartly introduced to help remove the complexity of the task and ensure the lock-down is performed according to Cisco’s best security practices.
The Cisco AutoSecure feature is available to all IOS version 12.3 and above and supported on all hardware platforms, including all newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.
To maximize flexibility the Cisco AutoSecure command supports two different modes depending on your needs and flexibility required:
AutoSecure Interactive Mode: This mode prompts the user with options to enable/disable services and other security features supported by the IOS version the router is running.
AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings (Cisco’s best security practices).
The Cisco AutoSecure Interactive mode provides greater control over security-related features than the non-interactive mode. However, when an administrator needs to quickly secure a router without much human intervention, the non-interactive mode is appropriate.
We’ll examine the practical difference between the two commands soon. For now, let’s take a look at the functions Cisco AutoSecure performs:
1. Disables the following Global Services:
- Finger
- PAD
- Small Servers
- Bootp
- HTTP service
- Identification Service
- CDP
- NTP
- Source Routing
2. Enables the following Global Services:
- Password-encryption service
- Tuning of scheduler interval/allocation
- TCP synwait-time
- TCP-keepalives-in and tcp-kepalives-out
- SPD configuration
- No ip unreachables for null 0
3. Disables the following services per interface:
- ICMP
- Proxy-Arp
- Directed Broadcast
- Disables MOP service
- Disables icmp unreachables
- Disables icmp mask reply messages.
4. Provides logging for security:
- Enables sequence numbers & timestamp
- Provides a console log
- Sets log buffered size
- Provides an interactive dialogue to configure the logging server ip address.
5. Secures access to the router:
- Checks for a banner and provides facility to add text to automatically configure:
- Login and password
- Transport input & output
- Exec-timeout
- Local AAA
- SSH timeout and ssh authentication-retries to minimum number
- Enable only SSH and SCP for access and file transfer to/from the router
- Disables SNMP If not being used
6. Secures the Forwarding Plane:
- Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
- Anti-spoofing
- Blocks all IANA reserved IP address blocks
- Blocks private address blocks if customer desires
- Installs a default route to NULL 0, if a default route is not being used
- Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
- Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
- Enables NetFlow on software forwarding platforms
It is clear that the Cisco AutoSecure does a lot more than execute a couple of commands.
Configuring Cisco AutoSecure Interactive Mode
This happens to be the recommended mode for securing your Cisco router. When using the Cisco AutoSecure Interactive Mode, the router will prompt a number of questions regarding the current topology, how it is connected to the Internet, which interface connects to the Internet and so on. Providing this information is essential because it will be used by AutoSecure to lock-down the router and disable services as required by Cisco’s best security practices.
Below is the command required to initiate the AutoSecure Interactive mode feature. You can abort the session anytime by pressing Ctrl-C, or press ? to get help:
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.100 YES NVRAM up up
FastEthernet0/1 192.168.151.10 YES NVRAM up up
NVI0 10.0.0.100 YES unset up up
Enter the interface name that is facing the internet: FastEthernet0/1
Securing Management plane services...
Disabling service fingerDisabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configure NTP Authentication? [yes]: no
Enter the new enable password: *****
% Invalid Password length - must contain 6 to 25 characters. Password configuration failed
Enter the new enable password: **********
Confirm the enable password: **********
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 15
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 20
Configure SSH server? [yes]: no
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 11584B5643475D
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 15
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 15 attempts 3 within 20
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
access-list 101 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 101
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
Notice the router rejected the initial enable password as it did not conform to the password security requirements
If at any point you would like to check the configuration changes made by the Cisco AutoSecure feature before saving them, you can use the show auto secure config command:
Configuring Cisco AutoSecure Non-Interactive Mode
The Non-interactive mode of Cisco’s AutoSecure is more of an ‘express’ setup feature, bypassing any user input and quickly securing the router using Cisco’s best security practices. Think of it as a quick-and-dirty lockdown mode!
Running the Non-Interactive AutoSecure mode is done by entering the auto secure no-interact command as shown below. The router will display some information and continue configuring itself:
R1# auto secure no-interact Below is the expected output once the auto secure non-interactive command is executed:
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
end
Applying the config generated to running-config
R1#
Exploring Other Cisco AutoSecure Options
For those who like to explore all available options of the Cisco AutoSecure command, use the auto secure command, followed by a question mark ? as shown below:
firewall AutoSecure Firewall
forwarding Secure Forwarding Plane
full Interactive full session of AutoSecure
login AutoSecure Login
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
ntp AutoSecure NTP
ssh AutoSecure SSH
tcp-intercept AutoSecure TCP Intercept
Trying out different parameters and options will help gain a greater understanding of how AutoSecure works and the options it provides to help best secure your network.
Using the Cisco AutoSecure feature to secure your router(s) is a very simple task and one that should not be neglected, even by experienced network engineers. With the use of such features, one can create a configuration template with all necessary basic security measures taken into account.
Cisco provides a number of features that can help make an engineer’s every-day life more secure and hassle-free. It’s to our advantage to make the best of everything offered!
Your IP address:
3.133.153.110
Wi-Fi Key Generator
Follow Firewall.cx
Cisco Password Crack
Decrypt Cisco Type-7 Passwords on the fly!