You are on page 1of 3

Router security tips

Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Examine your guidance policies at least annually.

Why
Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Strategy
In an excellent two-page summary, NSA's System and Network Attack Center (SNAC)
Router Security Configuration Guide describes quick but effective ways to tighten
the security of a Cisco router -- principles that can be applied to all routers,
regardless of manufacturer.

General recommendations

Create and maintain a written router security policy. The policy should
identify who is allowed to log in to the router, who is allowed to configure and
update it, and should outline the logging and management practices for it.

Comment and organize offline master editions of your router configuration
files. Also, keep the offline copies of all router configurations in sync with the
actual configurations running on the routers, invaluable for diagnosing suspected
attacks and recovering from them.

Implement access lists that allow only those protocols, ports and IP addresses
that are required by network users and services, and that explicitly deny
everything else.

Run the latest available General Deployment (GD) IOS version.

Test the security of your routers regularly, especially after any major
configuration changes.

Router access recommendations

Shut down unneeded services on the router. Start by running the show proc
command on the router, then turn off clearly unneeded facilities and services. Some
servers that should almost always be turned off include: small services (echo,
discard, chargen, etc.), BOOTP, Finger, HTTP and SNMP. Services allowing certain
packets to pass through the router, or send special packets, or are used for remote
router configuration should also be off; these include CDP, remote config and
source routing.

Passwords can be configured more securely. Configure the Enable Secret password
protected with an MD5-based algorithm. Also, configure passwords for the console
line, the auxiliary line and the virtual terminal lines. Provide basic protection
for the user and line passwords using the service passwordencryption command.

0/20 and 192. and allow only traffic destined for internal addresses to enter the router from the outside (external interfaces). Block illegal addresses at the outgoing interfaces. Access list recommendations Always start an access-list definition with the privileged command no access- list nnn to clear out any previous versions of access list number nnn. 172. . Drop incoming packets with loopback addresses. Block broadcast packets. Besides preventing an attacker from using the router to attack other sites.0/8. for all remote administration. block multicast packets. it helps identify poorly configured internal hosts or networks.0.168.0/8.0. if your router supports it.0.0. Block incoming packets that claim to have a source address of any internal (trusted) networks.0. network 127.0. Enforce traffic address restrictions using access lists.0. allow only internal addresses to enter the router from the internal interfaces. Block incoming packets claiming to have the same destination and source address (i. Block packets coming from the outside (untrusted networks) that are obviously fake or have source or destination addresses that are reserved. and mask request messages.0/16. This impedes TCP sequence number guessing and other attacks.0. (Note that this may block DHCP and BOOTP services. a 'Land' attack on the router itself). these packets cannot be real.0.0/8. for example networks 0.0/16. 10.254. Incorporate this protection into the access list used to restrict incoming traffic into each nterface. If the network doesn't need IP multicast. 169. On a border router. Incorporate this protection into the access lists applied to interfaces facing any untrusted networks. untrusted network.e. This protection should be part of the overall traffic filtering at the interface attached to the external. Adopt SSH. so block them. This approach might not work for complicated networks. but these services shouldn't be used on external interfaces and shouldn't cross border routers.) A number of remote probes and attacks use ICMP echo and redirect.16.

Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense. . CISSP. An information security professional for 17 years. Shelley Bard. The June 2004 Cisco IOS Switch Security Configuration Guide and summary documents are also available on the site.Logging & debugging recommendations Turn on the router's logging capability and use it to log errors and blocked packets to an internal (trusted) syslog host. If your network requires SNMP. Make sure that the router blocks syslog traffic from untrusted networks. then configure an SNMP ACL and hard-to-guess SNMP community strings. CISM. Configure the router to include time information in the logging. special interest groups. Configure at least two different NTP servers to ensure availability of good time information. More information One of the most useful and high-quality lists of Security Technical Implementation Guides (STIG) are at NSA's SNAC Web site. Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS. which allows an administrator to trace network attacks more accurately. is a senior security network engineer with Verizon Federal Network Systems (FNS). Please e-mail any comments. industry and academia.