Router security tips

Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Examine your guidance policies at least annually.

Why
Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Strategy
In an excellent two-page summary, NSA's System and Network Attack Center (SNAC)
Router Security Configuration Guide describes quick but effective ways to tighten
the security of a Cisco router -- principles that can be applied to all routers,
regardless of manufacturer.

General recommendations

Create and maintain a written router security policy. The policy should
identify who is allowed to log in to the router, who is allowed to configure and
update it, and should outline the logging and management practices for it.

Comment and organize offline master editions of your router configuration
files. Also, keep the offline copies of all router configurations in sync with the
actual configurations running on the routers, invaluable for diagnosing suspected
attacks and recovering from them.

Implement access lists that allow only those protocols, ports and IP addresses
that are required by network users and services, and that explicitly deny
everything else.

Run the latest available General Deployment (GD) IOS version.

Test the security of your routers regularly, especially after any major
configuration changes.

Router access recommendations

Shut down unneeded services on the router. Start by running the show proc
command on the router, then turn off clearly unneeded facilities and services. Some
servers that should almost always be turned off include: small services (echo,
discard, chargen, etc.), BOOTP, Finger, HTTP and SNMP. Services allowing certain
packets to pass through the router, or send special packets, or are used for remote
router configuration should also be off; these include CDP, remote config and
source routing.

Passwords can be configured more securely. Configure the Enable Secret password
protected with an MD5-based algorithm. Also, configure passwords for the console
line, the auxiliary line and the virtual terminal lines. Provide basic protection
for the user and line passwords using the service passwordencryption command.

0.0. Block broadcast packets.0. 10. network 127.254.) A number of remote probes and attacks use ICMP echo and redirect. 172. and allow only traffic destined for internal addresses to enter the router from the outside (external interfaces). it helps identify poorly configured internal hosts or networks. for example networks 0.16.0. these packets cannot be real. Besides preventing an attacker from using the router to attack other sites.0. and mask request messages.168. Access list recommendations Always start an access-list definition with the privileged command no access- list nnn to clear out any previous versions of access list number nnn.0/8.e. 169.0/16. If the network doesn't need IP multicast. block multicast packets. . untrusted network. Enforce traffic address restrictions using access lists.0. Incorporate this protection into the access lists applied to interfaces facing any untrusted networks. Drop incoming packets with loopback addresses. Incorporate this protection into the access list used to restrict incoming traffic into each nterface. if your router supports it.0/8. (Note that this may block DHCP and BOOTP services.0. allow only internal addresses to enter the router from the internal interfaces. Block incoming packets that claim to have a source address of any internal (trusted) networks. a 'Land' attack on the router itself). Adopt SSH. This protection should be part of the overall traffic filtering at the interface attached to the external.0. for all remote administration. On a border router.0. This impedes TCP sequence number guessing and other attacks. Block incoming packets claiming to have the same destination and source address (i. so block them.0/8. but these services shouldn't be used on external interfaces and shouldn't cross border routers. Block packets coming from the outside (untrusted networks) that are obviously fake or have source or destination addresses that are reserved.0/20 and 192.0/16. Block illegal addresses at the outgoing interfaces. This approach might not work for complicated networks.

CISM. More information One of the most useful and high-quality lists of Security Technical Implementation Guides (STIG) are at NSA's SNAC Web site. is a senior security network engineer with Verizon Federal Network Systems (FNS). Configure the router to include time information in the logging.Logging & debugging recommendations Turn on the router's logging capability and use it to log errors and blocked packets to an internal (trusted) syslog host. The June 2004 Cisco IOS Switch Security Configuration Guide and summary documents are also available on the site. . industry and academia. An information security professional for 17 years. Shelley Bard. If your network requires SNMP. Configure at least two different NTP servers to ensure availability of good time information. which allows an administrator to trace network attacks more accurately. Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS. special interest groups. then configure an SNMP ACL and hard-to-guess SNMP community strings. Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense. CISSP. Please e-mail any comments. Make sure that the router blocks syslog traffic from untrusted networks.