You are on page 1of 3

Router security tips

Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Examine your guidance policies at least annually.

Why
Routers are used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.

Strategy
In an excellent two-page summary, NSA's System and Network Attack Center (SNAC)
Router Security Configuration Guide describes quick but effective ways to tighten
the security of a Cisco router -- principles that can be applied to all routers,
regardless of manufacturer.

General recommendations

Create and maintain a written router security policy. The policy should
identify who is allowed to log in to the router, who is allowed to configure and
update it, and should outline the logging and management practices for it.

Comment and organize offline master editions of your router configuration
files. Also, keep the offline copies of all router configurations in sync with the
actual configurations running on the routers, invaluable for diagnosing suspected
attacks and recovering from them.

Implement access lists that allow only those protocols, ports and IP addresses
that are required by network users and services, and that explicitly deny
everything else.

Run the latest available General Deployment (GD) IOS version.

Test the security of your routers regularly, especially after any major
configuration changes.

Router access recommendations

Shut down unneeded services on the router. Start by running the show proc
command on the router, then turn off clearly unneeded facilities and services. Some
servers that should almost always be turned off include: small services (echo,
discard, chargen, etc.), BOOTP, Finger, HTTP and SNMP. Services allowing certain
packets to pass through the router, or send special packets, or are used for remote
router configuration should also be off; these include CDP, remote config and
source routing.

Passwords can be configured more securely. Configure the Enable Secret password
protected with an MD5-based algorithm. Also, configure passwords for the console
line, the auxiliary line and the virtual terminal lines. Provide basic protection
for the user and line passwords using the service passwordencryption command.

0/16. .0.0. This approach might not work for complicated networks. these packets cannot be real. so block them. Block broadcast packets.254. Block incoming packets that claim to have a source address of any internal (trusted) networks. Block illegal addresses at the outgoing interfaces. for example networks 0. allow only internal addresses to enter the router from the internal interfaces. Incorporate this protection into the access list used to restrict incoming traffic into each nterface. but these services shouldn't be used on external interfaces and shouldn't cross border routers.0/20 and 192. network 127. Drop incoming packets with loopback addresses.0.0. Block packets coming from the outside (untrusted networks) that are obviously fake or have source or destination addresses that are reserved.0/8. if your router supports it. Incorporate this protection into the access lists applied to interfaces facing any untrusted networks. This impedes TCP sequence number guessing and other attacks. Enforce traffic address restrictions using access lists. 10. 169.0.e. Adopt SSH. (Note that this may block DHCP and BOOTP services.0. Access list recommendations Always start an access-list definition with the privileged command no access- list nnn to clear out any previous versions of access list number nnn. 172. Block incoming packets claiming to have the same destination and source address (i. a 'Land' attack on the router itself).0/8.0. Besides preventing an attacker from using the router to attack other sites. for all remote administration. and allow only traffic destined for internal addresses to enter the router from the outside (external interfaces).168. it helps identify poorly configured internal hosts or networks.) A number of remote probes and attacks use ICMP echo and redirect.0/16. If the network doesn't need IP multicast. and mask request messages. On a border router.0. block multicast packets.0. This protection should be part of the overall traffic filtering at the interface attached to the external. untrusted network.16.0/8.

then configure an SNMP ACL and hard-to-guess SNMP community strings. Configure at least two different NTP servers to ensure availability of good time information. which allows an administrator to trace network attacks more accurately. Make sure that the router blocks syslog traffic from untrusted networks. special interest groups. Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense. Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS. More information One of the most useful and high-quality lists of Security Technical Implementation Guides (STIG) are at NSA's SNAC Web site. Configure the router to include time information in the logging. Shelley Bard.Logging & debugging recommendations Turn on the router's logging capability and use it to log errors and blocked packets to an internal (trusted) syslog host. Please e-mail any comments. The June 2004 Cisco IOS Switch Security Configuration Guide and summary documents are also available on the site. industry and academia. If your network requires SNMP. An information security professional for 17 years. CISM. . is a senior security network engineer with Verizon Federal Network Systems (FNS). CISSP.