
31/01/2017 Cisco IOS Devices Best Practices | Patrick Denis

Cisco IOS Devices Best Practices
admin | September 28, 2015 | 0 Comments

Cisco, Routing and Switching, Security

This checklist is a collection of all the hardening steps that are presented in this guide. Administrators can use it as a reminder of all the hardening features used and considered for a Cisco IOS device, even if a feature was not implemented because it did not apply. Administrators are advised to evaluate each option for its potential risk before they implement the option.

Management Plane

Passwords
  Enable MD5 hashing (secret option) for enable and local user passwords
  Configure the password retry lockout
  Disable password recovery (consider risk)
Disable unused services
Configure TCP keepalives for management sessions
Set memory and CPU threshold notifications
Configure
  Memory and CPU threshold notifications
  Reserve memory for console access
  Memory leak detector
  Buffer overflow detection
  Enhanced crashinfo collection
Use iACLs to restrict management access
  Filter (consider risk)
    ICMP packets
    IP fragments
    IP options
    TTL value in packets
Control Plane Protection
  Configure port filtering
  Configure queue thresholds
Management access
  Use Management Plane Protection to restrict management interfaces
  Set exec timeout
  Use an encrypted transport protocol (such as SSH) for CLI access
  Control transport for vty and tty lines (access class option)
  Warn using banners
AAA
  Use AAA for authentication and fallback
  Use AAA (TACACS+) for command authorization

http://www.patrickdenis.biz/blog/hardenciscoiosdevices/ 1/22
  Use AAA for accounting
  Use redundant AAA servers
SNMP
  Configure SNMPv2 communities and apply ACLs
  Configure SNMPv3
Logging
  Configure centralized logging
  Set logging levels for all relevant components
  Set logging source interface
  Configure logging timestamp granularity
Configuration Management
  Replace and rollback
  Exclusive Configuration Change Access
  Software resilience configuration
  Configuration change notifications

Control Plane

Disable (consider risk)
  ICMP redirects
  ICMP unreachables
  Proxy ARP
Configure NTP authentication if NTP is being used
Configure Control Plane Policing/Protection (port filtering, queue thresholds)
Secure routing protocols
  BGP (TTL, MD5, maximum prefixes, prefix lists, AS path ACLs)
  IGP (MD5, passive interface, route filtering, resource consumption)
Configure hardware rate limiters
Secure First Hop Redundancy Protocols (GLBP, HSRP, VRRP)

Data Plane

Configure IP Options Selective Drop
Disable (consider risk)
  IP source routing
  IP Directed Broadcasts
  ICMP redirects
Limit IP Directed Broadcasts
Configure tACLs (consider risk)
  Filter ICMP
  Filter IP fragments
  Filter IP options
  Filter TTL values
Configure required anti-spoofing protections
  ACLs
  IP Source Guard
  Dynamic ARP Inspection
  Unicast RPF
  Port security
Control Plane Protection (control-plane cef exception)
Configure NetFlow and classification ACLs for traffic identification
Configure required access control ACLs (VLAN maps, PACLs, MAC)
Configure Private VLANs

The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

Management Plane: The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as Secure Shell (SSH) and Simple Network Management Protocol (SNMP).
Control Plane: The control plane of a network device processes the traffic that is paramount to maintain the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).
Data Plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

Management Plane
This list of protocols is used by the management plane:

Simple Network Management Protocol
Telnet
Secure Shell Protocol
File Transfer Protocol
Trivial File Transfer Protocol
Secure Copy Protocol
TACACS+
RADIUS
NetFlow
Network Time Protocol
Syslog

Password Management
The enable secret command must be used, rather than the older enable password command.
The service password-encryption global configuration command directs the Cisco IOS software to encrypt the passwords.
Enhanced Password Security
With the username secret command

Login Password Retry Lockout
aaa new-model
aaa local authentication attempts max-fail <max-attempts>
aaa authentication login default local
username <name> secret <password>

No Service Password-Recovery
The No Service Password-Recovery feature does not allow anyone with console access to insecurely access the device configuration and clear the password. It also does not allow malicious users to change the configuration register value and access NVRAM.
no service password-recovery

Disable Unused Services
As a security best practice, any unnecessary service must be disabled.
no ip finger
no ip bootp server
ip dhcp bootp ignore (disable BOOTP)
no service dhcp
no mop enabled (disable the Maintenance Operation Protocol (MOP) service)
no ip domain-lookup
no service pad (Packet Assembler/Disassembler (PAD) service, which is used for X.25 networks)
no ip http server
no ip http secure-server
no cdp enable (interface) or no cdp run (global)
no lldp transmit and no lldp receive (interface) or no lldp run (global)

EXEC Timeout
line con 0
 exec-timeout <minutes> [seconds]
line vty 0 4
 exec-timeout <minutes> [seconds]

Keepalives for TCP Sessions
service tcp-keepalives-in
service tcp-keepalives-out
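A way to check a saved running-config against the password, unused-service, exec-timeout and keepalive items above, as an added example (not code from the original post): it parses the text of `show running-config`, flags `enable password` and Type 7 strings, and reports missing hardening commands. Which services are on by default varies by platform, so the `REQUIRED_GLOBALS` table and both sample configs are assumptions constructed for this example.

```python
import re

# Constructed running-config excerpt (not from a real device); the Type 7
# strings are placeholders, not real credentials
WEAK_CONFIG = """\
version 15.2
no service password-encryption
hostname edge-rtr
!
enable password 7 0123456789ABCD
username admin password 7 0123456789ABCD
!
ip finger
ip http server
no cdp run
!
line con 0
 exec-timeout 0 0
line vty 0 4
 transport input telnet ssh
"""

# The same device after applying the checklist items (constructed)
HARDENED_CONFIG = """\
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
hostname edge-rtr
enable secret 5 $1$PLACEHOLDER$HASH
username admin secret 5 $1$PLACEHOLDER$HASH
no ip bootp server
no service pad
no cdp run
line con 0
 exec-timeout 10 0
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""

# (required global command, True when the service is on by default so that the
# "no" form must appear explicitly in the running-config). Defaults differ by
# platform and release; this table is an assumption for the example.
REQUIRED_GLOBALS = [
    ("no ip finger", False),
    ("no ip bootp server", True),
    ("no service pad", True),
    ("no ip http server", False),
    ("no ip http secure-server", False),
    ("no cdp run", True),
    ("service password-encryption", False),
    ("service tcp-keepalives-in", False),
    ("service tcp-keepalives-out", False),
]


def parse_config(config):
    """Split a running-config into top-level commands and per-line-mode
    sub-commands: returns (set_of_globals, {"line vty 0 4": [subcommands]})."""
    globals_, lines, current = set(), {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # sub-command of the current line mode
            if current is not None:
                lines[current].append(raw.strip())
            continue
        cmd = raw.strip()
        globals_.add(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            lines[current] = []
    return globals_, lines


def audit_config(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    globals_, lines = parse_config(config)
    findings = []
    if any(g.startswith("enable password") for g in globals_):
        findings.append("enable password used; replace with enable secret")
    if not any(g.startswith("enable secret") for g in globals_):
        findings.append("no enable secret configured")
    for g in globals_:
        if re.search(r"\bpassword 7 \S+", g):   # Type 7 is reversible encoding, not a hash
            findings.append(f"Type 7 password in: {g}")
        if re.match(r"username \S+ password", g):
            findings.append(f"username without secret: {g.split(' password')[0]}")
    for req, default_on in REQUIRED_GLOBALS:
        if req in globals_:
            continue
        enabled_form = req[3:] if req.startswith("no ") else None
        if enabled_form and not default_on and enabled_form not in globals_:
            continue                         # off by default and never enabled
        findings.append(f"missing: {req}")
    for name, subs in lines.items():
        if not any(s.startswith("exec-timeout") and s != "exec-timeout 0 0" for s in subs):
            findings.append(f"{name}: no exec-timeout (or disabled with 0 0)")
        if name.startswith("line vty") and "transport input ssh" not in subs:
            findings.append(f"{name}: transport input is not ssh-only")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FAIL", finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```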

Management Interface Use
One of the most common interfaces that is used for in-band access to a device is the logical loopback interface. Loopback interfaces are always up, whereas physical interfaces can change state, and the interface can potentially not be accessible. It is recommended to add a loopback interface to each device as a management interface and that it be used exclusively for the management plane.
Once the loopback interface is configured on a device, it can be used by management plane protocols, such as SSH, SNMP, and syslog, in order to send and receive traffic.
interface Loopback0

 ip address 192.168.1.1 255.255.255.0

Memory Threshold Notifications
memory free low-watermark processor <threshold>
memory free low-watermark io <threshold>
memory reserve critical <value>

CPU Thresholding Notification
snmp-server enable traps cpu threshold
snmp-server host <host-address> <community-string> cpu
process cpu threshold type <type> rising <percentage> interval <seconds> [falling <percentage> interval <seconds>]
process cpu statistics limit entry-percentage <number> [size <seconds>]

Reserve Memory for Console Access
memory reserve console 4096

Memory Leak Detector
show memory debug leaks

Buffer Overflow: Detection and Correction of Redzone Corruption
exception memory ignore overflow io
exception memory ignore overflow processor
Once configured, the show memory overflow command

Network Time Protocol
NTP Time Zone
NTP Authentication

Limit Access to the Network with Infrastructure ACLs
An iACL is constructed and applied in order to specify connections from hosts or networks that need to be allowed to network devices. Common examples of these types of connections are eBGP, SSH, and SNMP. After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is then explicitly permitted. Example:
ip access-list extended ACL-INFRASTRUCTURE-IN
 ! Permit required connections for routing protocols and
 ! network management
 permit tcp host <trusted-ebgp-peer> host <local-ebgp-address> eq 179
 permit tcp host <trusted-ebgp-peer> eq 179 host <local-ebgp-address>
 permit tcp host <trusted-management-stations> any eq 22
 permit udp host <trusted-netmgmt-servers> any eq 161
 ! Deny all other IP traffic to any network device
 deny ip any <infrastructure-address-space> <mask>

 ! Permit transit traffic
 permit ip any any

ICMP Packet Filtering
ip access-list extended ACL-INFRASTRUCTURE-IN
 ! Permit ICMP Echo (ping) from trusted management stations and servers
 permit icmp host <trusted-management-stations> any echo
 permit icmp host <trusted-netmgmt-servers> any echo
 ! Deny all other IP traffic to any network device
 deny ip any <infrastructure-address-space> <mask>
 ! Permit transit traffic
 permit ip any any

Filter IP Fragments
ip access-list extended ACL-FRAGMENT-EXAMPLE
 permit tcp any host 192.168.1.1 eq 80
 deny tcp any host 192.168.1.1 eq 22

ip access-list extended ACL-INFRASTRUCTURE-IN
 ! Deny IP fragments using protocol-specific ACEs to aid in
 ! classification of attack traffic
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments
 ! Deny all other IP traffic to any network device
 deny ip any <infrastructure-address-space> <mask>
 ! Permit transit traffic
 permit ip any any

ACL Support to Filter on TTL Value

The generation and transmission of these ICMP Time Exceeded messages is an exception process. Routers can perform this function when the number of IP packets that are due to expire is low, but if the number of packets due to expire is high, generation and transmission of these messages can consume all available CPU resources. This presents a DoS attack vector. It is for this reason that devices need to be hardened against DoS attacks that utilize a high rate of IP packets that are due to expire.

It is recommended that organizations filter IP packets with low TTL values at the edge of the network. Completely filtering packets with TTL values insufficient to traverse the network mitigates the threat of TTL-based attacks.

This example ACL filters packets with TTL values less than six. This provides protection against TTL expiry attacks for networks up to five hops in width.

ip access-list extended ACL-INFRASTRUCTURE-IN
 ! Deny IP packets with TTL values insufficient to traverse the network
 deny ip any any ttl lt 6
 ! Deny all other IP traffic to any network device

 deny ip any <infrastructure-address-space> <mask>
 ! Permit transit traffic
 permit ip any any
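The fragment and TTL sections above both hinge on how IOS matches an ACE against packets that carry no Layer 4 header. This added example (not code from the original post) models that documented behaviour in a small ACL evaluator: an ACE with Layer 4 information permits a non-initial fragment on Layer 3 alone but, if it is a deny, is skipped; the `fragments` keyword matches only non-initial fragments; `ttl lt` is a Layer 3 test. It runs ACL-FRAGMENT-EXAMPLE from the page beside a version that puts the fragment and TTL denies first. Only destination `eq` ports are parsed, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # "eq <port>" on the destination (Layer 4 info)
    fragments: bool = False           # the "fragments" keyword
    ttl_lt: Optional[int] = None      # "ttl lt <n>"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    ttl: int = 64
    dport: Optional[int] = None       # None for a non-initial fragment (no L4 header)
    frag: str = "none"                # "none", "initial" or "noninitial"


def _take_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard' and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")   # wildcard (hostmask) form


def parse_acl(text):
    """Parse ACE lines in the form used on this page (destination 'eq' only)."""
    acl = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        rest = tok[2:]
        ace = Ace(tok[0], tok[1], _take_addr(rest), _take_addr(rest))
        while rest:
            kw = rest.pop(0)
            if kw == "eq":
                ace.dport = int(rest.pop(0))
            elif kw == "fragments":
                ace.fragments = True
            elif kw == "ttl" and rest.pop(0) == "lt":
                ace.ttl_lt = int(rest.pop(0))
            else:
                raise ValueError(f"unsupported keyword {kw!r} in {line!r}")
        acl.append(ace)
    return acl


def apply_ace(ace, pkt):
    """IOS matching for one ACE: "permit", "deny" or None (try the next ACE)."""
    l3 = (ace.proto in ("ip", pkt.proto)
          and ipaddress.ip_address(pkt.src) in ace.src
          and ipaddress.ip_address(pkt.dst) in ace.dst
          and (ace.ttl_lt is None or pkt.ttl < ace.ttl_lt))
    if not l3:
        return None
    if ace.fragments:                 # matches non-initial fragments only
        return ace.action if pkt.frag == "noninitial" else None
    if ace.dport is None:             # pure Layer 3 ACE: every packet, fragments included
        return ace.action
    if pkt.frag == "noninitial":
        # Layer 4 ACE but the fragment has no Layer 4 header: a permit matches on
        # Layer 3 alone, a deny is skipped and the next ACE is evaluated
        return ace.action if ace.action == "permit" else None
    return ace.action if pkt.dport == ace.dport else None


def evaluate(acl, pkt):
    """First matching ACE wins; the implicit deny applies when none matches."""
    for ace in acl:
        verdict = apply_ace(ace, pkt)
        if verdict is not None:
            return verdict
    return "deny"


# The two-line ACL from the "Filter IP Fragments" section
ACL_FRAGMENT_EXAMPLE = parse_acl("""
permit tcp any host 192.168.1.1 eq 80
deny tcp any host 192.168.1.1 eq 22
""")

# Same rules with the fragment and TTL denies from ACL-INFRASTRUCTURE-IN placed first
ACL_HARDENED = parse_acl("""
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
deny ip any any fragments
deny ip any any ttl lt 6
permit tcp any host 192.168.1.1 eq 80
deny tcp any host 192.168.1.1 eq 22
permit ip any any
""")

# Constructed packets: a non-initial fragment of a flow toward the SSH port, a
# normal SSH SYN, and a packet whose TTL would expire inside the network
FRAG_TO_SSH = Packet("tcp", "203.0.113.9", "192.168.1.1", frag="noninitial")
SSH_SYN = Packet("tcp", "203.0.113.9", "192.168.1.1", dport=22)
LOW_TTL = Packet("udp", "203.0.113.9", "192.168.1.1", ttl=3, dport=53)

if __name__ == "__main__":
    for name, acl in (("ACL-FRAGMENT-EXAMPLE", ACL_FRAGMENT_EXAMPLE), ("hardened", ACL_HARDENED)):
        print(name, evaluate(acl, FRAG_TO_SSH), evaluate(acl, SSH_SYN), evaluate(acl, LOW_TTL))
```

The first ACL permits the fragment destined for the SSH flow because the `permit ... eq 80` ACE matches it on Layer 3 alone; the ordering with explicit `fragments` denies closes that gap.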

Secure Interactive Management Sessions
Management Plane Protection (MPP) allows an administrator to restrict on which interfaces management traffic can be received by a device.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh https

Encrypt Management Sessions
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh source-interface GigabitEthernet0/1
line vty 0 4
 transport input ssh
!
ip scp server enable
!
ip http secure-server

This example configuration enables the use of RSA keys with SSHv2 on a Cisco IOS device:
! Configure a hostname for the device
hostname router
! Configure a domain name
ip domain-name cisco.com
! Specify the name of the RSA key pair (in this case, sshkeys) to use for SSH
ip ssh rsa keypair-name sshkeys
! Enable the SSH server for local and remote authentication on the router using
! the crypto key generate command
! For SSH version 2, the modulus size must be at least 768 bits
crypto key generate rsa usage-keys label sshkeys modulus 2048
! Configure an ssh timeout (in seconds)
! The following enables a timeout of 120 seconds for SSH connections
ip ssh time-out 120
! Configure a limit of five (5) authentication retries
ip ssh authentication-retries 5

! Configure SSH version 2
ip ssh version 2

Refer to Secure Shell Version 2 Enhancements for RSA Keys for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH server to perform RSA-based user authentication. The user authentication is successful if the RSA public key stored on the server is verified with the public or the private key pair stored on the client.

! Configure a hostname for the device
hostname router
! Configure a domain name
ip domain-name cisco.com
! Generate RSA key pairs using a modulus of 2048 bits
crypto key generate rsa modulus 2048
! Configure SSH-RSA keys for user and server authentication on the SSH server
ip ssh pubkey-chain
! Configure the SSH username
username sshuser
! Specify the RSA public key of the remote peer
! You must then configure either the key-string command
! (followed by the RSA public key of the remote peer) or the
! key-hash command (followed by the SSH key type and version.)

Refer to Configuring the Cisco IOS SSH Server to Perform RSA-Based User Authentication for more information on the use of RSA keys with SSHv2.

This example configuration enables the Cisco IOS SSH client to perform RSA-based server authentication.

hostname router
ip domain-name cisco.c
! Generate RSA key pairs
crypto key generate rsa
! Configure SSH-RSA keys for user and server authentication on the SSH server
ip ssh pubkey-chain
! Enable the SSH server for public-key authentication on the router
server SSH-server-name
! Specify the RSA public key of the remote peer
! You must then configure either the key-string command
! (followed by the RSA public key of the remote peer) or the
! key-hash <key-type> <key-name> command (followed by the SSH key
! type and version.)
! Ensure that server authentication takes place. The connection will be
! terminated on a failure
ip ssh stricthostkeycheck

Console and AUX Ports
line aux 0
 transport input none (or transport input ssh)
 transport output none (or transport output ssh)
 no exec
 exec-timeout 0 1
 no password

(transport input or access-class configuration) IPSec can be used for encrypted and secure remote access connections to a device, if supported. If you use IPSec, it also adds additional CPU overhead to the device. However, SSH must still be enforced as the transport even when IPSec is used.

Warning Banners
Notice that the system is to be logged into or used only by specifically authorized personnel and perhaps information about who can authorize use.
Notice that any unauthorized use of the system is unlawful and can be subject to civil and criminal penalties.
Notice that any use of the system can be logged or monitored without further notice and that the resulting logs can be used as evidence in court.
Specific notices required by local laws

Authentication, Authorization, and Accounting
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host <ip-address-of-tacacs-server>
tacacs-server key <key>

Authentication Fallback (if AAA becomes unavailable)
enable secret <password>

Use of Type 7 Passwords
DON'T USE IT

TACACS+ Command Authorization (Example)
aaa authorization exec default group tacacs+ none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
or
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

Redundant AAA Servers

Availability of AAA servers during potential network failures
Geographically dispersed placement of AAA servers
Load on individual AAA servers in steady state and failure conditions
Network latency between Network Access Servers and AAA servers
AAA server database synchronization

Fortify the Simple Network Management Protocol
It is critical that SNMP be properly secured in order to protect the confidentiality, integrity, and availability of both the network data and the network devices through which this data transits. SNMP provides you with a wealth of information on the health of network devices. This information should be protected from malicious users that want to leverage this data in order to perform attacks against the network.

SNMP Community Strings
snmp-server community READONLY RO
snmp-server community READWRITE RW

SNMP Community Strings with ACLs
access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99

SNMP Views
SNMP Views are a security feature that can permit or deny access to certain SNMP MIBs (Management Information Bases).
snmp-server view VIEW-SYSTEM-ONLY system include
snmp-server community LIMITED view VIEW-SYSTEM-ONLY RO

SNMP Version 3

noauth: This mode does not require any authentication nor any encryption of SNMP packets
auth: This mode requires authentication of the SNMP packet without encryption
priv: This mode requires both authentication and encryption (privacy) of each SNMP packet

An authoritative engine ID must exist in order to use the SNMPv3 security mechanisms.
# show snmp engineID

Note: If the engine ID is changed, all SNMP user accounts must be reconfigured.

The next step is to configure an SNMPv3 group.
snmp-server group AUTHGROUP v3 auth
This command configures a Cisco IOS device for SNMPv3 with an SNMP server group PRIVGROUP and enables both authentication and encryption for this group with the priv keyword.
snmp-server group PRIVGROUP v3 priv
This command configures an SNMPv3 user snmpv3user with an MD5 authentication password of authpassword and a 3DES encryption password of privpassword.
snmp-server user snmpv3user PRIVGROUP v3 auth md5 authpassword priv 3des privpassword

Management Plane Protection (MPP)
control-plane host
 management-interface FastEthernet0/0 allow <options>

Logging Best Practices

Send Logs to a Central Location
logging host <ip-address>
Or on a non-volatile disk
logging buffered
logging persistent url disk0:/syslog size 134217728 filesize 16384

Logging Level (0-7)
The global configuration command logging trap level is used in order to specify which logging messages are sent to remote syslog servers. The level specified indicates the lowest severity message that is sent. For buffered logging, the logging buffered level command is used.
logging trap 6
logging buffered 6

Do Not Log to Console or Monitor Sessions
no logging console
no logging monitor

Use Buffered Logging
logging buffered 16384 6
Configure Logging Source Interface
logging source-interface Loopback0
Configure Logging Timestamps
service timestamps log datetime msec show-timezone
clock timezone PST -8
service timestamps log datetime msec localtime show-timezone

Configuration Replace and Configuration Rollback
archive
 path disk0:archived-config

 maximum 14
 time-period 1440
 write-memory

Exclusive Configuration Change Access
configuration mode exclusive auto

Cisco IOS Software Resilient Configuration
secure boot-image
secure boot-config

Configuration Change Notification and Logging
archive
 log config
  logging enable
  logging size 200
  hidekeys
  notify syslog

Control Plane
Control plane functions consist of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as the Border Gateway Protocol, as well as protocols like ICMP and the Resource Reservation Protocol (RSVP). You can disable the reception and transmission of certain types of messages on an interface in order to minimize the amount of CPU load that is required to process unneeded packets.

IP ICMP Redirects
no ip redirects

ICMP Unreachables
no ip unreachables
ip icmp rate-limit unreachable

Proxy ARP
no ip proxy-arp

Limit CPU Impact of Control Plane Traffic

In order to properly protect the control plane of the Cisco IOS device, it is essential to understand the types of traffic that are process switched by the CPU. Process switched traffic normally consists of two different types of traffic. The first type of traffic is directed to the Cisco IOS device and must be handled directly by the Cisco IOS device CPU. This traffic consists of this category:
Receive adjacency traffic (show ip cef)
Access Control List logging
Unicast Reverse Path Forwarding (Unicast RPF)
IP Options
Fragmentation
Time-to-live (TTL) Expiry
ICMP Unreachables
Traffic Requiring an ARP Request
Non-IP Traffic

Control Plane Policing
Dropping traffic from unknown or untrusted IP addresses can prevent hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device.

Control Plane Protection

Port-filtering feature: This feature provides for policing and dropping of packets that are sent to closed or non-listening TCP or UDP ports.
Queue-thresholding feature: This feature limits the number of packets for a specified protocol that are allowed in the control-plane IP input queue.

Secure BGP

The Border Gateway Protocol (BGP) is the routing foundation of the Internet. As such, any organization with more than modest connectivity requirements often uses BGP. BGP is often targeted by attackers because of its ubiquity and the "set and forget" nature of BGP configurations in smaller organizations. However, there are many BGP-specific security features that can be leveraged to increase the security of a BGP configuration.

TTL-based Security Protections
This feature often requires coordination from peering routers; however, once enabled, it can completely defeat many TCP-based attacks against BGP.
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> ttl-security hops <hop-count>

BGP Peer Authentication with MD5
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> password <secret>

Configure Maximum Prefixes
router bgp <asn>
 neighbor <ip-address> remote-as <remote-asn>
 neighbor <ip-address> maximum-prefix <shutdown-threshold> <log-percent>

Filter BGP Prefixes with Prefix Lists
Prefix lists allow a network administrator to permit or deny specific prefixes that are sent or received via BGP. Prefix lists should be used where possible in order to ensure network traffic is sent over the intended paths. Prefix lists should be applied to each eBGP peer in both the inbound and outbound directions.
ip prefix-list BGP-PL-INBOUND seq 5 permit 0.0.0.0/0
ip prefix-list BGP-PL-OUTBOUND seq 5 permit 192.168.2.0/24
router bgp <asn>
 neighbor <ip-address> prefix-list BGP-PL-INBOUND in
 neighbor <ip-address> prefix-list BGP-PL-OUTBOUND out

Filter BGP Prefixes with Autonomous System Path Access Lists
ip as-path access-list 1 permit ^65501$
ip as-path access-list 2 permit ^$
router bgp <asn>
 neighbor <ip-address> remote-as 65501
 neighbor <ip-address> filter-list 1 in
 neighbor <ip-address> filter-list 2 out
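What the prefix-list, filter-list and maximum-prefix policy from the three BGP sections above accepts and advertises, as an added example (not code from the original post): it applies the page's BGP-PL-INBOUND, BGP-PL-OUTBOUND and the two as-path access-lists to constructed UPDATE contents, using the IOS prefix-list length rules (exact length unless `ge`/`le` is given) and Python's `re` in place of the IOS AS-path regex engine, which is an assumption for the simple anchors used here. The maximum-prefix thresholds are a simplified model.

```python
import ipaddress
import re

# Policy objects from the sections above (sequence numbers dropped; entries are
# evaluated top-down with an implicit deny at the end, as in IOS)
BGP_PL_INBOUND = [("permit", "0.0.0.0/0", None, None)]       # default route only
BGP_PL_OUTBOUND = [("permit", "192.168.2.0/24", None, None)]  # our own aggregate only
AS_PATH_ACL_1 = [("permit", r"^65501$")]   # AS_PATH that is exactly the peer AS
AS_PATH_ACL_2 = [("permit", r"^$")]        # empty AS_PATH: locally originated routes


def prefix_list_permits(entries, prefix):
    """entries: (action, prefix, ge, le). Without ge/le an entry matches the exact
    prefix length; 'ge N' alone implies 'le 32'; 'le N' alone implies ge = entry length."""
    net = ipaddress.ip_network(prefix)
    for action, match, ge, le in entries:
        mnet = ipaddress.ip_network(match)
        low = mnet.prefixlen if ge is None else ge
        high = (mnet.prefixlen if ge is None else 32) if le is None else le
        if net.subnet_of(mnet) and low <= net.prefixlen <= high:
            return action == "permit"
    return False


def as_path_permits(entries, as_path):
    """entries: (action, regex) over the AS_PATH rendered as space-separated ASNs
    (an empty string for routes this router originates itself)."""
    text = " ".join(str(asn) for asn in as_path)
    for action, regex in entries:
        if re.search(regex, text):
            return action == "permit"
    return False


def accept_from_peer(prefix, as_path):
    """Inbound policy toward the eBGP peer in AS 65501: the prefix-list and the
    filter-list both have to permit the route."""
    return (prefix_list_permits(BGP_PL_INBOUND, prefix)
            and as_path_permits(AS_PATH_ACL_1, as_path))


def advertise_to_peer(prefix, as_path):
    """Outbound policy: only our aggregate, and only if we originated it, so the
    router never becomes transit for routes learned elsewhere."""
    return (prefix_list_permits(BGP_PL_OUTBOUND, prefix)
            and as_path_permits(AS_PATH_ACL_2, as_path))


def max_prefix_state(received, maximum, warn_percent):
    """Simplified model of 'neighbor ... maximum-prefix <maximum> <warn_percent>':
    a warning once the received count reaches warn_percent of the maximum and a
    session shutdown once the maximum is exceeded."""
    if received > maximum:
        return "shutdown"
    if received * 100 >= maximum * warn_percent:
        return "warning"
    return "ok"


# Constructed UPDATE contents as (prefix, AS_PATH) pairs
INBOUND_UPDATES = [
    ("0.0.0.0/0", [65501]),           # default route originated by the peer
    ("0.0.0.0/0", [65501, 65502]),    # default route relayed through a third AS
    ("10.0.0.0/8", [65501]),          # an extra prefix the peer should not send us
]
OUTBOUND_CANDIDATES = [
    ("192.168.2.0/24", []),           # our aggregate, locally originated
    ("192.168.2.0/25", []),           # a more-specific of it: length mismatch
    ("0.0.0.0/0", [65501]),           # a learned route: must never be re-advertised
]

if __name__ == "__main__":
    for prefix, path in INBOUND_UPDATES:
        print("in ", prefix, path, accept_from_peer(prefix, path))
    for prefix, path in OUTBOUND_CANDIDATES:
        print("out", prefix, path, advertise_to_peer(prefix, path))
    print(max_prefix_state(95, 100, 90), max_prefix_state(101, 100, 90))
```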

Secure Interior Gateway Protocols

Routing Protocol Authentication and Verification with Message Digest 5

This is an example configuration for EIGRP router authentication using MD5:

key chain <key-name>
 key <key-identifier>
  key-string <password>
interface <interface>
 ip authentication mode eigrp <as-number> md5
 ip authentication key-chain eigrp <as-number> <key-name>

This is an example MD5 router authentication configuration for RIPv2. RIPv1 does not support authentication.

key chain <key-name>
 key <key-identifier>
  key-string <password>
interface <interface>
 ip rip authentication mode md5
 ip rip authentication key-chain <key-name>

This is an example configuration for OSPF router authentication using MD5. OSPF does not utilize key chains.

interface <interface>
 ip ospf message-digest-key <key-id> md5 <password>
router ospf <process-id>
 network 10.0.0.0 0.255.255.255 area 0
 area 0 authentication message-digest

Passive Interface Commands
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>

Route Filtering
For EIGRP and RIP, usage of the distribute-list command with the out keyword limits what information is advertised, while usage of the in keyword limits what updates are processed. The distribute-list command is available for OSPF, but it does not prevent a router from propagating filtered routes. Instead, the area filter-list command can be used.

This EIGRP example filters outbound advertisements with the distribute-list command and a prefix list:

ip prefix-list <list-name> seq 10 permit <prefix>
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>
 distribute-list prefix <list-name> out <interface>

This EIGRP example filters inbound updates with a prefix list:

ip prefix-list <list-name> seq 10 permit <prefix>
router eigrp <as-number>
 passive-interface default
 no passive-interface <interface>
 distribute-list prefix <list-name> in <interface>

This OSPF example uses a prefix list with the OSPF-specific area filter-list command:

ip prefix-list <list-name> seq 10 permit <prefix>
router ospf <process-id>
 area <area-id> filter-list prefix <list-name> in

Routing Process Resource Consumption
Routing protocol prefixes are stored by a router in memory, and resource consumption increases with additional prefixes that a router must hold. In order to prevent resource exhaustion, it is important to configure the routing protocol to limit resource consumption. This is possible with OSPF if you use the Link State Database Overload Protection feature.
router ospf <process-id>
 max-lsa <maximum-number>

Secure First Hop Redundancy Protocols
The Gateway Load Balancing Protocol (GLBP), Hot Standby Router Protocol (HSRP), and Virtual Router Redundancy Protocol (VRRP) are all FHRPs. By default, these protocols communicate with unauthenticated communications. In order to prevent this type of attack (a rogue device joining the group and claiming the virtual gateway), all FHRPs that are supported by Cisco IOS software include an authentication capability with either MD5 or text strings. Because of the threat posed by unauthenticated FHRPs, it is recommended that instances of these protocols use MD5 authentication.
interface FastEthernet1
 description *** GLBP Authentication ***
 glbp 1 authentication md5 key-string <glbp-secret>
 glbp 1 ip 10.1.1.1

interface FastEthernet2
 description *** HSRP Authentication ***
 standby 1 authentication md5 key-string <hsrp-secret>
 standby 1 ip 10.2.2.1

interface FastEthernet3
 description *** VRRP Authentication ***
 vrrp 1 authentication md5 key-string <vrrp-secret>
 vrrp 1 ip 10.3.3.1

Data Plane
Although the data plane is responsible for moving data from source to destination, within the context of security, the data plane is the least important of the three planes. It is for this reason that it is important to protect the management and control planes in preference over the data plane when you secure a network device.

IP Options Selective Drop
There are two security concerns presented by IP options. Traffic that contains IP options must be process switched by Cisco IOS devices, which can lead to elevated CPU load. IP options also include the functionality to alter the path that traffic takes through the network, which potentially allows it to subvert security controls.
ip options {drop | ignore}

Disable IP Source Routing
If IP options have not been completely disabled via the IP Options Selective Drop feature, it is important that IP source routing is disabled.
no ip source-route

Disable ICMP Redirects
interface FastEthernet0
 no ip redirects

Disable or Limit IP Directed Broadcasts
If a network absolutely requires directed broadcast functionality, its use should be controlled. This is possible with the use of an access control list as an option to the ip directed-broadcast command.

access-list 100 permit udp 192.168.1.0 0.0.0.255 any
interface FastEthernet0
 ip directed-broadcast 100

Filter Transit Traffic with Transit ACLs
It is possible to control what traffic transits the network with the use of transit ACLs (tACLs). This is in contrast to infrastructure ACLs that seek to filter traffic that is destined to the network itself. The filtering provided by tACLs is beneficial when it is desirable to filter traffic to a particular group of devices or traffic that transits the network.

ICMP Packet Filtering
ip access-list extended ACL-TRANSIT-IN
 ! Permit ICMP packets from trusted networks only
 permit icmp host <trusted-networks> any
 ! Deny all other ICMP packets
 deny icmp any any

Filter IP Fragments
ip access-list extended ACL-TRANSIT-IN
 ! Deny IP fragments using protocol-specific ACEs to aid in
 ! classification of attack traffic
 deny tcp any any fragments
 deny udp any any fragments
 deny icmp any any fragments
 deny ip any any fragments

ACL Support for Filtering IP Options
ip access-list extended ACL-TRANSIT-IN
 ! Deny IP packets containing IP options
 deny ip any any option any-options

Anti-Spoofing Protections
Many attacks use source IP address spoofing to be effective or to conceal the true source of an attack and hinder accurate traceback. Cisco IOS software provides Unicast RPF and IP Source Guard (IPSG) in order to deter attacks that rely on source IP address spoofing. In addition, ACLs and null routing are often deployed as a manual means of spoofing prevention.

Unicast RPF
Unicast RPF enables a device to verify that the source address of a forwarded packet can be reached through the interface that received the packet. You must not rely on Unicast RPF as the only protection against spoofing. Spoofed packets could enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists.

Unicast RPF relies on you to enable Cisco Express Forwarding on each device and is configured on a per-interface basis.
ip cef
interface <interface>
 ip verify unicast source reachable-via <mode>
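The two values of `<mode>` above, `rx` (strict) and `any` (loose), and the caveat that a return route lets spoofed packets through, as an added example that is not code from the original post: a longest-prefix lookup over a constructed FIB and the uRPF decision for each mode. The `allow_default` flag mirrors the IOS `allow-default` keyword, under which the default route is otherwise not considered; interface names and addresses are constructed.

```python
import ipaddress

# Constructed FIB: (prefix, egress interface). Longest prefix match decides the
# best route; 0.0.0.0/0 is the default route toward the upstream provider.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),
    ("10.10.0.0/16", "Gi0/1"),      # internal user segment
    ("10.20.0.0/16", "Gi0/2"),      # internal server segment
    ("192.0.2.0/24", "Gi0/0"),      # a customer reached through the upstream
]


def best_route(fib, address):
    """Longest-prefix match; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_passes(fib, src, ingress, mode="rx", allow_default=False):
    """Unicast RPF decision for a packet with source src arriving on ingress.
    mode "rx" is strict (reachable-via rx): the best route back to the source must
    leave through the ingress interface. mode "any" is loose (reachable-via any):
    any route to the source is enough. The default route only counts when
    allow_default is set, mirroring the allow-default keyword."""
    route = best_route(fib, src)
    if route is None:
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False
    return egress == ingress if mode == "rx" else True


# Constructed packets: (source address, ingress interface, description)
PACKETS = [
    ("10.10.5.5", "Gi0/1", "legitimate user packet"),
    ("10.10.5.5", "Gi0/0", "internal address arriving from the upstream: spoofed"),
    ("203.0.113.9", "Gi0/1", "internal host spoofing an external address"),
    ("192.0.2.7", "Gi0/0", "customer traffic via the upstream"),
]

if __name__ == "__main__":
    for src, ingress, desc in PACKETS:
        strict = urpf_passes(FIB, src, ingress, "rx")
        loose = urpf_passes(FIB, src, ingress, "any")
        print(f"{desc:55} strict={strict!s:5} loose={loose}")
```

The second packet is the page's caveat in miniature: loose mode passes it because a route to 10.10.5.5 exists, while strict mode drops it because that route points out a different interface.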

IP Source Guard
IP Source Guard is an effective means of spoofing prevention that can be used if you have control over Layer 2 interfaces. IP Source Guard uses information from DHCP snooping to dynamically configure a port access control list (PACL) on the Layer 2 interface, denying any traffic from IP addresses that are not associated in the IP source binding table.
ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
After DHCP snooping is enabled, these commands enable IPSG:
interface <interface-id>
 ip verify source

Port Security
Port security can be enabled with the ip verify source port-security interface configuration command. This additionally requires the global configuration command ip dhcp snooping information option; the DHCP server must support DHCP option 82.
interface <interface>
 switchport
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum <number>
 switchport port-security violation <violation-mode>

Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) can be used in order to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed in order to corrupt the ARP cache of other devices. Often an attacker uses ARP poisoning in order to perform a man-in-the-middle attack.

ip dhcp snooping
ip dhcp snooping vlan <vlan-range>
Once DHCP snooping has been enabled, these commands enable DAI:
ip arp inspection vlan <vlan-range>
In non-DHCP environments, ARP ACLs are required to enable DAI. This example demonstrates the basic configuration of DAI with ARP ACLs:
arp access-list <acl-name>
 permit ip host <sender-ip> mac host <sender-mac>
ip arp inspection filter <arp-acl-name> vlan <vlan-range>

Anti-Spoofing ACLs
Manually configured ACLs can provide static anti-spoofing protection against attacks that use known unused and untrusted

address space. Commonly, these anti-spoofing ACLs are applied to ingress traffic at network boundaries as a component of a larger ACL. Anti-spoofing ACLs require regular monitoring because they can frequently change. Spoofing can be minimized in traffic that originates from the local network if you apply outbound ACLs that limit the traffic to valid local addresses.

Limit CPU Impact of Data Plane Traffic
The primary purpose of routers and switches is to forward packets and frames through the device onward to final destinations. These packets, which transit the devices deployed throughout the network, can impact CPU operations of a device. The data plane, which consists of traffic that transits the network device, should be secured to ensure the operation of the management and control planes. If transit traffic can cause a device to process switch traffic, the control plane of a device can be affected, which may lead to an operational disruption.

Traffic Identification and Traceback
At times, you may need to quickly identify and trace back network traffic, especially during incident response or poor network performance. NetFlow and classification ACLs are the two primary methods to accomplish this with Cisco IOS software. NetFlow can provide visibility into all traffic on the network. Additionally, NetFlow can be implemented with collectors that can provide long-term trending and automated analysis. Classification ACLs are a component of ACLs and require pre-planning to identify specific traffic and manual intervention during analysis. These sections provide a brief overview of each feature.

NetFlow
CEF, or distributed CEF, is a prerequisite to enabling NetFlow. NetFlow can be configured on routers and switches.
ip flow-export destination <ip-address> <udp-port>
ip flow-export version <version>
interface <interface>
 ip flow {ingress | egress}

Classification ACLs
An administrator can expedite an incident response by using classification ACLs with the show access-list and clear ip access-list counters EXEC commands.

ip access-list extended ACL-SMB-CLASSIFY
 remark Existing contents of ACL
 remark Classification of SMB specific TCP traffic
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny ip any any

show access-list ACL-SMB-CLASSIFY
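How the per-ACE hit counters of a classification ACL are turned into rates during an incident, as an added example that is not code from the original post: it parses two `show access-list ACL-SMB-CLASSIFY` snapshots taken 60 seconds apart and ranks the ACEs by packets per second, treating a counter that decreased as evidence that `clear ip access-list counters` ran in between. Both snapshots are constructed text in the IOS output layout.

```python
import re

# One ACE line of 'show access-list' output: sequence, action, the rule, optional hit count
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

# Constructed 'show access-list ACL-SMB-CLASSIFY' output, sampled twice 60 s apart
SNAPSHOT_T0 = """\
Extended IP access list ACL-SMB-CLASSIFY
    10 deny tcp any any eq 139 (12 matches)
    20 deny tcp any any eq 445 (40 matches)
    30 deny ip any any (51000 matches)
"""
SNAPSHOT_T60 = """\
Extended IP access list ACL-SMB-CLASSIFY
    10 deny tcp any any eq 139 (18 matches)
    20 deny tcp any any eq 445 (36040 matches)
    30 deny ip any any (57000 matches)
"""


def parse_show_access_list(output):
    """Return {sequence: (ace_text, matches)} from 'show access-list <name>' output."""
    counters = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, rule, matches = m.groups()
            counters[int(seq)] = (f"{action} {rule}", int(matches or 0))
    return counters


def per_ace_rate(before, after, seconds):
    """Packets per second per ACE between two snapshots. A counter that went down
    means 'clear ip access-list counters' ran in between, so the later absolute
    value is taken as the delta."""
    rates = {}
    for seq, (text, n_after) in after.items():
        n_before = before.get(seq, (text, 0))[1]
        delta = n_after - n_before if n_after >= n_before else n_after
        rates[seq] = (text, delta / seconds)
    return rates


def classify(before_output, after_output, seconds, threshold_pps):
    """ACEs whose hit rate reached threshold_pps, highest rate first."""
    rates = per_ace_rate(parse_show_access_list(before_output),
                         parse_show_access_list(after_output), seconds)
    hot = [(seq, text, pps) for seq, (text, pps) in rates.items() if pps >= threshold_pps]
    return sorted(hot, key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    for seq, text, pps in classify(SNAPSHOT_T0, SNAPSHOT_T60, 60, 100):
        print(f"seq {seq:>3}  {text:28} {pps:8.1f} pps")
```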

Access Control with VLAN Maps and Port Access Control Lists
VACLs, or VLAN maps that apply to all packets that enter the VLAN, provide the capability to enforce access control on intra-VLAN traffic. This is not possible with ACLs on routed interfaces. For example, a VLAN map might be used in order to prevent hosts that are contained within the same VLAN from communicating with each other, which reduces opportunities for local attackers or worms to exploit a host on the same network segment. In order to deny packets from using a VLAN map, you can create an access control list (ACL) that matches the traffic and, in the VLAN map, set the action to drop.

Once a VLAN map is configured, all packets that enter the VLAN are sequentially evaluated against the configured VLAN map. VLAN access maps support IPv4 and MAC access lists; however, they do not support logging or IPv6 ACLs.

ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
vlan access-map <name> <number>
 match ip address <acl-name>
 action <drop | forward>
This example demonstrates the use of a VLAN map in order to deny TCP ports 139 and 445 as well as the vines-ip protocol:

ip access-list extended VACL-MATCH-ANY
 permit ip any any
ip access-list extended VACL-MATCH-PORTS
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 445
 permit tcp 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 eq 139
mac access-list extended VACL-MATCH-VINES
 permit any any vines-ip
vlan access-map VACL 10
 match mac address VACL-MATCH-VINES
 action drop
vlan access-map VACL 20
 match ip address VACL-MATCH-PORTS
 action drop
vlan access-map VACL 30
 match ip address VACL-MATCH-ANY
 action forward
vlan filter VACL vlan-list 100

Access Control with PACLs (Port ACLs)
ip access-list extended <acl-name>
 permit <protocol> <source-address> <source-port> <destination-address> <destination-port>
interface <type> <slot/port>
 switchport mode access
 switchport access vlan <vlan_number>
 ip access-group <acl-name> in

Access Control with MAC
Cat6K-IOS(config-if)# mac packet-classify

Private VLAN Use
Private VLANs (PVLANs) are a Layer 2 security feature that limits connectivity between workstations or servers within a VLAN. Without PVLANs, all devices on a Layer 2 VLAN can communicate freely. Networking situations exist where security can be aided by limiting communication between devices on a single VLAN. For example, PVLANs are often used in order to prohibit communication between servers in a publicly accessible subnet. Should a single server become compromised, the lack of connectivity to other servers due to the application of PVLANs might help limit the compromise to the one server.

There are three types of Private VLANs: isolated VLANs, community VLANs, and primary VLANs. The configuration of PVLANs makes use of primary and secondary VLANs. The primary VLAN contains all promiscuous ports, which are described later, and includes one or more secondary VLANs, which can be either isolated or community VLANs.

vlan 11
 private-vlan isolated
vlan 20
 private-vlan primary
 private-vlan association 11
interface FastEthernet1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11

Community VLANs
vlan 12
 private-vlan community
vlan 20
 private-vlan primary
 private-vlan association 12
interface FastEthernet1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12

Promiscuous Ports
Switch ports that are placed into the primary VLAN are known as promiscuous ports. Promiscuous ports can communicate with all other ports in the primary and secondary VLANs. Router or firewall interfaces are the most common devices found on these VLANs.

vlan 11
 private-vlan isolated
vlan 12
 private-vlan community

vlan 20
 private-vlan primary
 private-vlan association 11,12
interface FastEthernet1/1
 description *** Port in Isolated VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 11
interface FastEthernet1/2
 description *** Port in Community VLAN ***
 switchport mode private-vlan host
 switchport private-vlan host-association 20 12
interface FastEthernet1/12
 description *** Promiscuous Port ***
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 20 add 11,12

When you implement PVLANs, it is important to ensure that the Layer 3 configuration in place supports the restrictions that are imposed by PVLANs and does not allow for the PVLAN configuration to be subverted. Layer 3 filtering with a router ACL or firewall can prevent the subversion of the PVLAN configuration.
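The Layer 2 reachability that the isolated, community and promiscuous port configuration above produces, as an added example that is not code from the original post: the three ports from the page plus two constructed extra hosts, and the rule set that decides which pairs can exchange frames (isolated hosts reach only promiscuous ports, community hosts also reach each other, promiscuous ports reach only the secondary VLANs they map). Port names beyond FastEthernet1/1, 1/2 and 1/12 are constructed; the matrix covers Layer 2 only, which is why the page insists on Layer 3 filtering as well.

```python
from dataclasses import dataclass

# Secondary VLAN types from the 'private-vlan isolated|community' lines above
SECONDARY_TYPE = {11: "isolated", 12: "community"}


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                           # "host" or "promiscuous"
    primary: int                        # primary VLAN of the PVLAN domain (20 above)
    secondary: int = 0                  # host-association secondary VLAN (host ports)
    mapping: frozenset = frozenset()    # secondary VLANs mapped (promiscuous ports)


def can_talk(a, b, secondary_type=SECONDARY_TYPE):
    """True when a Layer 2 frame from port a can reach port b under PVLAN rules."""
    if a.primary != b.primary:
        return False                                   # different PVLAN domains
    if a.mode == "promiscuous" and b.mode == "promiscuous":
        return True
    if a.mode == "promiscuous":
        return b.secondary in a.mapping               # only mapped secondaries are reachable
    if b.mode == "promiscuous":
        return a.secondary in b.mapping
    if a.secondary != b.secondary:
        return False                                   # isolated/community VLANs never cross
    return secondary_type[a.secondary] == "community"  # isolated hosts see only promiscuous ports


# Ports from the configuration above plus two constructed extra hosts
PORTS = [
    Port("FastEthernet1/1", "host", 20, secondary=11),                 # isolated (page)
    Port("FastEthernet1/2", "host", 20, secondary=12),                 # community (page)
    Port("FastEthernet1/3", "host", 20, secondary=11),                 # constructed, isolated
    Port("FastEthernet1/4", "host", 20, secondary=12),                 # constructed, community
    Port("FastEthernet1/12", "promiscuous", 20, mapping=frozenset({11, 12})),  # page
]


def connectivity(ports, secondary_type=SECONDARY_TYPE):
    """Full matrix {(a, b): bool} over every ordered pair of distinct ports."""
    return {(a.name, b.name): can_talk(a, b, secondary_type)
            for a in ports for b in ports if a is not b}


if __name__ == "__main__":
    for (a, b), ok in sorted(connectivity(PORTS).items()):
        print(f"{a:16} -> {b:16} {'yes' if ok else 'no'}")
```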

