Routers
The following steps outline the generic process for strengthening security on Cisco routers:
Step 1. Shut down all unneeded servers and services.

For small services (for example, Echo, Discard, Chargen), issue the following commands:

  no service tcp-small-servers
  no service udp-small-servers

For BOOTP, Finger, HTTP, DNS, Source Routing, and CDP, issue the following commands:

  no ip bootp server
  no service finger
  no ip http server
  no ip domain-lookup
  no ip source-route
  no cdp run
Step 2. Secure passwords and access lines. Enable AAA and restrict access to the router.

Turn password encryption on and set passwords with the following commands:

  service password-encryption
  enable secret secret-password
  no enable password

Generate RSA keys to enable SSH access as follows. This requires an IOS image that supports encryption, and the router must already have a hostname and ip domain-name configured, because the key pair is named after them:

  crypto key generate rsa

Enable security on the console line by issuing the following commands:

  line con 0
   exec-timeout 5 0
   login authentication default

Enable security on the auxiliary line by issuing the following commands:

  line aux 0
   no exec
   transport input none

Enable security on the VTY lines by issuing the following commands:

  line vty 0 4
   access-class 10 in
   login authentication default
   exec-timeout 5 0
   transport input ssh

Enable AAA by issuing the following commands:

  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ local
  aaa accounting exec default start-stop group tacacs+
  tacacs-server host tacacs-server-address
  tacacs-server key key

Use the following commands to apply an access list to the VTY lines so that only the management host is permitted:

  access-list 10 permit host management-host-address
  access-list 10 deny any log
Step 3. Turn on the router's logging and SNMP capability with the following:

  service timestamps log datetime localtime msec
  logging syslog-server-address
  logging buffered

SNMP is enabled by issuing the following command:

  snmp-server community community-string RO 20

Apply an ACL to SNMP so that only the management host is permitted by using the following commands:

  access-list 20 permit management-host-address
  access-list 20 deny any log
Step 4. Enable and secure NTP with the following:

  ntp authenticate
  ntp authentication-key 1 md5 ntp-key
  ntp trusted-key 1
  ntp access-group peer 30
  ntp server ntp-server-address key 1

NTP access control is applied by the use of the following commands:

  access-list 30 permit host ntp-server-address
  access-list 30 deny any log
Step 5. Enable the use of a banner message:

  banner motd #Banner-Message-Text #
Example B-1 shows a typical banner message.

Example B-1. Sample Banner Message

  banner motd #
  ***********************************************************************
  NOTICE TO USERS
  This system is for the use of authorized users only.
  All individuals using this system may have their use of the system
  monitored and recorded (including all information which they reveal
  during such use) to allow the detection of unauthorized use of the
  system.
  If monitoring reveals evidence of unauthorized use of the system, all
  records obtained from monitoring may be passed to the relevant law
  enforcement authorities and used in internal investigations.
  Anyone accessing this system expressly consents to such monitoring,
  recording, and disclosure taking place.
  #
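As an added example that is not part of the book, the following Python script audits a saved IOS configuration against the checks in Steps 1 through 4 above: it parses the global commands and the line con/aux/vty blocks, then reports which expected commands are missing. The required-command lists, the parser and the sample configuration are all constructed here; the sample is not a real router's config.

```python
import re

REQUIRED_GLOBAL = [  # Added example, not the book's code. Steps 1-4: global commands
    "no service tcp-small-servers", "no service udp-small-servers",
    "no ip bootp server", "no service finger", "no ip http server",
    "no ip domain-lookup", "no ip source-route", "no cdp run",
    "service password-encryption", "aaa new-model", "ntp authenticate",
]
REQUIRED_LINE = {  # Step 2: per-line commands as regexes, since parameters vary
    "con": [r"^exec-timeout \d+ \d+$"],
    "aux": [r"^no exec$", r"^transport input none$"],
    "vty": [r"^access-class \d+ in$", r"^exec-timeout \d+ \d+$", r"^transport input ssh$"],
}

def parse_config(config):
    """Split config text into global commands and {'line ...': [sub-commands]}."""
    glob, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                        # blank lines and '!' separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()           # start of a line-configuration block
            blocks[current] = []
        else:
            current = None                  # any other top-level command is global
            glob.append(raw.strip())
    return glob, blocks

def audit(config):
    """Return a sorted list of findings; an empty list means every check passed."""
    glob, blocks = parse_config(config)
    findings = [f"missing global: {c}" for c in REQUIRED_GLOBAL if c not in glob]
    if any(c.startswith("enable password ") for c in glob):
        findings.append("cleartext 'enable password' present")  # Step 2 removes it
    if not any(c.startswith("enable secret ") for c in glob):
        findings.append("missing global: enable secret")
    for header, cmds in blocks.items():
        for pattern in REQUIRED_LINE.get(header.split()[1], []):  # con / aux / vty
            if not any(re.match(pattern, c) for c in cmds):
                findings.append(f"{header}: no command matching {pattern}")
    return sorted(findings)

# Constructed sample: Steps 1-2 partly done (no enable secret, telnet still allowed).
SAMPLE_CONFIG = "\n".join(REQUIRED_GLOBAL[:10]) + """
enable password sample-cleartext
line vty 0 4
 access-class 10 in
 transport input telnet ssh
"""
```

Running audit(SAMPLE_CONFIG) reports the missing ntp authenticate and enable secret, the leftover enable password, and the vty line's missing exec-timeout and ssh-only transport.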