How to effectively reinforce Cisco routers and switches

Source: Internet
Author: User
Tags: least privilege

Cisco is a leader in the routing industry and its products are in high demand, so this article explains how to effectively reinforce the security of Cisco routers and switches. According to the barrel theory, the amount of water a bucket can hold is decided by its shortest stave. The same is true for information system security: the security level of the entire information system is decided by its weakest link. Since the network is the body of the information system, its importance is obvious.

Security at the network layer has two main aspects: data-plane security, which uses technical means such as ACLs to help the application system improve the overall security of the system; and control-plane security, which strengthens the network devices themselves by limiting who can access them.

I. Main security threats at the control level and the principles for responding to them

The control layer of a network device is in effect an operating system, and like any other operating system it is exposed to security threats. In summary, these are the following:

1. Defects of the system: a complex system, no matter how carefully it is tested before release, will always have defects. The only remedy once a defect is found is to patch the system as soon as possible. The difference between Cisco IOS/CatOS and other general-purpose operating systems is that IOS/CatOS is patched by replacing the entire system image with a fixed version.

2. System default services: like most operating systems, IOS and CatOS enable a large number of services by default, which may create security risks. The solution is to disable unnecessary services according to the principle of least privilege.

3. Weak passwords and plaintext passwords: in IOS, the privileged password can be stored with either strong or weak encryption, and ordinary access passwords are stored in plaintext by default.
 
4. Unauthorized users managing devices: a device can be managed in-band over the network via telnet or SNMP, or out-of-band via the console or aux port. By default, out-of-band management has no password protection at all, which is a large hidden security risk.

5. The CDP protocol leaks device information.

6. DDoS attacks can stop the device from operating normally. Solution: use a control-plane policy to limit the traffic that reaches the control plane.

7. The default audit function is inadequate when a security incident occurs, so logging and time synchronization must be configured.

II. Cisco router IOS reinforcement

For IOS versions later than 12.3(4)T, the autosecure command completes most of the following steps automatically. Since most users are not in a position to upgrade to that IOS version, the command lines are still listed here:

1. Disable unneeded services on a Cisco router:
no ip http server // disable the HTTP management server
no ip source-route // disable IP source routing to prevent route spoofing
no service finger // disable the finger service
no ip bootp server // disable the bootp service
no service udp-small-servers // disable the small UDP services (echo, discard, chargen)
no service tcp-small-servers // disable the small TCP services

2. Disable CDP on a Cisco router:
no cdp run // disable CDP globally

3. Configure a strongly encrypted privileged password and enable password encryption on the Cisco router:
service password-encryption // encrypt the plaintext passwords stored in the configuration
enable secret asdfajkls // configure the strongly encrypted (hashed) privileged password
no enable password // remove the weakly encrypted privileged password

4. Configure a log server, time service and ACLs for in-band management on the Cisco router to support security auditing:
service timestamps log datetime localtime // timestamp log messages with the local time
logging 192.168.0.1 // send logs to 192.168.0.1
logging 192.168.0.2 // send logs to 192.168.0.2
// access-list 99 defines the management hosts; access-list 98 defines the hosts allowed to communicate with NTP and SNMP
no access-list 99 // clear the ACL before configuring a new one
access-list 99 permit 192.168.0.0 0.0.255.255
access-list 99 deny any log
no access-list 98
access-list 98 permit host 192.168.0.1
access-list 98 deny any log
clock timezone PST -8 // set the time zone
ntp authenticate // enable NTP authentication
ntp authentication-key 1 md5 uadsf // define NTP key 1
ntp trusted-key 1 // key 1 is trusted for authentication
ntp access-group peer 98 // only hosts permitted by access-list 98 may act as NTP peers
ntp server 192.168.0.1 key 1 // synchronize to 192.168.0.1 using key 1

5. Restrict in-band management behaviour:
snmp-server community HSDxdf ro 98 // read-only SNMP community, limited to hosts in access-list 98
line vty 0 4
 access-class 99 in // only hosts permitted by access-list 99 may open a virtual terminal
 login
 password 0 asdfaksdlf // configure the telnet password
 exec-timeout 2 0 // virtual terminal idle timeout of 2 minutes
 
6. Restrict out-of-band management behaviour:
line con 0
 login
 password 0 adsfoii // configure the password of the console port
 exec-timeout 2 0 // console port idle timeout of 2 minutes
line aux 0
 transport input none // no protocol may connect in through the aux port
 password 0 asfdkalsfj
 no exec // no exec session is offered on the aux port
exit
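As an added example (not part of the original article), a small Python audit script that checks an exported IOS configuration text against the checklist in steps 1 to 6 above and reports every control that is missing or still enabled. The rule table, the constructed sample config and the finding texts are my own; it assumes the "no ..." lines are present in the text exactly as listed above (IOS omits some default settings from the running config, so audit a saved copy or add the lines explicitly).

```python
import re
# Constructed sample IOS config text (not from a real device); several controls are unset.
SAMPLE_CONFIG = """\
no ip source-route
ip http server
enable secret 5 $1$placeholder-hash
enable password 7 0822455D0A16
logging 192.168.0.1
line vty 0 4
 access-class 99 in
 exec-timeout 2 0
line aux 0
"""
# (scope regex over section headers, line regex, must_be_present, finding text)
IOS_RULES = [
    ("^global$", r"^no ip source-route$", True, "IP source routing not disabled"),
    ("^global$", r"^ip http server$", False, "HTTP server still enabled"),
    ("^global$", r"^no cdp run$", True, "CDP still running"),
    ("^global$", r"^enable secret ", True, "no enable secret configured"),
    ("^global$", r"^enable password ", False, "weakly encrypted enable password present"),
    ("^global$", r"^logging \d+\.\d+\.\d+\.\d+$", True, "no syslog server configured"),
    ("^line vty", r"^access-class \d+ in$", True, "vty lines lack an inbound access-class"),
    ("^line (vty|con)", r"^exec-timeout ", True, "no exec-timeout configured"),
    ("^line aux", r"^no exec$", True, "aux port still offers an exec session"),
]
def parse(config):
    """Map each section header ("global" for top-level lines) to its config lines."""
    sections, header = {"global": []}, "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                   # skip blanks and '!' comments
        if not raw.startswith(" "):                    # top-level line starts a new section
            header = raw.strip()
            sections["global"].append(header)
            sections[header] = []
        else:
            sections[header].append(raw.strip())       # indented line belongs to current section
    return sections

def audit(config, rules=IOS_RULES):
    """Return one finding per rule (and per matching section) that the config text fails."""
    sections, findings = parse(config), []
    for scope, pattern, must_exist, message in rules:
        targets = {h: b for h, b in sections.items() if re.match(scope, h)}
        if not targets:                                # e.g. no 'line aux 0' stanza at all
            findings.append(f"{message} (no section matching {scope!r})")
        for name, lines in targets.items():
            if any(re.match(pattern, l) for l in lines) != must_exist:
                findings.append(f"{name}: {message}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the HTTP server, CDP, the weak enable password and the aux port; a missing `line` stanza is reported as its own finding rather than silently passing.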

III. Cisco switch CatOS reinforcement

1. Disable unnecessary services:
set cdp disable // disable CDP
set ip http server disable // disable the HTTP management server

2. Configure the time and log parameters to support security auditing:
set logging timestamp enable // enable log timestamps
set logging server 192.168.0.1 // send logs to 192.168.0.1
set logging server 192.168.0.2 // send logs to 192.168.0.2
set timezone PST -8 // set the time zone
set ntp authentication enable // enable NTP authentication
set ntp key 1 trusted md5 uadsf // define NTP key 1 and mark it trusted
set ntp server 192.168.0.1 key 1 // synchronize to 192.168.0.1 using key 1
set ntp client enable // enable the NTP client

3. Restrict in-band management:
set snmp community read-only HSDxdf // configure the SNMP read-only community string
set ip permit enable snmp // enable SNMP access control
set ip permit 192.168.0.1 snmp // only 192.168.0.1 may access SNMP
set ip permit enable telnet // enable telnet access control
set ip permit 192.168.0.1 telnet // only 192.168.0.1 may connect via telnet
set password // configure the telnet password (prompted interactively)
set enablepass // configure the privileged password (prompted interactively)
set logout 2 // idle session timeout of 2 minutes
