Border Router Security Tool Help File
This help file explains more thoroughly the services, protocols, recommended settings, and items you may need help with.
For more information, consult the NSA's Router Security Configuration Guide or Cisco's Guide to Harden Cisco IOS Devices.
Index of Cisco commands and help items covered in this help file.
Global router commands (disable)
network boot
cdp
config
dhcp
pad
finger
gratuitous_arps
http server
http secure-server
name-server
ip source-route
lldp
tcp-small-servers
udp-small-servers
Interface specific commands (disable)
cdp
ip directed-broadcast
ip redirect
ip proxy-arp
ip mask-reply
ip unreachables
mop
ntp
loopback interface
null interface
Global router commands (enable)
ip cef
ntp receive
password-encryption
tcp-keepalives-in
tcp-keepalives-out
ssh timeout
ssh authentication retries
Access control
aux port
console port
vty ports
How to generate a crypto key
Here are the steps to generate a crypto key on your router:
! RSA Cryptography Key Generation Instructions for the crst
! The following commands must be entered at the enable prompt to
! configure a domain name and to generate a crypto-key:
!
configure terminal
!
! Replace RouterOne with your router's hostname.
!
hostname RouterOne
!
! Replace mydomain.com with your domain name.
!
ip domain-name mydomain.com
crypto key generate rsa
!
! (You will see output like the following on the router.)
! The name for the keys will be: RouterOne
! Choose the size of the key modulus in the range of 360 to 2048 for your
! General Purpose Keys. Choosing a key modulus greater than 512 may take
! a few minutes.
! (1024 or higher is recommended if it is legal for use in your jurisdiction.)
!
! (Note: you will have to input a number here.)
! How many bits in the modulus [512]: 1024
!
! Generating RSA keys ...
! [OK]
Troubleshooting some common problems
Garbage When Copying Configuration To Router
Most likely cause: characters entering the console port too quickly.
Solution: enter a transmit delay of 5 msec per character and 5 msec per line.
In TeraTerm, go to Setup, then Serial Port in the menu. In Transmit Delay at the bottom of the Serial Port Setup window, enter the delay.
Commands Not Taken By Router
Most likely cause: the hardware or software version you are running may not support the commands the BRST generated.
Solution: some commands, such as those related to MOP, archiving, or lldp, can be safely ignored. Others may have to be looked into more deeply. You can use the Cisco Command Lookup Tool when in doubt. You will have to create a Cisco login to use it.
Traffic Will Not Pass After BRST Config Copied
Standard router troubleshooting applies. Ping steadily outward until you find something you cannot reach. Check default route. Check Router Logs for denials. Check that interfaces are connected and up.
Look over the log you captured when you pasted the BRST configuration into the router for errors. Try to fix those.
If you cannot find the problem and have to bring the router back online, do a write-erase, reload, and copy the original configuration back into the router until you find the problem or have more time to work on it.
Description of Services and Protocols and Recommended Settings
Global Router Commands (to be disabled)
Network Boot (service boot network)
Routers with network boot enabled will search for boot files on the network during boot.
This is rarely used, but could permit methods of attack.
Disabling is recommended.
Cisco Discovery Protocol sends information about the reporting device
and receives information about other Cisco devices.
Cdp should not be used on border routers and should not be needed internally.
Disabling is recommended.
A router with Configuration Auto-loading enabled will attempt to load its configuration
file from a TFTP server. An attacker may be able to have a malicious configuration loaded.
Disabling is recommended.
Dhcp provides Internet Protocol (IP) addresses to hosts that request them.
On corporate networks this is usually handled by a dedicated server, not by a router.
Disabling is recommended.
Pad Service is used for some older Wide Area Networking (WAN) connections.
If not configured for your WAN, it should be explicitly turned off.
Disabling is recommended.
The IP Finger service can tell requesters who is logged into a router.
This information can be accessed in other ways by authorized users.
Disabling is recommended.
A router can send Address Resolution Protocol (ARP) requests on behalf of another device.
These requests are called gratuitous arps. This functionality should not be needed on a
correctly configured network, and could be a vector for attack.
Disabling is recommended.
The Hypertext Transfer Protocol (HTTP) Server service makes the router into a web server
allowing web administration of the router. Routers configured by command line do not need this.
Disabling is recommended.
The Hypertext Transfer Protocol (HTTP) Secure Server service makes the router into an encryption
capable web server allowing more secure web administration of the router than http server. Routers
configured by command line do not need this.
Disabling is recommended.
Enabling ip name-server on a router lets the router resolve Domain Name System (DNS) names.
Routers should rarely have to resolve names on a corporate network. Most have dedicated DNS servers
for name resolution. An enabled ip name-server service on a router can be an avenue for attack.
Disabling is recommended.
Source Routing enables a sender to specify the path that should be used for return packets. It is
rarely used in production environments but can be very useful to attackers. They can receive
normally unroutable or "spoofed" packets back, providing valuable information.
Disabling is recommended.
Link Layer Discovery Protocol (lldp) is similar to Cisco Discovery Protocol (cdp) but is an open
standard. Institute of Electrical and Electronics Engineers (IEEE) standard 802.1AB details the
specification. Lldp should not be needed and should definitely be disabled on edge routers.
Lldp has not been incorporated into Cisco IOS as of the date of this writing. If not available
on your router, running the command results in a harmless error.
Disabling is recommended.
TCP and UDP Small-Servers enables a suite of services such as echo, chargen, daytime, and more.
These services should not be needed for normal operation but could provide an attacker with
information about your router or your network.
Disabling is recommended.
Interface Specific Commands (to be disabled)
Cisco Discovery Protocol (service cdp)
Cisco Discovery Protocol sends information about the reporting device
and receives information about other Cisco devices.
Cdp should not be used on border routers and should not be needed internally.
Although this command is not needed if cdp has been disabled globally, adding it
to the interfaces does no harm.
Disabling is recommended.
IP Directed Broadcast lets a host on one Local Area Network (LAN) segment
This feature should not be needed and can be used for attacks if enabled.
Disabling is recommended.
IP Redirect causes the router to send redirect messages when prompted.
An attacker can use this feature to gain information about your network
and for some forms of attack.
Disabling is recommended.
IP Proxy-arp permits the router to send Address Resolution Protocol (arp)
requests on behalf of a host on another network. Proxy-arp can give an
attacker information and could be used in some attacks.
Disabling is recommended.
IP Mask-reply causes the router to provide the network mask of networks
it is aware of. An attacker can use this in mapping the networks and
determining potential host addresses to conduct further reconnaissance on.
Disabling is recommended.
IP Unreachables are generated on the router for networks that it cannot
route to. Through process of elimination, this information can be used to
map a network. Networks that do not return unreachables are known and may
be configured on the router. They at least exist in its routing tables.
Disabling is recommended.
Maintenance Operations Protocol is a DECnet protocol that is not needed
on most networks. Any unneeded protocols should be disabled to reduce possible
attack vectors.
Disabling is recommended.
Network Time Protocol (ntp) should be configured on the router, but should
be enabled and configured only on the loopback interface. It should be
disabled on all other interfaces.
Disabling is recommended.
A Loopback Interface is a virtual interface that is not associated with a
physical network connection. Protocols like Secure Shell (SSH) and Network
Time Protocol can be bound to the loopback interface so they are not handled
by interfaces associated with physical ports and actual networks.
Creation of a loopback interface is recommended.
A Null Interface routes all traffic to a virtual location within the router
where all packets are dropped. Routing unwanted traffic to the null interface,
also known as "null routing" or "black hole routing" is a very efficient method
of getting rid of traffic that is unwanted or is most likely spoofed.
Creation of a Null Interface and routing spoofed traffic to it is recommended.
The Auxiliary (aux) Port provides a means of physically connecting to the
router via a serial cable. Local administration of the router is usually done
using the console port. Disabling the aux port is recommended unless it is
connected to a modem for out-of-band access. If connected to a modem, both the
modem and the aux port must be configured securely.
Disabling the aux port is recommended.
The Console Port is used to connect to the router locally. A console cable
is connected from the router's console port to a serial port on a computer.
Once connected, the user brings up terminal emulation software like TeraTerm,
Hyperterm, or Putty. The console port permits sensitive operations like
password recovery, so it must be configured securely.
Secure configuration of the console port is recommended.
Virtual Terminal (vty) Ports permit connection over the network. Since they
are accessible from anywhere using insecure protocols unless properly configured,
they pose a great risk. Access to them should be restricted to secure protocols
such as Secure Shell (ssh) and only trusted IP addresses should be permitted.
An Access Control List (acl) is used to restrict access to trusted IP addresses.
Secure configuration of the vty ports is recommended.
Global router commands (to be enabled)
ip cef
Cisco Express Forwarding (cef) in and of itself does not do much security-wise.
It can make the processing of through traffic faster. Cef uses its own Forwarding
Information Base (fib) to switch packets through the router. This is faster than
the default switching method, fast-switching.
Enabling cef is recommended.
Receiving time via Network Time Protocol (ntp) means that the log files generated
by the router will have accurate timestamps. Timestamp accuracy of log files is
crucial to tracking attacks or attempted attacks. The earlier commands disabling ntp
on interfaces mean the router will not serve as an ntp server. A primary and backup
ntp server should be configured for redundancy.
Enabling ntp reception is recommended.
Password encryption is better than leaving configured passwords clear text, but it
is NOT secure. Small, free programs such as Boson's GetPass can be used to decipher
passwords encrypted in this way. Even if you have password-encryption enabled,
remember to protect your router configuration files.
Enabling service password-encryption is recommended.
TCP Keepalives let the router calculate how long a TCP session has been connected
and permit tracking of "idle time", or time during which no user action has occurred for a
given connection.
Enabling tcp-keepalives in and out is recommended.
If tcp-keepalives-in are enabled, idle SSH sessions can be logged off after a
pre-set time. The crst shuts down idle sessions after 20 minutes of inactivity.
This reduces the chance that someone can walk up to a computer with a session
connected and make changes.
Enabling ssh timeout is recommended.
SSH authentication retries (attempts where a bad username or password has been
entered) can be limited to thwart brute force password cracking attempts. The
crst sets the number of attempts before lockout to three.
Limiting ssh authentication retries is recommended.
Access control
aux port Configuration
The Auxiliary Port (aux port) presents an unneeded risk and should be disabled.
If it is used for remote access, it should be secured.
Disabling the aux port is recommended.
The console port is often used for local administration. It should be secured by requiring
default login (aaa), and should have transport output none.
Securing the console port is recommended.
Virtual Terminal or vty ports are used for remote access and should be secured as tightly as
practical. Only a very limited number of IP Addresses should be allowed to access them, and only
using secure protocols when possible.
Securing vty ports is recommended.
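As an added example (not part of this help file or the BRST tool itself), the following Python audit checks a saved running-config against the recommendations above: the global commands to disable, the global commands to enable, the per-interface commands to disable, and the vty access controls. The sample configuration is constructed for illustration; the command strings follow Cisco IOS syntax as listed in this guide.

```python
# Commands the guide says to disable globally, enable globally, and disable per interface.
GLOBAL_DISABLE = ["service tcp-small-servers", "service udp-small-servers", "cdp run",
                  "ip source-route", "ip http server", "ip http secure-server", "ip finger"]
GLOBAL_ENABLE = ["ip cef", "service password-encryption",
                 "service tcp-keepalives-in", "service tcp-keepalives-out"]
IFACE_DISABLE = ["ip redirects", "ip proxy-arp", "ip directed-broadcast",
                 "ip unreachables", "ip mask-reply", "cdp enable"]

# Constructed sample running-config (not from a real device) mixing good and weak settings.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
ip cef
ip http server
interface GigabitEthernet0/0
 no ip redirects
line vty 0 4
 transport input ssh
"""

def parse_config(text):
    """Split a running-config into a set of global lines and indented stanzas keyed by header."""
    global_lines, stanzas, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(line)
        elif line.startswith(("interface ", "line ")):
            current, stanzas[line] = line, []
        else:
            current = None
            global_lines.add(line)
    return global_lines, stanzas

def audit(text):
    """Return sorted findings: settings that contradict the guide's recommendations."""
    gset, stanzas = parse_config(text)
    findings = [f"global: '{c}' enabled" for c in GLOBAL_DISABLE if c in gset]
    findings += [f"global: '{c}' missing" for c in GLOBAL_ENABLE if c not in gset]
    for name, lines in stanzas.items():
        if name.startswith("interface"):
            findings += [f"{name}: missing 'no {c}'" for c in IFACE_DISABLE if f"no {c}" not in lines]
        elif name.startswith("line vty"):
            if "transport input ssh" not in lines:
                findings.append(f"{name}: transport input not limited to ssh")
            if not any(l.startswith("access-class ") for l in lines):
                findings.append(f"{name}: no access-class restricting source addresses")
    return sorted(findings)
```

The audit reads only explicit lines, so a "missing 'no ...'" finding means the setting was not turned off in the text, not that it is necessarily on; IOS omits defaults from the running-config, so confirm platform defaults before treating such a finding as a live exposure.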