secure your router without reading the whole book

Posted: July 6, 2015 in CCNP

In this tutorial we learn how to secure a router even without knowing how to configure Telnet or how to set an enable password on it. Even if you are new to networking and have no idea how to configure your router securely, you can still harden it easily. There is no need to read the whole book on routers just to learn how to secure one. Cisco introduced the AutoSecure feature to quickly harden router configuration files in an automated fashion.

Now what does this AutoSecure feature actually do?

AutoSecure disables common router features that might pose a security risk, while enabling other IOS features that help harden the router.


Once you enter the auto secure command, the router leads you through a series of questions so it can best determine how to secure the router for your environment.

The AutoSecure feature of Cisco IOS is an excellent tool for users who have limited knowledge of all the Cisco security features.

Now run the auto secure command.

Router#auto secure

--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:This is satish tiwary department
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: redhat123
Confirm the enable secret: redhat123
Enter the new enable password: cisco123
Confirm the enable password: cisco123

Configuration of local user database
Enter the username: satish
Enter the password: satish123
Confirm the password: satish123

Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected:
Device not secured against 'login attacks'.

Configure SSH server? [yes]: yes

Enter the host name: satish.com
Enter the domain-name: tiwary.com
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

!
service password-encryption
no cdp run
access-list 100 permit udp any any eq bootpc
banner motd his is satish tiwary departmen
enable secret 5 $1$mERr$/.1oOMouj/h0tWhPw9K6J1
enable password 7 0822455D0A16544541
username satish password 7 08324D5A000A0D464058
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
service timestamps debug datetime msec
service timestamps log datetime msec
logging trap debugging
logging console
logging buffered
line vty 0 4
transport input ssh
transport input telnet
hostname satish.com
ip domain-name tiwary.com
ip access-list extended 100
permit udp any any eq bootpc
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any

Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: test.test

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...
*Mar 1 22:56:41.001: %SYS-3-CPUHOG: Task is running for (2007)msecs, more than
(2000)msecs (0/0),process = crypto sw pk proc.
-Traceback= 0x824198E0 0x82419FC4 0x8283C238 0x82866AD8 0x828667A8 0x82865D34 0x
828660F4 0x82866510 0x802335D4 0x80236D80 [OK]
satish.com#
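As an added example (not part of the original post), here is a small Python audit that reads an IOS configuration like the one AutoSecure generated above and reports the gaps a reviewer would still check by hand: the type 7 passwords are reversible, telnet remains an input transport on the vty lines, and no login block-for was configured because the login-attack prompt was left unanswered. The sample configuration is a constructed excerpt with placeholder hashes, and the audit function names are my own.

```python
# Constructed excerpt modelled on the configuration the AutoSecure run printed;
# the secret and password strings are placeholders, not values from the page.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
enable secret 5 $1$PLCH$placeholderhashPLACEHOLDER
enable password 7 00PLACEHOLDER00
username satish password 7 00PLACEHOLDER00
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
line vty 0 4
 login authentication local_auth
 transport input ssh
 transport input telnet
"""


def vty_input_transports(lines):
    """Effective input transports on the 'line vty' blocks.

    IOS replaces a line's transport list on every 'transport input' command,
    so the last one wins; in the output above 'transport input telnet'
    follows 'transport input ssh', which leaves telnet enabled.
    """
    effective = set()
    in_vty = False
    for line in lines:
        if line.startswith("line "):
            in_vty = line.startswith("line vty")
        elif in_vty and line.startswith("transport input "):
            effective = set(line.split()[2:])
    return effective


def audit(config):
    """Return the set of hardening gaps found in an IOS config text."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    has = lambda prefix: any(l.startswith(prefix) for l in lines)
    checks = {
        "no enable secret": not has("enable secret "),
        "type 7 (reversible) passwords present": any(" password 7 " in l for l in lines),
        "service password-encryption off": not has("service password-encryption"),
        "cdp not disabled": not has("no cdp run"),
        "aaa new-model missing": not has("aaa new-model"),
        "telnet allowed on vty": "telnet" in vty_input_transports(lines),
        "no login block-for (login attacks not mitigated)": not has("login block-for "),
    }
    return {name for name, failed in checks.items() if failed}


if __name__ == "__main__":
    for gap in sorted(audit(SAMPLE_CONFIG)):
        print("GAP:", gap)
```

Run it against a `show running-config` capture to see which of the AutoSecure defaults actually took effect on your router.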
