Chapter 2. Basic Cisco Router Security

This chapter contains the following sections:

The first question any administrator should ask about a service is whether it is necessary to run that service in the present environment. If a service is not required, it should be disabled. Running a service that provides no functionality only burns up CPU cycles and exposes the network to potential attacks. If a service is required on the interior of the network, the administrator should make efforts to prevent that service from being seen from the exterior. Likewise, if a service is required on the exterior of the network, the administrator should attempt to limit the scope of the service to only the exterior portions.

Throughout this chapter, you will find several examples of services that pose potential risks of security breaches. Some of these services might be disabled by default, depending on the version of IOS being used. In these cases, the administrator is still urged to turn off the service specifically. The reason for this is to ensure that the administrator does not rely on his or her memory regarding which services are off by default on which versions of the IOS. Taking the time to turn off questionable services specifically will also make certain that the service is off even if the default changes.
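The two paragraphs above amount to an auditing rule: every questionable service should carry an explicit "no" line in the configuration, so that the router's behaviour does not depend on which IOS version happens to disable it by default. The following Python script is an added example (not code from the book) that applies that rule to a running-config. The list of watched services and the sample configuration are assumptions chosen for illustration; the chapter does not list them here.

```python
"""Audit a Cisco IOS running-config for services that are not explicitly
disabled, and emit the commands needed to turn them off.  Added example;
the service list below is an assumption, not taken from the chapter."""
import re

# Global services that should carry an explicit "no ..." line in the config,
# regardless of whether the running IOS version disables them by default.
GLOBAL_SERVICES = {
    "service tcp-small-servers": "TCP echo/chargen/discard/daytime",
    "service udp-small-servers": "UDP echo/chargen/discard",
    "service finger": "finger user listing",
    "ip http server": "HTTP management interface",
    "ip bootp server": "BOOTP server",
    "ip source-route": "source-routed packet handling",
    "cdp run": "Cisco Discovery Protocol",
}

# Constructed sample config: one service explicitly on, two explicitly off,
# the rest never mentioned (i.e. silently relying on the version's defaults).
SAMPLE_CONFIG = """\
version 12.2
hostname edge-rtr
!
no service finger
ip http server
no cdp run
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""


def _state_for(service, lines):
    """Classify one service from the stripped config lines."""
    # Match the command itself or a variant with trailing options
    # (e.g. "service tcp-small-servers max-servers 10"), but not a
    # different command that merely shares a prefix.
    on = re.compile(r"^" + re.escape(service) + r"( |$)")
    off = re.compile(r"^no " + re.escape(service) + r"( |$)")
    if any(off.match(ln) for ln in lines):
        return "explicitly-disabled"
    if any(on.match(ln) for ln in lines):
        return "explicitly-enabled"
    return "relying-on-default"


def audit_services(config_text):
    """Map each watched service to 'explicitly-disabled',
    'explicitly-enabled' or 'relying-on-default'."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    return {svc: _state_for(svc, lines) for svc in GLOBAL_SERVICES}


def findings(config_text):
    """Services needing attention: anything not explicitly disabled."""
    return sorted(svc for svc, state in audit_services(config_text).items()
                  if state != "explicitly-disabled")


def remediation_commands(config_text):
    """Global-configuration lines that would make every finding explicit."""
    return ["no " + svc for svc in findings(config_text)]


if __name__ == "__main__":
    for svc, state in audit_services(SAMPLE_CONFIG).items():
        print(f"{svc:28} {state:20} ({GLOBAL_SERVICES[svc]})")
    print("\nSuggested configuration:")
    for cmd in remediation_commands(SAMPLE_CONFIG):
        print(" ", cmd)
```

Run against a saved `show running-config`, the script treats "relying-on-default" the same as "explicitly-enabled": both are findings, which is exactly the chapter's point that a silent default is not an acceptable substitute for a deliberate "no" line.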

As hackers, crackers, and script kiddies try new and inventive ways to break into your network, new threats will continue to emerge. One of the best ways to stay ahead of security threats is to keep current on the IOS version used on routers. Major security threats are consistently eliminated through new IOS versions. However, this does not relieve the administrator of the responsibility of using common sense and basic configurations that are sound. This chapter provides the basic configuration changes necessary to prevent your network from becoming susceptible to common attacks.

Throughout this chapter, you will be reminded that you should never intentionally divulge information about your network that does not need to be shared. The reason for this warning is that any information obtained by someone trying to breach security can and will be used against you. Remember that the topic is security; in the realm of security, there is no such concept as being too careful.

This chapter is designed to teach the basic configurations necessary to begin securing your network. Advanced topics such as Terminal Access Controller Access Control System (TACACS), TACACS+, and Remote Access Dial-In User Service (RADIUS) authentication are explored in Chapter 10, “Securing the Corporate Network.” This chapter is limited in scope to the rudimentary commands.
