This book consists of 11 chapters and 5 appendixes. At the end of most chapters is a checklist summarizing the hardening techniques described in that chapter. Appendix A provides a complete hardening checklist made up of the chapter checklists. The book is designed to be read either straight through for those new to router security, or a chapter at a time for those interested in specific topics. I recommend, however, that before reading the book, you review the checklist provided in Appendix A. This checklist will give you a good feel for the information covered in each chapter and familiarize you with the scope of the book. Here is a brief description of what each chapter and appendix covers.

Chapter 1 addresses the importance of router security and where routers fit into an overall information security plan. Additionally, this chapter discusses which routers are the most important to secure and how secure routers are necessary (and often overlooked) parts of both firewall design and the overall information security strategy of a company.

Chapter 2 discusses security issues involving the router IOS software. It outlines current IOS revisions, shows how to determine current IOS versions, and details the importance of running a current IOS.

Chapter 3 discusses the standard ways to access a Cisco router, the security implications of each of these methods, and how to secure basic Cisco router access. These methods include console, VTY, AUX, and HTTP access controls.

Chapter 4 discusses the three ways that Cisco routers store passwords and the security implications of each method. This chapter continues to discuss the router’s default security levels and shows how to modify these levels to increase the security and accountability on your routers.

Chapter 5 discusses how to use the advanced AAA authentication and authorization configuration for Cisco routers. It also shows how to use a network access server running RADIUS or TACACS+ to control these services on the router.

Chapter 6 discusses the importance of having warning banners on routers. This chapter not only talks about the need to have banners, but also presents legal dos and don’ts for security banners. Finally, the chapter provides an example recommended banner to use on Cisco routers.

Chapter 7 discusses the unnecessary services that are commonly run on Cisco routers. Many of these services are enabled by default, and this chapter explains why services such as HTTP, finger, CDP, echo, and chargen are dangerous and details how to turn them off.

Chapter 8 demonstrates how to disable SNMP or configure it securely. It presents the differences between SNMP Versions 1, 2, and 3; talks about read-only versus read-write access; and shows how to use access lists to limit SNMP access to only a few specific machines.

Chapter 9 discusses routing protocol security. Specifically, it discusses how to add security to RIP, OSPF, EIGRP, and BGP. These routing protocols allow authentication to prevent fake routing updates. The chapter also presents the importance of antispoofing filters and how to perform ingress and egress filtering using CLs on older routers and Cisco’s RPF and CEF antispoofing mechanisms on newer ones.

Chapter 10 discusses NTP and how to use it to make sure all routers have the exact same time. This chapter discusses the importance of having the time on all your routers and logging servers synchronized and provides examples of how to configure a Cisco router to use NTP time services.

Chapter 11 discusses how Cisco routers perform logging and why logging is important. The chapter then demonstrates why and how to manipulate logging buffers, how to configure routers to use syslog, and when to do ACL violation logging.

Appendix A allows you to secure your Cisco routers and verify that important security issues have been addressed. The checklist is presented in a manner that makes it easy to quickly refer back to the chapter addressing the items outlined in the checklist reference. Finally, this appendix briefly talks about using the checklist to harden and audit Cisco routers.

Appendix B talks about the importance of physically securing your routers. It presents common physical vulnerabilities and discusses how to overcome them.

Appendix C gets you thinking about how to react when a break-in is discovered. The goal of this chapter is not to provide an exhaustive explanation of incident response, but to provide emergency guidelines that you can follow when an incident occurs.

Appendix D provides common Cisco router configuration examples that combine the examples throughout the book.

Appendix E provides a list of resources that you might find useful if you need to brush up on ACLs, network access protocols such as TACACS or RADIUS, and services such as SNMP or syslog.

This book assumes you are already familiar with configuring, administering, and troubleshooting Cisco routers. A CCNA should be comfortable with the contents of each chapter. A CCNP or above will probably want to first turn to the checklist provided in Appendix A. To get the most out of this book, you should be familiar with:

The following formatting conventions are used throughout this book:

Please address comments and questions concerning this book to the publisher:

There is a web site for this book, which lists errata, examples, or any additional information. You can access this page at:

To comment or ask technical questions about this book, send email to:

For more information about books, conferences, resource centers, and the O’Reilly Network, see the O’Reilly web site at:

First, always, is my wife Abigail Akin. Neither of us knew how hard this would be, but it was her encouragement (and occasional kick in the pants) that gave me the courage and discipline to write and finish this book. Honey, this first book is for you.

Second, for his near infinite patience, is Jim Sumser, my editor. It was Jim who took a chance on an unknown author. He pushed me when I needed it and always had a word of praise to keep me on track just when I was about to throw my computer out the window.

My technical reviewers gave invaluable input: Ian J. Brown, CCIE #3372, Mark Jackson, CCIE #4736, and Elsa Lankford. Ian and Mark kept me towing the line technically, while Elsa kept me from getting bogged down in details, missing the forest for the trees. Ian and Mark, the configuration examples in Appendix D are for you, and, Elsa, the resources in Appendix E are yours.

Also, my friends in law enforcement: thanks to Steve Edwards from the Georgia Bureau of Investigation and Cassandra Schansman, Georgia’s Assistant Attorney General, for both their support and review of Appendix C. Thanks to Patrick Gray from the FBI’s Atlanta Computer Crimes Squad for providing the warning banner in Chapter 6.

Next, Jeff Crabtree, my former boss and long-time friend. He gave me my start in information technology and has supported me, many times at his own expense, for almost a decade. I owe you and Lisa some serious margaritas.

Finally, the two people who have taught me that integrity and love are the most important parts of being successful—my father Morgan Akin and my mother Cathy Coulmas.