Secure IOS Template

So far, this chapter has covered the different ways to secure your router and use it as a supplement to a dedicated firewall. This section explores how to harden your router and some of the best practices available for making the router a more secure device on your network. For the sake of brevity, you will not see coverage of every ACL and command that could be used to secure your router. There are a couple of reasons for this choice:

• The physical constraints of this book do not allow it, so content must be prioritized. Some of the items left out are specific to particular kinds of networking businesses (ISPs, for example); most networks can use the remaining items as they are.

• Certain parts of the recommendations, such as TACACS and RADIUS, are covered in previous chapters, so there is no need to cover them again here.

This section is meant to teach you how to secure your router, with brief explanations so that you can decide which commands are appropriate for your network. You can apply these commands and suggestions today. Many websites offer templates of all kinds; this section discusses only a few of the options available to you. Use it as a starting point and find the templates that best match your security needs and policy.


Tip

Cisco Security Device Manager (SDM) is a mature, sound GUI tool that now ships as standard with the security/VPN routers. It offers a robust setup and configuration of VPN and CBAC; it also audits the router and locks it down. Before you start that process, Cisco offers some suggestions on how to do it at www.cisco.com/en/US/products/sw/secursw/ps5318/index.html.


The configuration commands in Example 8-1 are in bold text so that they stand out from the supporting comments, which are highlighted for readability. The secure template assumes the topology in Figure 8-4.

Figure 8-4 Secure IOS Template Topology

image

Example 8-1 Secure IOS Template


! The very first step before beginning is to ensure that your IOS is upgraded to the
latest stable version. This is the simplest way to ensure that known security and
operational issues have been fixed. Any operating system has bugs and flaws, so
minimizing the ones you are exposed to is definitely best practice.
!
Many companies turn on the Nagle congestion control algorithm to improve the
performance of their Telnet sessions to and from the router. Standard Telnet sends
each keystroke over TCP, and TCP tends to send one packet for each keystroke typed. On
larger networks, many small packets use up bandwidth and contribute to congestion. John
Nagle's algorithm (RFC 896) alleviates the small-packet problem in TCP. In general, it
works this way: the first character typed after connection establishment is sent in a
single packet, but TCP holds any additional characters typed until the receiver
acknowledges the previous packet. Then the second, larger packet is sent, and additional
typed characters are saved until the acknowledgment comes back. The effect is to
accumulate characters into larger packets (chunks) and pace them out to the network at a
rate matching the round-trip time of the connection. (Keepalives, configured a few lines
further on, ensure that no TCP connections to the router get hung.)
!
service nagle
!
By default, autoloading of configuration files from a network server is disabled,
except on systems without NVRAM or with invalid or incomplete information in NVRAM, where
it is enabled automatically. The following command makes sure the router never tries to
fetch its configuration from the network, where an attacker could supply one.
!
no service config
!
Attackers often map a network by sending packets with the IP source route option set,
because a source-routed packet can be steered through, and bounced back from, devices
that would not otherwise be reachable, and it can bypass filtering that assumes normal
routing. Normal traffic never needs source routing. This command stops the router from
honoring and forwarding source-routed packets.
!
no ip source-route
!
Enabling the two services below makes the router send TCP keepalives on incoming and
outgoing connections, so that sessions left hanging by a remote system that crashed or
disconnected abruptly do not tie up the available vty (Telnet/SSH) lines and deny
legitimate connections. Without them, you could effectively be locked out of the router,
a simple denial of service.
!
!
service tcp-keepalives-in
service tcp-keepalives-out
!
By default, log messages are not time stamped or marked in any way that would let you
know when they occurred. Activate time stamps on all debug messages and log entries,
down to the millisecond, so that you can determine the relevance of each message, and make
sure the router's clock is set properly (ideally by NTP); otherwise the stamps are not
worth much. The following setting produces entries similar to this:
Sep 4 23:58:11.437: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up
If you see an asterisk in front of the time stamp, the router's clock is not
authoritative (it has not synchronized with NTP), and the time should not be trusted. The
command line options in the timestamps command are as follows:
- debug: all debug output is time stamped
- log: all log messages are time stamped
- datetime: the date and time are included in the syslog message
- localtime: the router's local time is used in the message
- show-timezone: the time zone defined on the router is included (useful if the network
crosses multiple time zones; we suggest standardizing on a single time zone if this is
the case)
- msec: time accuracy to milliseconds, useful if NTP is configured
!
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime
!
By default, a syslog message carries the IP address of the interface it uses to leave
the router. You can instead require all syslog messages to carry the same IP address,
regardless of the egress interface. Many large enterprise networks and ISPs use the
loopback address to identify each router unambiguously. This keeps their syslog records
consistent and lets them restrict the syslog server to accepting messages only from known
addresses. The source can be any active interface if you do not have a loopback
configured; however, a loopback is recommended because it never goes down and ensures each
router is sending from an address you specify.
!
logging source-interface loopback0
!
The service password-encryption command provides minimal security for user, line,
PPP, RADIUS and assorted other passwords and keys that must be stored in the IOS
configuration file. It causes those passwords to be stored in the configuration in type 7
form, a fixed-key obfuscation that is trivially reversible with freely available tools;
it only keeps someone from reading your passwords at a glance over your shoulder or in a
printout. It is not real protection; use enable secret for the enable password and
TACACS+/RADIUS-controlled logins wherever possible.
!
!
service password-encryption
!
The service dhcp feature (the router's DHCP server and relay agent) is enabled by
default in IOS; unless the router is actually serving or relaying DHCP, it is an
unnecessary service, so shut it off. Also, given the issues with the TCP and UDP small
servers, make sure they are off. For example, one of the small servers is chargen, a
character generator that produces a stream of characters for diagnostic purposes. Another
is echo, which simply echoes back every byte sent to it. Pointing a chargen service at an
echo service creates a loop that generates an enormous amount of traffic and eventually
overwhelms the router's CPU and memory, the makings of a very effective denial of service
(DoS). The easiest way to prevent this kind of attack is to disable these services on the
router: no service tcp-small-servers disables echo, chargen, discard, and daytime; no
service udp-small-servers disables echo, chargen, and discard.
!
no service udp-small-servers
no service tcp-small-servers
no service dhcp
!
Not all services are bad; a newer addition to the service family is quite useful.
Enabling it numbers every syslog entry the router generates, so a gap in the sequence
tells you that messages were lost, or deleted by someone trying to hide their tracks. It
does not stop tampering, but it makes it visible.
!
service sequence-numbers
hostname OSPF-Rocks
!
Logging is a must in almost every case, so turn it on. With all the logging done in this
configuration, it is also a good idea to rate limit the log messages sent per second so
you do not overwhelm your syslog server; the entries can climb rapidly when you are logging
ACL hits. The trailing question mark below is IOS context help, not configuration: it
lists the arguments (a messages-per-second limit, optionally followed by except and a
severity, so that messages of that severity or more severe are never dropped). Replace it
with the value you choose.
!
logging 7.7.7.5
logging buffered 16384 debugging
logging rate-limit ?
!
Every message sent to the console port causes a CPU interrupt so that it can be
delivered to the serial port. Considering the level of logging going on in this
configuration, disable console logging until you need it. Console logging is very
effective when troubleshooting while physically attached to the router, so keep this
command in mind (logging console turns it back on).
!
no logging console
!
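As an added example (not from the book), here is a small Python checker for the syslog stream those settings produce: it parses the sequence number, the time stamp with its time zone, and the facility/severity/mnemonic, flags gaps in the sequence (lost or deleted entries), and flags entries stamped while the clock was not NTP-synchronized. The log lines are constructed to match the output of the service sequence-numbers and service timestamps commands above; the regular expression is my assumption about that format, not a grammar Cisco publishes.

```python
"""Checker for Cisco IOS syslog lines produced with 'service sequence-numbers'
and 'service timestamps log datetime msec show-timezone localtime'.
Added example, not from the book; the line format is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<seq>: [*|.]<Mon DD HH:MM:SS.mmm> <TZ>: %FACILITY-SEVERITY-MNEMONIC: text"
# A '*' before the time stamp means the clock is not authoritative; a '.'
# means it is authoritative but NTP is not (yet) synchronized. Either way the
# time cannot be correlated with other devices.
LINE_RE = re.compile(
    r"^(?P<seq>\d+):\s+(?P<flag>[*.]?)"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<tz>\S+):\s+"
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<msg>.*)$"
)


@dataclass
class Entry:
    seq: int
    clock_synced: bool
    timestamp: str
    facility: str
    severity: int
    mnemonic: str
    message: str


def parse_line(line: str) -> Optional[Entry]:
    """Return the parsed entry, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(int(m["seq"]), m["flag"] == "", f"{m['ts']} {m['tz']}",
                 m["fac"], int(m["sev"]), m["mnem"], m["msg"])


def check_log(lines: List[str]) -> Dict[str, list]:
    """Report sequence gaps (lost or deleted entries), entries whose time stamp
    came from an unsynchronized clock, and lines that did not parse."""
    gaps, unsynced, unparsed = [], [], []
    prev = None
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed.append(line)
            continue
        if prev is not None and entry.seq != prev + 1:
            gaps.append((prev, entry.seq))
        if not entry.clock_synced:
            unsynced.append(entry.seq)
        prev = entry.seq
    return {"gaps": gaps, "unsynced": unsynced, "unparsed": unparsed}


# Constructed sample: entries 43 and 44 are missing, and entry 46 was stamped
# before the router had synchronized with NTP.
SAMPLE_LOG = [
    "000041: Sep  4 23:58:11.437 GMT: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to up",
    "000042: Sep  4 23:58:12.441 GMT: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to up",
    "000045: Sep  4 23:59:02.008 GMT: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (7.7.7.5)",
    "000046: *Sep  4 23:59:40.120 GMT: %SEC-6-IPACCESSLOGP: list 100 denied tcp 5.5.5.9(4121) -> 10.10.10.10(23), 1 packet",
    "this line is not a syslog entry",
]

if __name__ == "__main__":
    for kind, items in check_log(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Feed it the lines collected by your syslog server for one router; a gap finding means either the collector lost messages (check the rate limit) or someone removed them, and either deserves a look.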

Almost all passwords and other authentication strings in Cisco IOS configuration files
are stored with the weak, reversible scheme used for user passwords. To determine which
scheme protects a given password, look at the digit preceding the encoded string in the
configuration file. If that digit is 7, the password is obfuscated with the weak,
reversible algorithm. If the digit is 5, the password has been hashed with the stronger
MD5-based algorithm, which cannot be reversed. Use enable secret for the enable password,
but do not forget service password-encryption, so that the remaining passwords are at least
stored as type 7 rather than in plain text. Pick a secret with some CAPITAL letters and
some Num83r2; it makes brute-force attacks harder. The extra protection of enable secret
matters most where the configuration crosses the network or sits on a TFTP server, both of
which are common. Newer IOS releases also offer stronger secret types (type 8, PBKDF2 with
SHA-256, and type 9, scrypt); prefer those where available, since MD5 hashes of weak
passwords fall quickly to offline cracking.
!
enable secret <PASSWORD>
no enable password
!
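To make concrete why type 7 is obfuscation rather than encryption, here is the algorithm in Python as an added example (not from the book): the password is XORed against a fixed, publicly known key string, with the first two digits giving the starting offset into that key. The sample configuration lines are constructed; the scanner looks for password 7 and key 7 strings, which is exactly what an attacker holding a copy of your configuration would do.

```python
"""Cisco IOS type 7 password handling. Added example, not from the book.
Type 7 is what 'service password-encryption' and 'enable password' produce: the
password XORed with a fixed, publicly known key, prefixed by a two-digit offset.
Anyone holding the configuration can reverse it, which is why 'enable secret'
(a real hash) is required for anything that matters."""
import re
from typing import List, Tuple

# The constant key string used by IOS for type 7 (well known, not a secret).
XLAT_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string such as 060506324F41 to its plaintext."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])                    # starting offset into XLAT_KEY
    body = bytes.fromhex(encoded[2:])          # raises ValueError on non-hex input
    return "".join(
        chr(byte ^ ord(XLAT_KEY[(seed + i) % len(XLAT_KEY)]))
        for i, byte in enumerate(body)
    )


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Produce a type 7 string; IOS itself picks seeds in the range 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = "".join(
        f"{ord(ch) ^ ord(XLAT_KEY[(seed + i) % len(XLAT_KEY)]):02X}"
        for i, ch in enumerate(plaintext)
    )
    return f"{seed:02d}{body}"


# Matches the common places type 7 strings appear: 'password 7 ...' and
# 'key 7 ...' (username, enable password, tacacs-server key, ip ftp password).
TYPE7_RE = re.compile(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]{4,})\b")


def find_type7_secrets(config: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for every type 7 string found."""
    found = []
    for line in config.splitlines():
        m = TYPE7_RE.search(line)
        if m:
            found.append((line.strip(), type7_decode(m.group(1))))
    return found


# Constructed sample configuration; the enable secret line is a type 5 hash
# (placeholder value) and is correctly left alone by the scanner.
SAMPLE_CONFIG = f"""\
service password-encryption
enable secret 5 $1$abcd$notARealHashJustAPlaceholder
username admin password 7 060506324F41
tacacs-server key 7 094F471A1A0A
ip ftp password 7 {type7_encode("OSPF-r0ck2", 3)}
"""

if __name__ == "__main__":
    for line, plain in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line!r} -> {plain!r}")
```

Note that the TACACS+ key, the FTP password used for core dumps and every line password in this template end up in type 7 form, so a leaked configuration hands them all to the attacker; treat configuration backups with the same care as the passwords themselves.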
Use TACACS+ for AAA login authentication. Ensure that the local account is case-
sensitive, thus making brute-force attacks less effective.
!
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 7.7.7.5
tacacs-server key OSPF-r0ck2
!
In the event that TACACS+ fails, use case-sensitive local authentication with a
username defined on the router so that you can still get in. If TACACS+/RADIUS is not
available in your network, configure AAA to use the locally stored usernames and passwords
instead. Where your IOS supports it, use username <USERNAME> secret <PASSWORD> rather than
the password keyword, so the local password is stored as a hash instead of reversible type
7. Layered authentication keeps attackers guessing and the router more secure; security is
all about multiple layers of defense.
!
username <USERNAME> password <PASSWORD>
!
Do I really need to explain why you should not use the built-in web server? Sometimes
Cisco takes the web too far: it is a router, Jim! Let it route! The HTTPS variant is
disabled with no ip http secure-server; there is no ip https server command in IOS.
!
no ip http server
no ip http secure-server
!

These allow the use of subnet zero and classless routing, address space that was not
traditionally used but that matters more and more as IPv4 addresses run out. Both are the
default in current IOS releases, but setting them explicitly documents the intent.
!
ip subnet-zero
ip classless
!
Why these services are still on by default in IOS is anyone's guess; for your sanity and
the security of your network, turn them off. As IOS has evolved, some of them have become
off by default; it is still best practice to make sure. Note that no ip domain-lookup stops
the router from trying to resolve every mistyped command as a hostname; if the router
genuinely needs DNS, keep lookups on and point them at a trusted server instead.
!
no service pad
no ip source-route
no service finger
no ip bootp server
no ip domain-lookup
!
TCP intercept helps prevent SYN-flooding attacks against servers behind the router by
intercepting and validating TCP connection requests. In intercept mode, the router
answers SYN packets that match an extended access list (here, ACL 120) on behalf of the
server, and only after the client completes the three-way handshake does the router open
the connection to the real server and splice the two together. Half-open connections
therefore never reach the server.
!
ip tcp intercept list 120
!
By default, TCP intercept keeps state for an established connection for 24 hours after
it goes idle. There is no reason for the router to hold that much state, so shorten it
(the value is in seconds).
!
ip tcp intercept connection-timeout 60
!
Keep half-open connection attempts for only 10 seconds instead of the default 30
seconds. This helps the router defeat denial-of-service attacks because it discards
half-open connections much faster.
!
ip tcp intercept watch-timeout 10
!
These commands set the thresholds at which TCP intercept leaves and enters aggressive
mode, in this case 1500 and 6000 incomplete connections per minute, respectively; the
defaults of 900 and 1100 are not very realistic. In aggressive mode the router halves the
watch timeout and drops the oldest partial connection for every new SYN it receives.
!
ip tcp intercept one-minute low 1500
ip tcp intercept one-minute high 6000
!
Cisco has added a core dump facility to IOS that works like those on other systems: when
a router crashes, a copy of memory is written out to a server before the router reboots
and the memory is erased. An account (FTP, TFTP, or RCP) and sufficient disk space (equal
to the amount of memory on the router, per dump) must be set up. Catch core dumps in case
of a crash; this is very important for a "security router" because a denial-of-service
attack might have succeeded, and the dump tells you what happened. Here the network
management server inside the firewall accepts FTP connections from the router. Give the
core dump files a unique name, as shown. Make access to the core dump account as secure
as possible: a dump contains the router's memory, including its configuration and keys,
so do not send it to the same FTP server that provides anonymous or general user FTP
accounts, and remember that the FTP password below is stored in the configuration only as
type 7.
!
ip ftp username <FTP SERVER USERNAME>
ip ftp password <PASSWORD>
exception core-file <UNIQUE FILE NAME>
exception protocol ftp
exception dump 7.7.7.5
!
TFTP is the most common tool for uploading and downloading IOS images and
configurations, so the TFTP server's security is critical. That means restricting which
source IP addresses may complete a TFTP connection. IOS allows TFTP (and FTP) traffic to be
sourced from a specific interface address, so the TFTP server can carry a fixed ACL keyed
to a fixed router address. That address is usually the loopback, which is commonly used
for managing the router; if you do not use loopback interfaces, use the interface closest
to the TFTP server. FTP is included because it was configured for core dumps above.
!
ip tftp source-interface <SOURCE INTERFACE>
ip ftp source-interface <SOURCE INTERFACE>
!
CEF (Cisco Express Forwarding) is an advanced Layer 3 switching technology inside the
router and the fastest method by which a Cisco router forwards packets from ingress to
egress interfaces. The ip cef command enables it globally; it is also a prerequisite for
the unicast reverse-path checks configured on the interfaces below. Not all routers
support CEF, so check your documentation.
!
ip cef
!
Set the time zone properly. It is best to standardize on one time zone for all routers
and servers, thus making problem tracking easier. I recommend using the time zone
where all your network management devices and servers are located so all logs, traps,
and events are in sync.
!
clock timezone GMT 0
!
NTP is the most overlooked feature on many networks. The Network Time Protocol (NTP)
synchronizes the clocks of a network of machines, providing a precise time base for
workstations, servers, and network devices. NTP runs over UDP. An NTP network usually gets
its time from an authoritative source, such as a radio or atomic clock attached to a time
server, and NTP distributes that time across the network. It is extremely efficient: no
more than one packet per minute is needed to keep two machines within a millisecond of
one another. Many system administrators configure time synchronization for servers but
never take the next step and include the network devices. If you want to compare syslog
information from devices all over your network, you must synchronize the time on all of
them; comparing logs from different devices is essential for troubleshooting, fault
analysis, and security incident tracking, and without precise time synchronization
between the logging, management, AAA, and security functions that comparison is
impossible. When activating NTP, synchronize the router's clock with a local, trusted,
authenticated NTP server. Authentication needs three pieces: the key itself (SECRETKEY
must be the same on the router and the NTP server), ntp trusted-key to declare that key
acceptable, and the key keyword on the ntp server line. With ntp authenticate set but no
trusted key, the router refuses to synchronize with any server. Note that NTP takes
several polling intervals to synchronize, so be patient.
!
ntp authentication-key 6767 md5 <SECRETKEY>
ntp authenticate
ntp trusted-key 6767
ntp update-calendar
ntp server 7.7.7.5 key 6767
!
Configure the loopback0 interface as the source of our log messages. This is often
used for routing protocols also because a logical interface does not go down; thus, it
is very reliable. Assign an IP address that uniquely identifies this router. One trick
is to allocate a netblock for use as the router loopback netblock.
!
int loopback0
 ip address 10.10.10.10 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
Configure and thus activate the null0 interface as a place to send naughty packets.
This becomes the "roach motel" for packets—they can route in, but they cannot route
out.
!
interface null0
 no ip unreachables
!
interface Ethernet2/0
 description Unprotected interface, facing towards Internet
 ip address 5.5.5.254 255.255.255.0
 no ip directed-broadcast
 no ip unreachables
 no ip redirects
 no ip mask-reply
 no ip proxy-arp
!
Should you run unicast reverse-path forwarding (uRPF, which depends on CEF)? Yes, if the
data path is symmetric; no, at least not in strict mode, if it is asymmetric. Use the ip
verify unicast reverse-path command on the input interface at the upstream end of the
connection. It examines each packet received on that interface: if the source address
does not have a route in the CEF table that points back out the same interface, the
router drops the packet. This stops most spoofed-source traffic at the edge. Where routing
is asymmetric, newer releases offer loose mode (ip verify unicast source reachable-via
any), which only requires that some route to the source exist.
!
 ip verify unicast reverse-path
!
Apply our template ACL (more on what it covers later in the configuration); applying it
is crucial to its success. The following command is how an access list is applied to an
interface, in this case inbound.
!
 ip access-group 2010 in
!
Rate limiting traffic to protect the router, and by extension your infrastructure, is
extremely important. The values might need tweaking to meet your needs, but in general we
recommend the following. Allow UDP to use no more than 2 Mb/s of the pipe; take care,
however, if you are running video on demand, because it uses UDP. (The three numbers are
the average rate in bits per second and the normal and excess burst sizes in bytes. This
committed access rate syntax is legacy on newer IOS releases, which use an MQC policy-map
with the police command for the same purpose.)
!
 rate-limit input access-group 150 2010000 250000 250000 conform-action transmit exceed-action drop
!
Allow ICMP to use no more than 500 Kb/s of the pipe.
!
 rate-limit input access-group 160 500000 62500 62500 conform-action transmit exceed-action drop
!
Allow multicast to use no more than 5 Mb/s of the pipe.
!
 rate-limit input access-group 170 5000000 375000 375000 conform-action transmit exceed-action drop
!
Disables the sending of ICMP redirect messages, which an attacker could use to learn
about your routing or to steer a host's traffic; let the hackers wonder!
!
 no ip redirects
!
Disables the sending of ICMP protocol-unreachable and host-unreachable messages; once
again, there is no reason to let ICMP educate attackers about your network. Be aware that
this also suppresses the fragmentation-needed messages that path MTU discovery relies on,
so if hosts behind this interface develop MTU problems, this command is the first suspect.
!
 no ip unreachables
!

Dropping IP directed broadcasts makes the router and the networks behind it less useful
as amplifiers in a denial-of-service attack. The command no ip directed-broadcast disables
the translation of a directed broadcast (a packet addressed to a subnet's broadcast
address) into a physical broadcast on that interface. If enabled, a broadcast aimed at a
particular network could be delivered through the router interface, with undesirable and
potentially harmful effects; the so-called Smurf attack is the classic example. The
feature has been off by default since IOS 12.0, but set it explicitly anyway.
!
 no ip directed-broadcast
!
Cisco IOS examines the IP header options on every packet. It supports the Strict Source
Route, Loose Source Route, Record Route, and Timestamp options defined in RFC 791 and
performs the appropriate action for each; a packet with an invalid option gets an ICMP
Parameter Problem message back and is discarded. Source routing lets the sending host
specify the route a packet takes through the network, as an option in the IP header; when
it is present, IOS by default forwards the packet along the specified route. The feature
is meant for forcing a packet to take a particular path, but it is a well-known security
hole used to reach systems and to bypass firewalls that assume normal routing. As a rule
of thumb, if you are not using IP source routing, turn it off. Note that ip source-route
is a global configuration command, not an interface command; it was already disabled
earlier in this template and is repeated here only as a reminder.
!
 no ip source-route
!
The configuration no ip proxy-arp means the router does not answer ARP requests on this
interface on behalf of hosts that are not on the connected subnet but to which it has a
route. Proxy ARP lets misconfigured hosts keep working, but it also lets an attacker
discover and reach other networks through the router. Again, this prevents undesirable
effects on the connected network and potential security problems. In other words, do not
have the router pretend to be something it is not.
!
 no ip proxy-arp
!
Disables the sending of ICMP address mask reply messages. Cisco routers do not send them
by default, but it never hurts to enter the command to be sure.
!
 no ip mask-reply
!
Enables IP accounting for traffic that fails IP access lists, so the router records the
source and destination of packets it denied. Be sure to check it (show ip accounting
access-violations).
!
 ip accounting access-violations
!
If you allow multicast in your network or participate in the MBONE, the following
multicast boundary helps to ensure a secure multicast environment by dropping multicast
groups not permitted by access list 30. It must be applied per interface.
!
 ip multicast boundary 30
!
Enable NetFlow on the interface and keep the flow data for analysis; if possible, export it to a collector such as cflowd (the export settings appear later in the configuration).
!
 ip route-cache flow
!
interface Ethernet2/1
 description Protected interface, facing towards DMZ
 ip address 6.6.6.254 255.255.255.0
!
Do we run unicast reverse-path forwarding here? Yes, if the data path is symmetric; no, if
it is asymmetric. See the description on the previous interface for more on this command.
!
 ip verify unicast reverse-path
!
The following commands have been described previously; for additional information,
refer to earlier in the configuration file.
!
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip accounting access-violations
 ip multicast boundary 30
 no ip mask-reply
 ip route-cache flow
!
Source routing lets the sender specify the path in the packet, which could let it bypass
firewalls and so on. Disable it! (As noted above, ip source-route is a global command; it
is repeated here as a reminder, not as interface configuration.)
!
 no ip source-route
!
This is a default route to the Internet (could be a routing protocol instead) and if
you choose a routing protocol, OSPF is highly recommended.
!
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
Route to network on the other side of the firewall.
!
ip route 7.7.7.0 255.255.255.0 6.6.6.1
!
Static routes to null0 can black-hole networks that are not supposed to be routable on
the public Internet (bogon ranges). Be very careful about enabling these when running TCP
intercept. TCP intercept directs the router to act as a TCP proxy: when it receives the
SYN, the router (instead of the destination) responds with the SYN-ACK. This is where
black hole routes cause a problem. If you black-hole all bogon ranges and someone launches
a SYN flood from a bogon source, the router sends each SYN-ACK to the null device, is not
(yet) intelligent enough to realize it has done so, and the TCP intercept queue builds
quickly. The default timeouts are not aggressive enough to work through this, which is one
more reason for the shorter watch timeout configured above.
!
Cisco has added an on-device configuration archive. When enabled with the commands
below, it records every configuration change made on the router and, in this example,
reports each change to the syslog server configured in the logging section. This is
especially useful when coupled with AAA/TACACS+ because the record also shows which user
made the change. It is a great way to do internal auditing and a wonderful teaching tool
for new engineers, and if you configure your syslog server to alert on configuration
changes you can see what is happening as it happens; for example, should someone really be
changing things outside of a maintenance window? The hidekeys keyword keeps passwords and
keys out of the logged commands.
!
archive
 log config
 logging enable
 notify syslog
 hidekeys
!
Cisco routers can run scripts written in the Tcl programming language. These scripts are
powerful and allow many tasks to be automated; however, like any tool, they can be abused,
so turn the feature off if it is not in use.
!
no scripting tcl init
no scripting tcl encdir
!
Export NetFlow data to our NetFlow server, 7.7.7.5, sourced from the loopback interface,
which is a best practice. NetFlow records are useful when tracing back to the true source
of a spoofed attack.
!
ip flow-export source loopback0
ip flow-export destination 7.7.7.5 2055
ip flow-export version 5 origin-as
!
Log everything of interest (debugging level and above) to the syslog server, sourcing all
messages from the loopback interface so that this router is easy to identify consistently
in every place that records data. At this level the rate limit configured earlier matters.
!
logging trap debugging
logging source-interface loopback0
logging 7.7.7.5
!
Do not share Cisco Discovery Protocol (CDP) information from your secure router; CDP
carries crucial bits of information about your network topology, device models and
software versions, IP addresses, and so on. This command disables CDP globally. If you
require CDP on some interfaces, enable it globally with cdp run and disable it per
interface with no cdp enable on every Internet-facing interface. In other words, run CDP
only where it is needed, never everywhere. Note that Cisco ships all devices with CDP
enabled by default starting with IOS 11.1CA.
!
no cdp run
!
SNMP is very important for network management, particularly with MRTG to track usage
statistics. To keep SNMP access secure, treat the community string as a password: make it
hard to guess with a mix of CAPS, lowercase, and numbers, and apply your corporate password
policy to it. This matters because SNMPv1 and v2c send the community string in clear text
on the wire; where your management platform supports it, SNMPv3 with authentication and
privacy is the better choice. Then further protect access with an access control list
(ACL) that determines which networks or hosts may talk SNMP to the router at all, and only
with the proper community string. Now that is a real layered security approach!

If SNMP is going to be used in read/write mode, think very carefully about the
configuration and why there is a requirement to do this, because configuration errors in
this scenario could leave the router very vulnerable. I have developed and seen tools
that, through the use of SNMP read/write, can automatically reset passwords and alter
configurations. There are very few good reasons to allow read/write access to a device
via SNMP; read-only is best practice!
!
If possible, put an ACL at the edge of your network to prevent potential attackers from
probing your network via SNMP. Many publicly and commercially available tools will scan
any network on the Internet via SNMP, map out your entire network, or discover a device
that has had SNMP left open. When performing security audits and vulnerability
assessments, I have done an SNMP walk on devices and learned a great deal about a person's
network.
!
snmp-server community <COMMUNITY> RO 20
snmp-server location Tampa, FL
snmp-server contact Cyberwraith Consulting [[email protected]]
snmp-server host 192.168.254.70 <COMMUNITY_STRING>
!
In a real configuration this ACL would appear elsewhere; for completeness, it is shown
here for easy reference. Access list 20 permits SNMP access to this device only if the
request comes from the management server (7.7.7.5); Cisco ACLs end with an implicit deny,
so everything else is refused. Notice that the normally implicit deny any is entered
explicitly, with the log keyword, so the router logs every denied SNMP attempt to the
syslog server and you can see who is probing your routers.
!
access-list 20 remark ACL TO CONTROL SNMP ACCESS
access-list 20 permit 7.7.7.5
access-list 20 deny any log
!
Protect and set expectations with an appropriately stern banner that reflects the
level of security and monitoring applied to your network. It is also important to set
everyone's expectations accessing the router and what happens if attacks are made
against it. Although we are just showing the Message of the Day (MOTD) Banner, you
could apply the same banner to the console port, aux port, AAA Login, and whenever a
user accesses EXEC mode.
!
banner motd %
Warning!!! This system is solely for the use of authorized users and only for official
purposes. Users must have express written permission to access this system. You have
no expectation of privacy in its use and to ensure that the system is functioning
properly, individuals using this system are subject to having their activities
monitored and recorded at all times. Use of this system evidences an express consent
to such monitoring and agreement that if such monitoring reveals evidence of possible
abuse or criminal activity the results of such monitoring will be supplied to the
appropriate officials to be prosecuted to the fullest extent of both civil and
criminal law.

Unauthorized Access to this system is a violation of Federal Electronic Communications
Privacy Act of 1986, and may result in fines of $250,000 and/or imprisonment (Title
18, USC). All IP traffic is logged and violators will be prosecuted.
%
!
Another type of banner is the exec banner, displayed once a user has successfully
authenticated and an EXEC session starts on the router. (Privileged EXEC mode, entered
with enable, is the level analogous to super user on UNIX or Administrator on Windows.)
!
banner exec ^
Please note that this device is part of a production network and all configuration
changes need to be approved in advance. All changes should be recorded and the
configuration backed up before you make changes.
^
!
Apply a password to the console port of the router. Requiring a password on the physical
console provides another layer of security by making anyone who plugs into the device
supply one; with aaa new-model configured above, the console uses the default AAA login
list (TACACS+, then the local username), so no separate line password is needed. The
transport input none setting disables reverse Telnet and protects the physical ports
against network access. The default idle timeout on console, AUX and vty lines is 10
minutes, controlled by the exec-timeout command, as shown below; set it explicitly on every
line. Leaving vty sessions without a timeout is generally regarded as bad practice because
idle sessions hog the few available lines and can block maintenance access in an
emergency. Note that exec-timeout 0 0 means the session stays connected indefinitely, so
never use it on a vty line.
!
line con 0
 exec-timeout 15 0
 transport input none
line aux 0
 exec-timeout 15 0
 transport input none
!
Apply an access control list (ACL) to the VTY (Telnet) ports that defines which
systems, by source IP address, can attempt to access this router via Telnet. Most IOS
versions support only five VTY ports; this means that when you look in the
configuration and see "line vty 0 4," there can be a maximum of five Telnet
connections if you count 0 as a line (0, 1, 2, 3, 4). In the following example, we are
configuring a group of VTY lines (0-3) to all have the same operating parameters. The
access list is then applied to the VTY ports through the access-class command as shown
below. The command logging synchronous is an all-time favorite of mine; it preserves
what you have been typing when the router begins reporting information. By default the
router tacks that information onto the line you are typing on, causing you to
completely lose track of what has been done so far. The logging synchronous command
lets the router give you the output as normal, but not on the line you are typing
on!
!
line vty 0 3
 access-class 100 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
!
Notice in the preceding configuration lines the use of Telnet and SSH as the means to
access the VTY lines. Best practice is to use only SSH; however, the IOS version you
are running might not allow that. Whenever possible use SSH and not Telnet, which
means the keyword telnet should not be included in the preceding statement.
Remember to remove it!
!
The definition of this access list is important to understand and would normally
appear much earlier in the configuration; however, for ease of understanding, I have
moved it to the relevant section. Access control list 100 denies everyone access to
the router except connection attempts from the network management server (7.7.7.5)
or the firewall (6.6.6.1), and only if SSH (port 22) or Telnet (port 23) is used. We
log every successful access, which allows us to monitor who is connecting, when, and
how. Of course, we also log any denied access attempts to learn the same information.
Because these are extended ACLs with the log-input keyword, each entry also records
additional data (the input interface and source MAC address), which creates an audit
trail of all access to the router.
!
access-list 100 remark DEFINE TELNET ACCESS TO THE ROUTER
access-list 100 permit tcp host 7.7.7.5 host 0.0.0.0 range 22 23 log-input
access-list 100 permit tcp host 6.6.6.1 host 0.0.0.0 range 22 23 log-input
access-list 100 deny ip any any log-input
!
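As an added example (not from the book), the following Python script parses the %SEC-6-IPACCESSLOGP syslog messages that the log-input keyword generates and turns them into the who/when/how audit trail described above, plus a per-source tally of denied attempts. The log lines, the hostname rtr1 and the router address 6.6.6.2 are constructed.

```python
import re
from collections import Counter
# Constructed syslog lines (not real router output) in the %SEC-6-IPACCESSLOGP format that
# log-input produces: source(port) (ingress-interface source-mac) -> destination(port).
# 6.6.6.2 is a made-up address for the router's own interface.
LOGS = """\
Jan 14 10:02:11 rtr1 %SEC-6-IPACCESSLOGP: list 100 permitted tcp 7.7.7.5(51022) (GigabitEthernet0/1 0011.2233.4455) -> 6.6.6.2(22), 1 packet
Jan 14 10:05:40 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.9.9(40112) (GigabitEthernet0/0 00aa.bbcc.ddee) -> 6.6.6.2(23), 1 packet
Jan 14 10:10:41 rtr1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.9.9(40113) (GigabitEthernet0/0 00aa.bbcc.ddee) -> 6.6.6.2(22), 14 packets
Jan 14 10:12:03 rtr1 %SEC-6-IPACCESSLOGP: list 100 permitted tcp 6.6.6.1(33001) (GigabitEthernet0/0 0022.3344.5566) -> 6.6.6.2(22), 1 packet
"""

PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<ifname>\S+) (?P<mac>\S+)\))? -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet"
)

def parse_acl_log(text):
    """Return one dict per IPACCESSLOGP line; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = PATTERN.match(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events

def audit_trail(events):
    """Who/when/how for each permitted management connection: (time, source, service, interface)."""
    svc = {"22": "ssh", "23": "telnet"}
    return [(e["ts"], e["src"], svc.get(e["dport"], e["dport"]), e["ifname"])
            for e in events if e["action"] == "permitted"]

def denied_by_source(events):
    """Denied packets per (source, ingress interface, MAC); a high count from one source deserves a look."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied":
            totals[(e["src"], e["ifname"], e["mac"])] += e["count"]
    return totals

if __name__ == "__main__":
    evs = parse_acl_log(LOGS)
    for row in audit_trail(evs):
        print("permitted", *row)
    for key, n in denied_by_source(evs).most_common():
        print("denied", n, "packets from", *key)
```

IOS logs the first matching packet immediately and afterwards only a count summary per logging interval (5 minutes by default), so the packet counts are per-interval totals rather than one line per connection attempt.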
Whenever possible, enable SSH connectivity because SSH is much more secure than
Telnet. Obviously, you must have an IOS image that supports SSH, and do not forget to
generate the key with the crypto key generate RSA command.
!
Leave one VTY line (line 4) free for emergency access, just in case. The host 7.7.7.8 is
a secure host in your network management operations center. If all the other VTYs are
occupied, this leaves one VTY available, and access through it is logged as well.
!
line vty 4
 access-class 105 in
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
!
NOTE: You can also use AAA during the login process, and if it is configured properly,
you should!
!
access-list 105 remark VTY Access ACL
access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
access-list 105 deny ip any any log-input
!
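An added check that is not part of the book's template: this Python script audits a line/ACL excerpt for the points made above (transport input none on the console and AUX ports, no telnet keyword on the VTYs, an access-class on every VTY backed by an ACL that ends in a logged deny, and no exec-timeout of 0). The excerpt it reads is a constructed variant of the template with two weaknesses introduced on purpose.

```python
# Constructed variant of the template above (not the book's config); vty 4 and ACL 105 are weakened on purpose.
TEMPLATE = """\
line con 0
 exec-timeout 15 0
 transport input none
line vty 0 3
 access-class 100 in
 exec-timeout 15 0
 transport input telnet ssh
line vty 4
 access-class 105 in
 exec-timeout 0 0
 transport input ssh
access-list 100 deny ip any any log-input
access-list 105 permit tcp host 7.7.7.8 host 0.0.0.0 range 22 23 log-input
"""

def parse(cfg):
    """Group each 'line ...' stanza with its indented sub-commands; bucket ACL entries by number."""
    stanzas, acls, cur = {}, {}, None
    for raw in cfg.splitlines():
        if raw.startswith("line "):
            cur = raw.strip()
            stanzas[cur] = []
        elif raw.startswith(" ") and cur:
            stanzas[cur].append(raw.strip())
        else:
            cur = None  # any other top-level command ends the stanza
            if raw.startswith("access-list "):
                acls.setdefault(raw.split()[1], []).append(raw.strip())
    return stanzas, acls

def audit(cfg):
    """Return one finding per weakness; an empty list means every check passed."""
    out, (stanzas, acls) = [], parse(cfg)
    for name, cmds in stanzas.items():
        if "exec-timeout 0 0" in cmds:
            out.append(f"{name}: exec-timeout 0 0 keeps idle sessions open indefinitely")
        if not name.startswith("line vty"):
            if "transport input none" not in cmds:  # console/AUX: block reverse Telnet
                out.append(f"{name}: missing 'transport input none'")
            continue
        if any(c.startswith("transport input") and "telnet" in c.split() for c in cmds):
            out.append(f"{name}: Telnet allowed; restrict transport input to ssh")
        acl = next((c.split()[1] for c in cmds if c.startswith("access-class ")), None)
        last = acls.get(acl, [""])[-1]  # the final entry should be an explicit, logged deny
        if not (last.startswith(f"access-list {acl} deny ip any any") and "log" in last):
            out.append(f"{name}: access-class {acl} missing or not ending in a logged 'deny ip any any'")
    return out
```

Run audit(TEMPLATE) against the sample to get three findings (Telnet on vty 0 3, the zero exec-timeout on vty 4, and the incomplete ACL 105); feed it a copy of your own running-config instead to check a real device.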


Although this section covers how to configure a router virtually and how it operates, do not forget about the physical security of your routers. Physical access to network devices usually allows unprecedented levels of control to tap the link, block, jam, inject traffic, and so forth. It makes no sense to install complicated security measures when access to the hardware is not equally secure.
