IOS Security Template
IOS security templates are useful if you need to set up one or more routers with the same security setup; with a template you cannot forget an important setting.
With the IOS command "auto secure" (as far as I know available since Cisco IOS Software Major Release 12.3) you can make a single router more secure. The command asks you some questions and then generates a configuration that sets the basic security.
 
your-router#auto secure ?
  firewall     AutoSecure Firewall
  forwarding   Secure Forwarding Plane
  full         Interactive full session of AutoSecure
  login        AutoSecure Login
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  ntp          AutoSecure NTP
  ssh          AutoSecure SSH
  
For more information go to the Cisco homepage. The generated config is a good base for your fine tuning.
 
But if you have to set up more than one router, it's better to use a template, because you can enter the syslog server, TACACS and other settings specific to your environment.
 
I found a very useful IOS security template on www.team-cymru.org
 
You can download it from their website, or you find a version here.
And here are my templates:
 
ios_secure.txt for a single router (Version 0.6)
ios_short.txt for basic security

Security Commands
Here are some command lines for securing a Cisco router or switch.
These are unsorted, but it's easy to cut and paste them into your config.
Private Ranges
Deny private ranges from entering your network (and from leaving it):
      interface xx (outer/inner)
       ip access-group 100 in
       ip access-group 100 out

      access-list 100 deny ip host 0.0.0.0 any
      access-list 100 deny ip 127.0.0.0 0.255.255.255 any
      access-list 100 deny ip 10.0.0.0 0.255.255.255 any
      access-list 100 deny ip 172.16.0.0 0.15.255.255 any
      access-list 100 deny ip 192.168.0.0 0.0.255.255 any
      access-list 100 deny ip 192.0.2.0 0.0.0.255 any
      access-list 100 deny ip 169.254.0.0 0.0.255.255 any
      access-list 100 deny ip 240.0.0.0 15.255.255.255 any
      access-list 100 permit ip any any
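The ACL above relies on IOS wildcard masks (a 1 bit means "don't care"), which are easy to get wrong, e.g. 172.16.0.0 0.15.255.255 must cover 172.31.x.x but not 172.32.x.x. As an added example (not part of the page or the team-cymru template), this Python snippet parses the ACL as written and evaluates source addresses against it with IOS first-match semantics, including the implicit deny at the end. The ACL text is embedded as constructed sample input.

```python
import ipaddress

# Constructed sample input: the private-range ACL from the text above.
ACL_100 = """
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 192.0.2.0 0.0.0.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
"""

def parse_source(tokens):
    """Source field of an entry: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard) as 32-bit integers."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1])))

def parse_acl(text):
    """Return [(action, protocol, (network, wildcard)), ...] in config order."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACL entry
        entries.append((t[2], t[3], parse_source(t[4:])))
    return entries

def evaluate(entries, src_ip):
    """First matching entry wins, as on IOS; no match means the implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, _proto, (net, wild) in entries:
        # Wildcard bit 1 = don't care, 0 = must match: compare only the 0 bits.
        care = ~wild & 0xFFFFFFFF
        if (ip & care) == (net & care):
            return action
    return "deny"
```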
Prevent spoofing
Deny your internal addresses from coming from the outside!
 
Additionally, enable reverse-path filtering (strict check):
 
      ip verify unicast reverse-path
or a "loose check":
      ip verify unicast source reachable-via any
 
Per Interface Settings
 

      interface xy
       no ip source-route
       no ip directed-broadcast
       no ip proxy-arp
       no ip redirects
       no ip unreachables
       no ip mask-reply
       no cdp enable
Rate Limits
If you want to rate-limit TCP SYN and ICMP echo traffic (CAR, committed access rate), use the access lists 100 and 101 defined below:

      interface xy
       rate-limit input access-group 100 8000 8000 8000 conform-action transmit exceed-action drop
       rate-limit output access-group 100 8000 8000 8000 conform-action transmit exceed-action drop
       rate-limit input access-group 101 8000 8000 8000 conform-action transmit exceed-action drop

      ! 100: TCP packets to host x.x.x.x that are not part of an established connection (SYNs)
      access-list 100 deny tcp any host x.x.x.x established
      access-list 100 permit tcp any host x.x.x.x

      ! 101: ICMP echo and echo-reply
      access-list 101 permit icmp any any echo
      access-list 101 permit icmp any any echo-reply


Secure line / aux / vty
Make your lines more secure.

Easy, but useful.

!
! Console
!
line con 0
 exec-timeout 15 0
 transport input none
!
! AUX Port
!
line aux 0
 exec-timeout 15 0
 no exec
!
! line 0 to 3 for the whole net
!
line vty 0 3
 access-class 1 in
 exec-timeout 15 0
! Enable SSH connectivity. This is much more secure than telnet.
! Obviously, you must have an IOS image that supports SSH, and don't
! forget to generate the key with crypto key generate rsa.
 transport input telnet ssh
!
! line 4 only for the NOC System
!
line vty 4
 access-class 2 in
 exec-timeout 15 0
 transport input ssh
!
!
! Add access-lists:
!
! Allow only specific hosts (vty 0 3) to telnet/ssh into the router:
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
! Allow only the NOC system (vty 4) to ssh into the router:
!
access-list 2 permit 192.168.0.10
!
! Block access to aux (apply with "access-class 3 in" under line aux 0).
!
access-list 3 deny 0.0.0.0 255.255.255.255
Some additional commands
!
! disable outgoing telnet / ssh ....
!
line vty 0 4 
  transport output none

Exclusive Lock on config file
To lock the configuration file so that only one person can change the config at a time, you need to set it to auto or manual:
evil-router(config)# configuration mode exclusive auto
After setting this, you see the following when you enter config mode:
evil-router#conf t
 Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
Enter configuration commands, one per line.  End with CNTL/Z.
evil-router(config)#
and if someone else tries, they see:
evil-router#conf t
Configuration mode locked exclusively by user 'trilobit' process '135' from terminal '7'. Please try later.Rollback confirmed change timer is cancelled due to configuration lock error.
To check the lock status and see who is locking the config:

evil-router#show configuration lock
Parser Configure Lock
---------------------
Owner PID                        : 135
User                             : routeradmin
TTY                              : 7
Type                             : EXCLUSIVE
State                            : LOCKED
Class                            : EXPOSED
Count                            : 1
Pending Requests                 : 0
User debug info                  : configure terminal
Session idle state               : TRUE
No of exec cmds getting executed : 0
No of exec cmds blocked          : 0
Config wait for show completion  : FALSE
Remote ip address                : 192.168.1.1
Lock active time (in Sec)        : 140
Lock Expiration timer (in Sec)   : 502
evil-router#
For manual locking you set the config to
configuration mode exclusive manual
and to take the lock when you configure:
evil-router#configure terminal lock
 Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit
Enter configuration commands, one per line.  End with CNTL/Z.
evil-router(config)#

Security Documents
 NSA Hardening Guide
 NSA Hardening Guide IPV6
 NSA Switch Hardening Guide
 Cisco Hardening Guide

Some other config file
Just another config file
 
Some tips...
 
General
configuration mode exclusive auto expire 600

hostname SECURE-ROUTER

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
no service dhcp

logging buffered 64000 informational
logging persistent url flash:/LOG size 4096000 filesize 64000
no logging console
no logging monitor
logging origin-id hostname
logging source-interface Loopback0
logging count
logging x.x.x.x
logging y.y.y.y

aaa new-model
aaa local authentication attempts max-fail 10
aaa authentication login default local
aaa authentication enable default enable
aaa authorization console
aaa authorization exec default local

username user privilege 1 secret 5 
username admin privilege 15 secret 5 

enable secret 5 

no ip source-route
ip options drop

ip cef

ip dhcp bootp ignore
no ip bootp server

no ip domain lookup

memory reserve critical 16000

secure boot-image

warm-reboot count 10

archive
 log config
  logging enable
  logging size 1000
  hidekeys
 path flash:/ARCHIVE/config
 write-memory

no ip http server
no ip http secure-server

no cdp run

ntp authentication-key 1 md5  7
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp update-calendar
ntp server x.x.x.x key 1
ntp server y.y.y.y key 1

Lines

line con 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none

line aux 0
 exec-timeout 60 0
 logging synchronous
 transport preferred none
 transport output none

line vty 0 n
 no exec
 transport input none
 transport output none

Interfaces
interface Null0
 no ip unreachables

interface Loopback0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no mop enabled
 no cdp enable

CoPP
class-map match-any CPPR_HOST_CRITICAL
 match protocol bgp

class-map match-any CPPR_HOST_ICMP
 match protocol icmp

class-map match-any CPPR_HOST_NORMAL
 match protocol ntp
 match protocol ssh
 match protocol sntp

class-map match-any CPPR_HOST_IP
 match protocol ip

class-map match-any CPPR_TRANSIT_CRITICAL
 match protocol ospf
 match protocol bgp

class-map match-any CPPR_TRANSIT_IP
 match protocol ip

class-map match-any CPPR_CEF-EXCEPTION_CRITICAL
 match protocol arp

class-map match-any CPPR_CEF-EXCEPTION_IP
 match protocol ip


policy-map CPPR_HOST
 class CPPR_HOST_CRITICAL
 class CPPR_HOST_ICMP
   police 128000
 class CPPR_HOST_NORMAL
   police 512000
 class CPPR_HOST_IP
   drop

policy-map CPPR_TRANSIT
 class CPPR_TRANSIT_CRITICAL
 class CPPR_TRANSIT_IP
   police 512000

policy-map CPPR_CEF-EXCEPTION
 class CPPR_CEF-EXCEPTION_CRITICAL
 class CPPR_CEF-EXCEPTION_IP
   police 512000

control-plane host
 service-policy input CPPR_HOST
control-plane transit
 service-policy input CPPR_TRANSIT
control-plane cef-exception
 service-policy input CPPR_CEF-EXCEPTION
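The point of a template is that no important setting gets forgotten. As an added example (not part of the page or any vendor tool), this Python audit reads a running-config as text and reports which of the settings from the config above are missing, and which insecure lines are still present. The regexes and the sample config are my own constructions; extend REQUIRED with whatever your template demands.

```python
import re

# Settings from the config above that a hardened router should contain.
# Each entry: (description, regex matched against one line of the running-config).
REQUIRED = [
    ("service password-encryption", r"^service password-encryption$"),
    ("no ip http server", r"^no ip http server$"),
    ("no ip http secure-server", r"^no ip http secure-server$"),
    ("no ip source-route", r"^no ip source-route$"),
    ("no cdp run", r"^no cdp run$"),
    ("aaa new-model", r"^aaa new-model$"),
    ("ntp authenticate", r"^ntp authenticate$"),
    ("archive: logging enable", r"^\s+logging enable$"),
    ("remote syslog server", r"^logging \d+\.\d+\.\d+\.\d+$"),
    ("configuration mode exclusive", r"^configuration mode exclusive\b"),
]

# Lines whose presence is a finding in itself (service left on, weak secret).
FORBIDDEN = [
    ("ip http server enabled", r"^ip http server$"),
    ("telnet accepted on a vty line", r"^\s+transport input (telnet|all)\b"),
    ("enable password instead of enable secret", r"^enable password "),
]

def audit(config_text):
    """Return (missing, findings): descriptions of absent required settings
    and of forbidden lines that are present."""
    lines = [line.rstrip() for line in config_text.splitlines()]
    missing = [desc for desc, rx in REQUIRED
               if not any(re.match(rx, line) for line in lines)]
    findings = [desc for desc, rx in FORBIDDEN
                if any(re.match(rx, line) for line in lines)]
    return missing, findings

# Constructed sample: a router where half of the template was forgotten.
SAMPLE_CONFIG = """\
hostname LAB-ROUTER
service password-encryption
aaa new-model
ip http server
no ip source-route
logging 192.0.2.10
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    missing, findings = audit(SAMPLE_CONFIG)
    print("missing:", missing)
    print("findings:", findings)
```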

(c) 2009 by packetlevel.ch / last update: 24.10.2009