IOS Security Configuration

Cisco AutoSecure

Released in IOS version 12.3, AutoSecure is a security tool that can be used to scan the security configurations of Cisco IOS devices and rectify certain vulnerabilities. AutoSecure is often used in the field to provide a baseline security policy on a new router. Features can then be altered to support the security policy of the organization.

AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router.

There are several management plane services and functions that can be configured by AutoSecure:

  • Secure BOOTP, CDP, FTP, TFTP, PAD, UDP, and TCP small servers, MOP, ICMP (redirects, mask-replies), IP source routing, Finger, password encryption, TCP keepalives, gratuitous ARP, proxy ARP, and directed broadcast
  • Legal notification using a banner
  • Secure password and login functions
  • Secure NTP
  • Secure SSH access
  • TCP intercept services

There are three forwarding plane services and functions that are enabled by AutoSecure:

  • Cisco Express Forwarding (CEF)
  • Traffic filtering with ACLs
  • Cisco IOS firewall inspection for common protocols

AutoSecure Command Syntax

To enable Cisco AutoSecure, use the following command:

Device# auto secure {no-interact | full} [forwarding | management] [ntp | login | ssh | firewall | tcp-intercept]

The auto secure command parameters are described below:

  • no-interact: The user will not be prompted for any interactive configuration. No interactive dialogue parameters will be configured, including usernames or passwords.
  • full: The user will be prompted for all interactive questions. This is the default setting.
  • forwarding: Only the forwarding plane will be secured.
  • management: Only the management plane will be secured.
  • ntp: Only configure the NTP feature.
  • login: Only configure the login feature.
  • ssh: Only configure the SSH feature.
  • firewall: Only configure the firewall feature.
  • tcp-intercept: Only configure the TCP Intercept feature.

AutoSecure should only be used when a router is initially being configured. It is not recommended for use on production routers.

Secure Administrative Access

Authentication

To secure user EXEC mode access, enter line console configuration mode using the line console 0 global configuration command. Specify the user EXEC mode password using the password password command. Finally, enable user EXEC access using the login command.

S1# configure terminal
S1(config)# line console 0
S1(config-line)# password cisco
S1(config-line)# login
S1(config-line)# exit
S1(config)# 

// Virtual terminal (VTY) lines enable remote access
//  using Telnet or SSH to the device.

S1(config)# line vty 0 15
S1(config-line)# password cisco 
S1(config-line)# login 
S1(config-line)# end
S1#

To secure privileged EXEC access, use the enable secret password global config command, as shown in the example.

S1# configure terminal
S1(config)# enable secret class
S1(config)# exit
S1#

Password Encryption

The startup-config and running-config files display most passwords in plaintext. To encrypt all plaintext passwords, use the service password-encryption global config command.

R1(config)# service password-encryption 
R1(config)# security passwords min-length 8 
R1(config)# login block-for 120 attempts 3 within 60
R1(config)# line vty 0 4 
R1(config-line)# password cisco 
R1(config-line)# exec-timeout 5 30 
R1(config-line)# transport input ssh 
R1(config-line)# end 
R1# 

MD5 is no longer considered secure: practical collision attacks against it have been used to forge valid certificates. The enable secret password command shown above uses an MD5 hash (type 5) by default. Therefore, it is now recommended that you configure all secret passwords using either type 8 or type 9 passwords. Type 8 and type 9 were introduced in Cisco IOS 15.3(3)M.

To set an encrypted password, use the enable algorithm-type command syntax (the secret keyword follows the chosen algorithm and precedes the password):

// enable algorithm-type { md5 | scrypt | sha256 } secret <password>
R1(config)# enable algorithm-type scrypt secret cisco12345

The algorithm keywords for the command are described below:

  • md5: Type 5; selects the message digest algorithm 5 (MD5) as the hashing algorithm.
  • scrypt: Type 9; selects scrypt as the hashing algorithm. [best option]
  • sha256: Type 8; selects Password-Based Key Derivation Function 2 (PBKDF2) with Secure Hash Algorithm, 256-bits (SHA-256) as the hashing algorithm.
  • secret: stores the password in plaintext

Type 8 and type 9 encryption were also introduced in Cisco IOS 15.3(3)M for the username secret command:

// username <name> algorithm-type { md5 | scrypt | sha256 } secret <password>
R1(config)# username Bob algorithm-type scrypt secret cisco54321

Additional Login Security

These login enhancements can only be enabled if the local database is used for authentication for local and remote access. If the lines are configured for password authentication only, then the enhanced login features are not enabled.

R1(config)# login block-for 15 attempts 5 within 60 
R1(config)# ip access-list standard PERMIT-ADMIN
R1(config-std-nacl)# remark Permit only Administrative hosts     
R1(config-std-nacl)# permit 192.168.10.10
R1(config-std-nacl)# permit 192.168.11.10 
R1(config-std-nacl)# exit 
R1(config)# login quiet-mode access-class PERMIT-ADMIN   
R1(config)# login delay 10  
R1(config)# login on-success log
R1(config)# login on-failure log every 3
R1(config)#

All login enhancement features are disabled until the login block-for command is configured.

The login enhancement configuration commands are described below:

  • login block-for: Can defend against DoS attacks by disabling logins after a specified number of failed login attempts. When implemented, a one-second delay between login attempts is automatically invoked.
  • login quiet-mode: Maps to an ACL that identifies the permitted hosts. This ensures that only authorized hosts can attempt to log in to the router. Reset using the login normal-mode command.
  • login delay: Specifies a number of seconds the user must wait between unsuccessful login attempts. Defaults to one second.
  • login on-[success|failure]: Log successful and unsuccessful login attempts. The number of login attempts before a logging message is generated can be specified by appending every <attempts> to the command, where the default value is 1 attempt. The valid range is from 1 to 65,535.

These login configuration commands do not apply to console connections. When dealing with console connections, it is assumed that only authorized personnel have physical access to the devices.

As an alternative to the login on-failure log command, the security authentication failure rate command can be configured to generate a log message when the login failure rate is exceeded.

R1(config)# security authentication failure rate <count> log
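As an added example (not from the original note or from Cisco), the following Python detection logic parses the syslog messages that login on-failure log and login on-success log produce and applies the same sliding-window rule as login block-for 15 attempts 5 within 60, also marking whether a source would still be admitted by the PERMIT-ADMIN ACL during quiet mode. The sample lines and the exact message format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines in the shape IOS emits for 'login on-failure log' and
# 'login on-success log' (the exact message format is an assumption here).
SAMPLE_LOG = """\
Mar  1 10:00:01 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Fri Mar 1 2024
Mar  1 10:00:09 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Fri Mar 1 2024
Mar  1 10:00:20 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 192.168.10.10] [localport: 22] at 10:00:20 UTC Fri Mar 1 2024
Mar  1 10:00:31 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:31 UTC Fri Mar 1 2024
Mar  1 10:00:40 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:40 UTC Fri Mar 1 2024
Mar  1 10:00:55 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:55 UTC Fri Mar 1 2024
Mar  1 10:05:00 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.168.11.10] [localport: 22] [Reason: Login Authentication Failed] at 10:05:00 UTC Fri Mar 1 2024
"""

# Hosts in the PERMIT-ADMIN ACL from the text (login quiet-mode access-class).
PERMIT_ADMIN = {"192.168.10.10", "192.168.11.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS):"
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_events(text, year=2024):
    """Return (timestamp, event, user, source) tuples for each SEC_LOGIN message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events

def failures_per_source(events):
    counts = defaultdict(int)
    for _, event, _, src in events:
        if event == "LOGIN_FAILED":
            counts[src] += 1
    return dict(counts)

def detect_bruteforce(events, attempts=5, within=60):
    """Sliding window matching 'login block-for 15 attempts 5 within 60': raise one
    alert per source each time `attempts` failures land inside `within` seconds."""
    window, alerts = defaultdict(deque), []
    for ts, event, _, src in sorted(events):
        if event != "LOGIN_FAILED":
            continue
        q = window[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > within:
            q.popleft()
        if len(q) >= attempts:
            alerts.append({"source": src, "at": ts, "failures": len(q),
                           "exempt_in_quiet_mode": src in PERMIT_ADMIN})
            q.clear()  # the router would now be in quiet mode; start a fresh window
    return alerts
```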

Enable SSH

  1. Configure a unique device hostname.
  2. Configure the IP domain.
  3. Configure SSH key pairs using the RSA algorithm (a modulus of 2048 bits or larger is recommended).
  4. Verify or create an admin user with any necessary privileges.
  5. Enable SSH version 2.
  6. Configure desired SSH security settings.
  7. Configure the VTY lines to only allow SSH connections.
  8. Configure either a local or remote database for authentication.
  9. Set the router to automatically disconnect an inactive user on a VTY line if the line has been idle for 5 minutes and 30 seconds.

Switch(config)# hostname S1
S1(config)# ip domain name example.com
S1(config)# crypto key zeroize rsa
S1(config)# crypto key generate rsa general-keys modulus 1024
S1(config)# username SSHadmin privilege 15 secret ciscosshpa55
S1(config)# ip ssh version 2
S1(config)# ip ssh timeout 90
S1(config)# ip ssh authentication-retries 2
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 30 
S1(config-line)# end
S1# show crypto key mypubkey rsa
! % Key pair was generated at: 21:18:41 UTC Feb 16 2015 
! Key name: S1.example.com 
! Key type: RSA KEYS 
! 
! <...output omitted...>
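As an added example serving both the Password Encryption section above and this SSH/VTY procedure, a small Python audit (not from the original note or from Cisco) that reads a constructed running-config excerpt and flags the weak settings those sections warn about: type 5/7/0 passwords instead of type 8/9 secrets, missing service password-encryption and ip ssh version 2, and VTY lines that are not SSH-only, lack login local, or have no exec-timeout. The config text and the placeholder hash bodies are constructed, and the finding wording is my own.

```python
import re

# Constructed running-config excerpt (hash bodies are placeholders, not real hashes).
SAMPLE_CONFIG = """\
enable secret 5 $1$salt$PLACEHOLDER_MD5
username Bob secret 9 $9$PLACEHOLDER_SCRYPT
username ops password 7 0822455D0A16
line vty 0 4
 password 7 0822455D0A16
 login local
 transport input ssh
 exec-timeout 5 30
line vty 5 15
 login
 transport input telnet ssh
"""

STRONG_TYPES = {"8", "9"}  # PBKDF2-SHA256 (8) and scrypt (9), as recommended in the text
SECRET_RE = re.compile(r"^(enable secret|username \S+ secret)\s+(\d)\s+\S+")
PASSWORD_RE = re.compile(r"^(username \S+ password|password)\s+(?:(\d)\s+)?\S+")

def split_sections(config):
    """Split an IOS config into global lines and 'line ...' sections by indentation."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections

def audit(config):
    """Return one finding string per setting that contradicts the hardening above."""
    findings = []
    global_lines, sections = split_sections(config)
    for line in global_lines:
        m = SECRET_RE.match(line)
        if m and m.group(2) not in STRONG_TYPES:
            findings.append(f"{m.group(1)}: type {m.group(2)} hash, use algorithm-type scrypt")
        m = PASSWORD_RE.match(line)
        if m:
            findings.append(f"{m.group(1)}: reversible type {m.group(2) or '0'} password, use secret")
    for cmd in ("service password-encryption", "ip ssh version 2"):
        if cmd not in global_lines:
            findings.append(f"global: '{cmd}' not set")
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue  # console lines are exempt from the login enhancements
        if "transport input ssh" not in body:
            findings.append(f"{name}: transport input should be ssh only")
        if "login local" not in body:
            findings.append(f"{name}: login local missing (needed for login enhancements)")
        if not any(l.startswith("exec-timeout") for l in body):
            findings.append(f"{name}: exec-timeout not set")
        findings += [f"{name}: reversible line password" for l in body if PASSWORD_RE.match(l)]
    return findings
```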

Inter-Router SSH Connections

A Cisco router can connect via SSH to another SSH-enabled router using the ssh -l username ip-address command:

R1# ssh -l Bob 192.168.2.101 
 
Password:  
 
R2> enable
R2# show ssh 
! Connection Version Mode Encryption  Hmac       State             ! Username 
! 0          2.0     IN   aes128-cbc  hmac-sha1  Session started   ! Bob 
! 0          2.0     OUT  aes128-cbc  hmac-sha1  Session started   ! Bob 
! %No SSHv1 server connections running. 
R2#

Privilege Levels

There are 16 privilege levels in total, as listed below. Commands that are available at lower privilege levels are also executable at higher levels.

  • Level 0 — Predefined for user-level access privileges. Seldom used, but includes five commands: disable, enable, exit, help, and logout.
  • Level 1 — The default level for login with the router prompt Router >. A user cannot make any changes or view the running configuration file.
  • Levels 2-14 — May be customized for user-level privileges. Commands from lower levels may be moved up to another higher level, or commands from higher levels may be moved down to a lower level.
  • Level 15 — Reserved for the enable (privileged EXEC) mode privileges (enable command). Users can change configurations and view configuration files.

To assign commands to a custom privilege level, use the privilege global configuration command:

// privilege <mode> [level {<level>|reset} <command>]
Router(config)# privilege exec level 5 ping

The use of privilege levels has its limitations:

  • There is no access control for interfaces, ports, logical interfaces, and slots on a router.
  • Commands available at lower privilege levels are always executable at higher levels.
  • Commands specifically set at a higher privilege level are not available to lower privileged users.
  • Assigning a command with multiple keywords allows access to all commands that use those keywords. For example, allowing access to show ip route allows the user access to all show and show ip commands.

There are two methods to create passwords for the various privilege levels:

Router(config)# username <name> privilege <level> secret <password>
Router(config)# enable [algorithm-type <type>] secret level <level> <password>

Both the username secret and the enable secret commands are configured for type 9 encryption.

Role-Based Access

This feature provides granular access to the OS by controlling which commands are available to specific roles. Each view defines the CLI commands that each user can access. Additionally, administrators can control user access to specific ports, logical interfaces, and slots on a router.

Role-based CLI provides three types of views that dictate which commands are available:

  • Root View — Has the same access privileges as a user who has level 15 privileges. Only a root view user can configure a new view and add or remove commands from the existing views.
  • CLI View — Bundled set of available commands. Each view must be assigned all commands associated with that view. Views cannot inherit commands from other views.
  • Superview — Consists of one or more CLI views. Superviews allow a network administrator to assign users and groups of users multiple CLI views at once. Superviews cannot directly be assigned a command. Each superview has a password that is used to access it.

View Configuration

Before an administrator can create a view, AAA must be enabled using the aaa new-model command. To configure and edit views, an administrator must log in as the root view using the enable view [root] command. When prompted, enter the enable secret password.

Excluding the root view, there is a maximum limit of 15 views.

There are three steps to create and manage a specific view:

  1. Create a view using the parser view view-name global configuration command.
  2. Assign a secret password to the view using the secret password view configuration command. The password must be created immediately after creating a view, otherwise, an error message will appear.
  3. Assign commands to the selected view using the commands parser-mode command.

Router(config-view)# commands parser-mode {include | include-exclusive | exclude} [all] [interface interface-name | command]

The options for the command are described below:

  • parser-mode: The mode in which the specified command exists; for example, EXEC mode.
  • include: Adds a command or an interface to the view and allows the same command or interface to be added to other views.
  • include-exclusive: Adds a command or an interface to the view and excludes the same command or interface from being added to all other views.
  • exclude: Excludes a command or an interface from the view.
  • all: A "wildcard" that allows every command in a specified configuration mode that begins with the same keyword, or every subinterface for a specified interface, to be part of the view.
  • interface interface-name: Interface that is added to the view.
  • command: Command that is added to the view.

Superview Configuration

There are three steps to create and manage a superview:

  1. Create a superview using the parser view view-name superview global configuration command.
  2. Assign a secret password to the view using the secret password view configuration command. The password must be created immediately after creating the superview, otherwise, an error message will appear.
  3. Assign an existing view using the view view-name command.

To verify the view configuration, use the show parser view [all] command.

IOS Hardening

Cisco IOS Resilient Configuration features allow for faster recovery if someone maliciously or unintentionally reformats flash memory or erases the startup configuration file in NVRAM.

These features maintain a secure working copy of the device's IOS image file or the running configuration file. These secure files cannot be removed by the user and are referred to as the primary bootset.

IOS Image Resilience is only available on older routers that support a PCMCIA Advanced Technology Attachment (ATA) flash interface. Newer routers such as the ISR 4000 do not support this feature.

Cisco IOS file system prevents secured files from being listed in the output of the dir command. Use the show secure bootset command to verify the existence of a secured archive or IOS image.

Enable IOS Image Resilience

To secure the IOS image and enable Cisco IOS image resilience, use the secure boot-image global configuration mode command. When enabled for the first time, the running Cisco IOS image is secured and a log entry is generated.

Image Resilience can only be disabled through a console session using the no secure boot-image global configuration command.

This command functions properly only when the system is configured to run an image from a flash drive with an ATA interface. Additionally, the running image must be loaded from persistent storage to be secured as primary.

Images that are loaded from a remote location, such as a TFTP server, cannot be secured.

Enable Running-Configuration Resilience

To copy the running-configuration and securely archive it in persistent storage, use the secure boot-config global configuration command. The configuration archive is hidden and cannot be viewed or removed directly from the CLI prompt.

Subsequent use of the secure boot-config command will update the archived configuration to match the latest version.

The configuration file in the primary bootset is a copy of the running configuration that was in use when the feature was first enabled.

Remote Backup of Secure Archives

Secure Copy Protocol (SCP) is used to remotely back up Resilient Configuration files. SCP provides a secure and authenticated method for copying router configuration or router image files to a remote location.

SCP requires the SSH and AAA features to be enabled.

Use the following steps to configure a router or switch for server-side SCP with local AAA:

  1. Use the aaa authentication login default local command to use the local database for authentication.
  2. Use the aaa authorization exec default local command to configure command authorization.
  3. Enable SCP server-side functionality with the ip scp server enable command.

R1(config)# aaa authentication login default local 
R1(config)# aaa authorization exec default local   
R1(config)# ip scp server enable

To copy a file to a remote location using SCP, use the copy source scp: command. A series of prompts will be presented in order to configure the destination of the SCP action:

R2# copy flash0:R2backup.cfg scp:
Address or name of remote host []? 10.1.1.1
Destination username [R1]? Bob
Destination filename [R2backup.cfg]?
! Writing R2backup.cfg
Password: <cisco12345>
!
! 1381 bytes copied in 8.596 secs (161 bytes/sec) 

R2#

The most common authentication issue is an incorrect username/password combination. There is also an authentication failure if the username/password combination was not assigned the privilege 15 configuration on the SCP server.

Enter the debug ip scp command to watch the transfer proceed, if verification is needed.

Restoring the Primary Bootset

To restore the primary bootset from a secure archive:

  1. Restart the router using the reload command. If necessary, issue the break sequence to enter ROM monitor (ROMmon) mode.
  2. From ROMmon mode, enter the dir drive command to list the contents of the storage device that contains the secure bootset file.
  3. Boot the router with the secure bootset image using the boot filepath command, pointing to the secure archive found in Step 2.
  4. Enter global configuration mode and restore the secure configuration to a filepath of your choice using the secure boot-config restore filepath command.
  5. Exit global configuration mode and issue the copy source running-config command (using the file restored in Step 4 as the source) to copy the rescued configuration file to the running configuration.

Recovery Mode

If a router is compromised or needs to be recovered from a misconfigured password, an administrator must follow the password recovery procedure. Depending on the device, this procedure may vary.

Password Recovery Procedure

  1. Connect to the device's console port.
  2. Use the show version command to display the configuration register setting and document the value (e.g., 0x2102).
  3. Power cycle the router.
  4. Issue the break sequence (e.g., CTRL-BREAK) to enter ROMmon mode.
  5. Change the default configuration register with the confreg 0x2142 command.
  6. Reboot the device using the reset command.
  7. Press CTRL-C to skip the initial setup procedure.
  8. Enter privileged EXEC mode.
  9. Copy the startup configuration to the running configuration using the copy startup-config running-config command.
  10. Verify the configuration.
  11. Change the enable secret password.
  12. Restore the configuration register to the previous setting documented in Step 2 using the config-register value global configuration command (e.g., config-register 0x2102).
  13. Save the configuration changes using the copy running-config startup-config command. On the next reboot, the router will load the new startup configuration file that contains the changed password.

For security reasons, password-recovery requires the administrator to have physical access to the router through a console cable.

If an attacker gains physical access to a router or switch, they could potentially gain control of the device through the password recovery procedure. This leaves the router configuration intact, making this type of attack difficult to detect.

Administrators can mitigate this potential risk by using the no service password-recovery global configuration command. Once password-recovery is disabled, all access to ROMmon mode is disabled.

An attacker may use the password-recovery method to discover the device configuration and other pertinent information about the network, such as traffic flows and access control restrictions.

To recover a device after the password-recovery service is disabled, initiate the break sequence within five seconds after the image decompresses during the boot. You will be prompted to confirm the break key action. After confirmation, the startup configuration is completely erased, and the router boots with the factory default configuration. If you do not confirm the break action, the router boots normally with the password-recovery feature still disabled.