Lockdown/Securing tips for a Cisco router and network
1 – Before you start, here is a good command to avoid locking yourself out of the router when you are working remotely:
reload in 5
then apply the new commands, and if everything is fine (if not, the router reloads in 5 minutes and comes back with the saved config):
reload cancel
2 – Automatic wizard to secure the router:
Router#auto secure
3 – Some useful security commands:
Router(config)#no service password-recovery
Router(config)#security passwords min-length ?
Router(config)#security authentication failure rate ?
Router(config)#username rassoul secret cisco # use secret rather than password
Router(config)#login block-for 100 attempts 5 within 60
Router(config)#login quiet-mode access-class allowed-acl
Router(config)#login delay ?
Router(config)#login on-failure ?
Router(config)#login on-success ?
Router(config)#banner ?
Router(config)#secure boot-image # protects the IOS image in flash (cannot be removed or overwritten)
Router(config)#secure boot-config # protects the config in flash (cannot be removed or overwritten)
To undo these you have to run “no secure boot-image” / “no secure boot-config” from the console; they cannot be cleared over a remote session.
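The commands in step 3 put together as one pasteable login-hardening configuration. This is an added example, not part of the original post: the ACL name ALLOWED-ACL, the 10.1.1.0/24 management subnet, the username admin and the placeholder passwords are all constructed.

```cisco
! --- added example: login hardening for a Cisco IOS router (constructed values) ---
! Enforce a minimum length on all newly configured passwords and log bursts of failures
security passwords min-length 10
security authentication failure rate 3 log
! Hide type 7 passwords in the config and keep the enable secret hashed
service password-encryption
enable secret REPLACE-WITH-ENABLE-SECRET
! Local admin account stored as a hash (secret), not a reversible password
username admin privilege 15 secret REPLACE-WITH-ADMIN-SECRET
! Hosts that may still log in while the router is in quiet mode (management subnet)
ip access-list standard ALLOWED-ACL
 permit 10.1.1.0 0.0.0.255
! After 5 failed logins within 60 s, block further logins for 100 s (quiet mode)
login block-for 100 attempts 5 within 60
login quiet-mode access-class ALLOWED-ACL
! Slow down password guessing and log every success and failure
login delay 2
login on-failure log every 1
login on-success log
! Legal notice shown before the login prompt
banner motd ^C
Authorized access only. All activity is monitored and logged.
^C
! Apply local authentication and an idle timeout to the remote lines
line vty 0 4
 login local
 exec-timeout 5 0
```

Pair this with the reload in / reload cancel trick from step 1: if the quiet-mode ACL is wrong you lock yourself out until the timer expires, and a pending reload brings the saved configuration back.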
4 – Use AAA configuration:
Router(config)#aaa new-model
5 – Role-based privileges (CLI views):
Router#enable view
Password:
Router#conf t
Router(config)#parser view ?
Router(config)#parser view monitor # creates a view named monitor
Router(config-view)#commands ?
Router(config-view)#commands exec ? # adds an exec-mode command to the view
Router>enable view ?
Router>enable view monitor # switch into the monitor view
Password:
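Steps 4 and 5 together: AAA enabled with a local fallback, and a restricted MONITOR view assigned to a user. This is an added example and not from the original post; the view name MONITOR, the username ops and the placeholder secrets are constructed.

```cisco
! --- added example: AAA plus a role-based CLI view (constructed values) ---
! Enabling AAA switches the vty lines to the AAA "default" method list immediately,
! so define local authentication/authorization in the same paste or you lock yourself out
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret REPLACE-WITH-ENABLE-SECRET
! Views require aaa new-model; this view only gets read-only show commands and ping
parser view MONITOR
 secret REPLACE-WITH-VIEW-SECRET
 commands exec include show version
 commands exec include show ip interface brief
 commands exec include show ip route
 commands exec include show logging
 commands exec include ping
 commands exec include exit
! Bind the view to a user: after login this account lands in MONITOR, not privileged exec
username ops view MONITOR secret REPLACE-WITH-OPS-SECRET
```

Verify it from the root view with show parser view all, and log in as ops to confirm that configure terminal and the unlisted show commands are rejected.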
6 – Use access-lists (standard, extended, established, time-based, CBAC, dynamic)
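The ACL types listed above, each shown in a working fragment: a standard ACL protecting the vty lines, and an extended ACL that combines an established entry with a time-range entry. This is an added example, not from the original post; the ACL names, the 10.1.1.0/24 inside network, the 203.0.113.10 server address and the interface name are constructed.

```cisco
! --- added example: standard, extended, established and time-based ACLs (constructed values) ---
! Standard ACL: only the management subnet may reach the vty lines; log everything else
ip access-list standard MGMT-HOSTS
 permit 10.1.1.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-HOSTS in
! Time range referenced by the time-based entry below
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
! Extended ACL on the outside interface
ip access-list extended OUTSIDE-IN
 ! Public web server is reachable at any time
 permit tcp any host 203.0.113.10 eq 443
 ! Return traffic for sessions started from inside: "established" only checks ACK/RST flags,
 ! it is not stateful, which is why CBAC (step 8) is the better choice where available
 permit tcp any 10.1.1.0 0.0.0.255 established
 ! SSH to the server only during business hours
 permit tcp any host 203.0.113.10 eq 22 time-range BUSINESS-HOURS
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
```

Because time-range entries depend on the router clock, keep NTP (step 7) configured, otherwise the business-hours window drifts or never opens.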
7 – Set up SSH, SYSLOG, SNMP, NTP
SNMP version 3:
Router(config)#snmp-server engineID local ?
Router(config)#snmp-server group ? # maps a group (and its users) to a view
Router(config)#snmp-server user ?
Router(config)#snmp-server view ?
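A complete step-7 configuration: SSH-only management, syslog to a collector, authenticated NTP, and SNMPv3 with authentication and encryption. This is an added example and not from the original post; the hostname, domain, the 10.1.1.50 syslog/SNMP host, the 10.1.1.60 NTP server, the user and group names and all placeholder keys are constructed.

```cisco
! --- added example: SSH, syslog, NTP and SNMPv3 (constructed values) ---
! SSH: hostname and domain are required before the RSA key can be generated
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 transport input ssh
 login local
! Syslog: local buffer plus a remote collector, with usable timestamps
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging host 10.1.1.50
logging trap informational
! NTP: authenticate the time source so log timestamps and time-based ACLs can be trusted
ntp authentication-key 1 md5 REPLACE-WITH-NTP-KEY
ntp authenticate
ntp trusted-key 1
ntp server 10.1.1.60 key 1
! SNMPv3: set the engine ID first; changing it later invalidates the user keys derived from it
snmp-server engineID local 800000090300AABBCCDDEEFF
! Read-only view, a group bound to it at the "priv" level, and a user with SHA auth + AES privacy
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-GROUP v3 priv read MGMT-VIEW
snmp-server user monitor MGMT-GROUP v3 auth sha REPLACE-WITH-AUTH-PW priv aes 128 REPLACE-WITH-PRIV-PW
! Send traps to the collector using that same v3 user
snmp-server host 10.1.1.50 version 3 priv monitor
```

The engine ID value above is a placeholder of the right shape, not a value from the post; the group is created with priv so that requests without authentication and encryption are refused, and no SNMPv1/v2c community strings are defined at all.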
8 – CBAC
Router(config)#ip inspect name INSPECT-NAME appfw APPFW-NAME
Router(config)#ip inspect name INSPECT-NAME tcp
Router(config)#ip inspect name INSPECT-NAME udp
Router(config)#appfw policy-name APPFW-NAME
Router(cfg-appfw-policy)#application im aol
Router(cfg-appfw-policy-aim)#service default action reset alarm
Router(cfg-appfw-policy-aim)#service text-chat action reset alarm
Router(cfg-appfw-policy-aim)#server deny name login.oscar.aol.com
Router(cfg-appfw-policy-aim)#server deny name toc.oscar.aol.com
Router(cfg-appfw-policy-aim)#audit-trail on
Router(config)#int fa0/0 # inside interface: inspect traffic leaving the LAN
Router(config-if)#ip inspect INSPECT-NAME in
Router(config)#int dialer 0 # outside interface: block unsolicited inbound traffic
Router(config-if)#ip access-group BLOCK-IN in
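The piece the CBAC steps above leave out is the BLOCK-IN ACL itself. This added example (not from the original post) defines it and shows the full inside/outside placement; the inspect rule name, the interface names and the ICMP exceptions are constructed choices.

```cisco
! --- added example: CBAC with the outside ACL defined (constructed values) ---
! Inbound ACL on the outside interface. CBAC inserts temporary entries in front of it for
! return traffic of inspected sessions, so only what CBAC never tracks needs a permit here
ip access-list extended BLOCK-IN
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny ip any any log
! Inspection rules: generic tcp/udp plus icmp, with an audit trail of every session
ip inspect name INSPECT-NAME tcp
ip inspect name INSPECT-NAME udp
ip inspect name INSPECT-NAME icmp
ip inspect audit-trail
! Inside interface: inspect sessions as they leave the LAN
interface FastEthernet0/0
 description inside
 ip inspect INSPECT-NAME in
! Outside interface: everything not opened by inspection is dropped and logged
interface Dialer0
 description outside
 ip access-group BLOCK-IN in
```

Check it with show ip inspect sessions while a host inside browses: each session appears as a dynamic entry, and show ip inspect config confirms which protocols the rule covers.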
9 – IPS/IDS
Download an SDF (signature definition file) and put it in your flash (example: 128MB.sdf)
Router(config)#no ip ips sdf builtin
Router(config)#ip ips sdf location flash://128MB.sdf
Router(config)#ip ips name IPS-NAME
Router(config)#ip ips signature ? # to disable or delete a signature by its number
Router(config)#int dialer 0
Router(config-if)#ip ips IPS-NAME in
Router(config)#ip ips notify log