Using AutoSecure to secure a router

Due to the number of CLI commands needed to manually disable services in an attempt to make the router more secure, Cisco introduced the AutoSecure feature from the Major Release 12.3 and subsequent 12.3 T.
AutoSecure is a good command for customers without special Security Operations Applications because it allows them to quickly secure their network without thorough knowledge of all the Cisco IOS features.

The command is available for the Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers.

There are 2 mode:

  • Interactive mode: prompts the user with options to enable and disable services and other security features
  • Non-interactive mode: automatically executes the Cisco AutoSecure command with the recommended Cisco default settings

Cisco Autosecure command:

Ciscozine#auto secure ?
forwarding Secure Forwarding Plane
full Interactive full session of AutoSecure
login AutoSecure Login
management Secure Management Plane
no-interact Non-interactive session of AutoSecure
ntp AutoSecure NTP
tcp-intercept AutoSecure TCP Intercept
<cr>
Ciscozine#

To verify Cisco AutoSecure settings use show auto secure config

Cisco AutoSecure performs the following functions:

  1. Disables the following Global Services
    • Finger
    • PAD
    • Small Servers
    • Bootp
    • HTTP service
    • Identification Service
    • CDP
    • NTP
    • Source Routing
  2. Enables the following Global Services
    • Password-encryption service
    • Tuning of scheduler interval/allocation
    • TCP synwait-time
    • TCP-keepalives-in and tcp-kepalives-out
    • SPD configuration
    • No ip unreachables for null 0
  3. Disables the following services per interface
    • ICMP
    • Proxy-Arp
    • Directed Broadcast
    • Disables MOP service
    • Disables icmp unreachables
    • Disables icmp mask reply messages
  4. Provides logging for security
    • Enables sequence numbers & timestamp
    • Provides a console log
    • Sets log buffered size
    • Provides an interactive dialogue to configure the logging server ip address
  5. Secures access to the router
    • Checks for a banner and provides facility to add text to automatically configure:
    • Login and password
    • Transport input & output
    • Exec-timeout
    • Local AAA
    • SSH timeout and ssh authentication-retries to minimum number
    • Enable only SSH and SCP for access and file transfer to/from the router
    • Disables SNMP If not being used
  6. Secures the Forwarding Plane
    • Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
    • Anti-spoofing
    • Blocks all IANA reserved IP address blocks
    • Blocks private address blocks if customer desires
    • Installs a default route to NULL 0, if a default route is not being used
    • Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
    • Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
    • Enables NetFlow on software forwarding platforms

Example of autosecure command

Ciscozine#auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: y
Enter the number of interfaces facing the internet [1]:

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
Serial1/0                  unassigned      YES unset  administratively down down
Serial1/1                  unassigned      YES unset  administratively down down
Serial1/2                  unassigned      YES unset  administratively down down
Serial1/3                  unassigned      YES unset  administratively down down
Enter the interface name that is facing the internet: Serial1/0

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:
k
Ciscozine.com - Hot area :))
k
Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret:
Confirm the enable secret :
Enter the new enable password:
Confirm the enable password:

Configuration of local user database
Enter the username: ciscozine
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 3

Maximum Login failures with the device: 3

Maximum time period for crossing the failed login attempts: 3

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet
Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed
Enable tcp intercept feature? [yes/no]: y

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C
Ciscozine.com - Hot area :))
^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$XGFq$Nq2G8VKVu23Hgj9qv3aJa0
enable password 7 1446405858517AAA25
username ciscozine password 7 01194F175804575D72
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 3 attempts 3 within 3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial1/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial1/2
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface Serial1/3
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
access-list 100 permit udp any any eq bootpc
interface Serial1/0
 ip verify unicast source reachable-via rx allow-default 100
ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end
Apply this configuration to running-config? [yes]: y

Applying the config generated to running-config
Ciscozine#

More info on http://www.cisco.com/…/book/autosec.html

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.