Due to the number of CLI commands needed to manually disable services in an attempt to make the router more secure, Cisco introduced the AutoSecure feature from the Major Release 12.3 and subsequent 12.3 T.
AutoSecure is a good command for customers without special Security Operations Applications because it allows them to quickly secure their network without thorough knowledge of all the Cisco IOS features.
The command is available for the Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers.
There are 2 mode:
- Interactive mode: prompts the user with options to enable and disable services and other security features
- Non-interactive mode: automatically executes the Cisco AutoSecure command with the recommended Cisco default settings
Cisco Autosecure command:
Ciscozine#auto secure ? forwarding Secure Forwarding Plane full Interactive full session of AutoSecure login AutoSecure Login management Secure Management Plane no-interact Non-interactive session of AutoSecure ntp AutoSecure NTP tcp-intercept AutoSecure TCP Intercept <cr> Ciscozine#
To verify Cisco AutoSecure settings use show auto secure config
Cisco AutoSecure performs the following functions:
- Disables the following Global Services
- Finger
- PAD
- Small Servers
- Bootp
- HTTP service
- Identification Service
- CDP
- NTP
- Source Routing
- Enables the following Global Services
- Password-encryption service
- Tuning of scheduler interval/allocation
- TCP synwait-time
- TCP-keepalives-in and tcp-kepalives-out
- SPD configuration
- No ip unreachables for null 0
- Disables the following services per interface
- ICMP
- Proxy-Arp
- Directed Broadcast
- Disables MOP service
- Disables icmp unreachables
- Disables icmp mask reply messages
- Provides logging for security
- Enables sequence numbers & timestamp
- Provides a console log
- Sets log buffered size
- Provides an interactive dialogue to configure the logging server ip address
- Secures access to the router
- Checks for a banner and provides facility to add text to automatically configure:
- Login and password
- Transport input & output
- Exec-timeout
- Local AAA
- SSH timeout and ssh authentication-retries to minimum number
- Enable only SSH and SCP for access and file transfer to/from the router
- Disables SNMP If not being used
- Secures the Forwarding Plane
- Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
- Anti-spoofing
- Blocks all IANA reserved IP address blocks
- Blocks private address blocks if customer desires
- Installs a default route to NULL 0, if a default route is not being used
- Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
- Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
- Enables NetFlow on software forwarding platforms
Example of autosecure command
Ciscozine#auto secure --- AutoSecure Configuration --- *** AutoSecure configuration enhances the security of the router, but it will not make it absolutely resistant to all security attacks *** AutoSecure will modify the configuration of your device. All configuration changes will be shown. For a detailed explanation of how the configuration changes enhance security and any possible side effects, please refer to Cisco.com for Autosecure documentation. At any prompt you may enter '?' for help. Use ctrl-c to abort this session at any prompt. Gathering information about the router for AutoSecure Is this router connected to internet? [no]: y Enter the number of interfaces facing the internet [1]: Interface IP-Address OK? Method Status Protocol FastEthernet0/0 unassigned YES unset administratively down down FastEthernet0/1 unassigned YES unset administratively down down Serial1/0 unassigned YES unset administratively down down Serial1/1 unassigned YES unset administratively down down Serial1/2 unassigned YES unset administratively down down Serial1/3 unassigned YES unset administratively down down Enter the interface name that is facing the internet: Serial1/0 Securing Management plane services... Disabling service finger Disabling service pad Disabling udp & tcp small servers Enabling service password encryption Enabling service tcp-keepalives-in Enabling service tcp-keepalives-out Disabling the cdp protocol Disabling the bootp server Disabling the http server Disabling the finger service Disabling source routing Disabling gratuitous arp Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements. Authorized Access only This system is the property of So-&-So-Enterprise. UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action. Enter the security banner {Put the banner between k and k, where k is any character}: k Ciscozine.com - Hot area :)) k Enable secret is either not configured or is the same as enable password Enter the new enable secret: Confirm the enable secret : Enter the new enable password: Confirm the enable password: Configuration of local user database Enter the username: ciscozine Enter the password: Confirm the password: Configuring AAA local authentication Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport Securing device against Login Attacks Configure the following parameters Blocking Period when Login Attack detected: 3 Maximum Login failures with the device: 3 Maximum time period for crossing the failed login attempts: 3 Configuring interface specific AutoSecure services Disabling the following ip services on all interfaces: no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply Disabling mop on Ethernet interfaces Securing Forwarding plane services... Enabling CEF (This might impact the memory requirements for your platform) Enabling unicast rpf on all interfaces connected to internet Tcp intercept feature is used prevent tcp syn attack on the servers in the network. Create autosec_tcp_intercept_list to form the list of servers to which the tcp traffic is to be observed Enable tcp intercept feature? [yes/no]: y This is the configuration generated: no service finger no service pad no service udp-small-servers no service tcp-small-servers service password-encryption service tcp-keepalives-in service tcp-keepalives-out no cdp run no ip bootp server no ip http server no ip finger no ip source-route no ip gratuitous-arps no ip identd banner motd ^C Ciscozine.com - Hot area :)) ^C security passwords min-length 6 security authentication failure rate 10 log enable secret 5 $1$XGFq$Nq2G8VKVu23Hgj9qv3aJa0 enable password 7 1446405858517AAA25 username ciscozine password 7 01194F175804575D72 aaa new-model aaa authentication login local_auth local line con 0 login authentication local_auth exec-timeout 5 0 transport output telnet line aux 0 login authentication local_auth exec-timeout 10 0 transport output telnet line vty 0 4 login authentication local_auth transport input telnet login block-for 3 attempts 3 within 3 service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone logging facility local2 logging trap debugging service sequence-numbers logging console critical logging buffered interface FastEthernet0/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface FastEthernet0/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply no mop enabled interface Serial1/0 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/1 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/2 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply interface Serial1/3 no ip redirects no ip proxy-arp no ip unreachables no ip directed-broadcast no ip mask-reply ip cef access-list 100 permit udp any any eq bootpc interface Serial1/0 ip verify unicast source reachable-via rx allow-default 100 ip tcp intercept list autosec_tcp_intercept_list ip tcp intercept drop-mode random ip tcp intercept watch-timeout 15 ip tcp intercept connection-timeout 3600 ip tcp intercept max-incomplete low 450 ip tcp intercept max-incomplete high 550 ! end Apply this configuration to running-config? [yes]: y Applying the config generated to running-config Ciscozine#
More info on http://www.cisco.com/…/book/autosec.html