
Cisco Router/Switch Common Security Vulnerabilities and Router/Switch Hardening

Cisco Routers and Switches are not security devices; they are made for Routing and Switching. Many features present in Cisco Routers and Switches can be misused by an attacker to gain control over your network. The "Security Audit" wizard included with Cisco Configuration Professional (CCP) can be used to conduct a Security Audit on your Cisco Routers and Switches and identify potential security risks in a Cisco Router / Switch's configuration settings.

Following are the security risks which may be present in your Cisco Router / Switch, with suggestions on how to Harden the Cisco Router / Switch.

Finger Service: Finger Service can be used to find out which users are logged in to a Cisco Router / Switch. If the "finger" service is enabled and a user connects to the router using "telnet <ip_address> finger", the router reveals the users who are logged in and then closes the telnet connection. An attacker may be able to collect valid usernames and IP addresses from the "telnet <ip_address> finger" output.

A screenshot of the telnet finger command is shown below.

[Screenshot: Telnet Finger]

To disable Finger Service, use "no service finger" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no service finger
OmniSecuR1(config)#exit
OmniSecuR1#

TCP and UDP Small Servers Service: TCP and UDP small servers are services that run in Cisco Routers and Switches and are useful for diagnostics and troubleshooting. Old Cisco IOS versions have "Small Services" enabled by default; in new IOS versions "Small Services" are disabled by default. "Small Services" are useful for diagnostic purposes, but when they are enabled, attackers can use them to launch denial-of-service (DoS) attacks and other network based attacks against Cisco Routers and Switches.

The TCP small servers are:

Echo: Echoes back whatever you type through the "telnet <ip_address> echo" command.

Chargen: Generates a stream of ASCII data. Use the "telnet <ip_address> chargen" command.

Discard: Throws away whatever you type. Use the "telnet <ip_address> discard" command.

Daytime: Returns the system date and time. Use the "telnet <ip_address> daytime" command.

The UDP small servers are also similar services.

Echo: Echoes the datagram.

Discard: Throws away the datagram.

Chargen: Floods with a string of ASCII characters.

The following screenshots show the "Echo", "Chargen", "Discard" and "Daytime" TCP Small Services.

[Screenshot: TCP Small Services - Echo]

[Screenshot: TCP Small Services - Chargen]

[Screenshot: TCP Small Services - Discard]

[Screenshot: TCP Small Services - Daytime]

To disable TCP and UDP Small Services, use the "no service tcp-small-servers" and "no service udp-small-servers" commands from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no service tcp-small-servers
OmniSecuR1(config)#no service udp-small-servers
OmniSecuR1(config)#exit
OmniSecuR1#

IP BOOTP Server Service: IP BOOTP Server Service allows an attacker to download the Cisco Router's IOS software. IP BOOTP Server Service can also be used by an attacker to launch Denial-of-Service (DoS) attacks.

To disable IP BOOTP Server Service, use "no ip bootp server" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no ip bootp server
OmniSecuR1(config)#exit
OmniSecuR1#

Cisco Discovery Protocol (CDP): Cisco Discovery Protocol (CDP) carries sensitive information like the Router/Switch model number and the Cisco IOS software version. Attackers can use this information to launch attacks against Cisco Routers/Switches.

To disable Cisco Discovery Protocol (CDP), use "no cdp run" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no cdp run
OmniSecuR1(config)#exit
OmniSecuR1#

IP Identification Service: IP Identification Service allows an attacker to query a TCP port and identify the Router model number and the Cisco IOS used.

To disable IP Identification Service, use "no ip identd" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no ip identd
OmniSecuR1(config)#exit
OmniSecuR1#

IP Source Route: IP Source Route allows a sender of an IPv4 datagram packet to specify the route the IPv4 datagram packet takes through the network. IP Source Route allows an attacker to control the path which the IPv4 datagram packet travels.

To disable IP Source Route, use "no ip source-route" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no ip source-route
OmniSecuR1(config)#exit
OmniSecuR1#

IP Gratuitous ARP (Address Resolution Protocol): IP Gratuitous ARP (Address Resolution Protocol) is used by a network device to inform the network about its IPv4 address or about a change in its IPv4 address. A Gratuitous ARP (Address Resolution Protocol) message is sent without an ARP request from another device. Gratuitous ARP (Address Resolution Protocol) can be used to launch man-in-the-middle attacks.

To disable Gratuitous ARP (Address Resolution Protocol), use "no ip gratuitous-arps" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no ip gratuitous-arps
OmniSecuR1(config)#exit
OmniSecuR1#

Simple Network Management Protocol (SNMP): Simple Network Management Protocol (SNMP) is the most widely used protocol for Router/Switch monitoring, and also for remote router configuration changes. SNMPv1 is a security risk because SNMPv1 uses community strings for authentication, and they are sent across the network in plain text. SNMP can create severe security issues when operating in Read-Write mode.

To disable Simple Network Management Protocol (SNMP), use "no snmp-server" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no snmp-server
OmniSecuR1(config)#exit
OmniSecuR1#

IP Redirects: Internet Control Message Protocol (ICMP) redirect messages instruct a network device to use a specific router as its path to a particular destination. IP redirect messages can be used by an attacker to attack networks.

To disable Internet Control Message Protocol (ICMP) redirects, use "no ip icmp redirect" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#no ip icmp redirect
OmniSecuR1(config)#exit

IP Proxy ARP (Address Resolution Protocol): ARP (Address Resolution Protocol) is used to resolve IP addresses into MAC addresses. The destination MAC address of an ARP request is the broadcast MAC address (ff:ff:ff:ff:ff:ff), so its scope is limited to the local LAN. IP Proxy ARP allows a Cisco router to act as a proxy for ARP requests and answer them on behalf of hosts on the next LAN segment.

To disable IP Proxy ARP (Address Resolution Protocol), use "no ip proxy-arp" command from the Interface Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#no ip proxy-arp
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

IP Directed Broadcast: An IP directed broadcast is a type of broadcast where an IPv4 datagram is sent to the directed broadcast address of an IPv4 subnet. The sender of directed broadcast may be from a different network. The directed broadcast IPv4 datagram is routed through the network as a unicast packet to the related subnet, and from there it is sent to the destination LAN as a layer 2 broadcast.

To disable IP directed broadcast, use "no ip directed-broadcast" command from the Interface Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#no ip directed-broadcast
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

IP Unreachables: ICMP Unreachable messages are sent out if a router receives an IPv4 datagram packet whose destination network is unknown because there is no route configured in the router to the destination network. IP Unreachable messages can be used by an attacker to gain information about the target networks.

To disable IP Unreachables, use "no ip unreachables" command from the Interface Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#no ip unreachables
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

Maintenance Operations Protocol (MOP): Maintenance Operations Protocol (MOP) is a protocol related to DECnet. Maintenance Operations Protocol (MOP) is vulnerable to various network based attacks.

To disable Maintenance Operations Protocol (MOP), use "no mop enabled" command from the Interface Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#int fastEthernet 0/0
OmniSecuR1(config-if)#no mop enabled
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

Internet Control Message Protocol (ICMP) mask reply messages: Internet Control Message Protocol (ICMP) mask reply messages are sent in reply to a network device that wants to learn the subnet mask of a subnet. Internet Control Message Protocol (ICMP) mask reply messages can be used by an attacker for reconnaissance.

To disable Internet Control Message Protocol (ICMP) mask reply messages, use "no ip mask-reply" command from the Interface Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#no ip mask-reply
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#

TCP Keepalives: TCP keepalive messages are used by the router to detect broken network connections, such as Telnet sessions. It is better to enable TCP Keepalives for security and to free router resources.

To enable TCP keepalive messages, use "service tcp-keepalives-in" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#service tcp-keepalives-in
OmniSecuR1(config)#exit
OmniSecuR1#

Minimum Password Length: Short passwords are easy to crack, which is a serious security issue. To enhance Cisco Router / Switch security, set a minimum password length.

To configure a minimum password length as 6, use "security passwords min-length 6" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#security passwords min-length 6
OmniSecuR1(config)#exit
OmniSecuR1#

Authentication Failure Rate: Authentication Failure Rate configuration allows a security administrator to configure the router to lock itself after 3 unsuccessful login attempts. Authentication Failure Rate provides a level of protection against network based password attacks. Authentication Failure Rate configuration locks the Router / Switch for a period of 15 seconds after the configured number of unsuccessful login attempts.

To configure Authentication Failure Rate as "3" and to enable logging, use "security authentication failure rate 3 log" command from the Global Configuration mode.

OmniSecuR1#configure terminal
OmniSecuR1(config)#security authentication failure rate 3 log
OmniSecuR1(config)#exit
OmniSecuR1#

Unicast Reverse Path Forwarding (RPF): Unicast Reverse Path Forwarding (RPF) is a feature which allows the router to check the source address of any packet against the interface through which the IP datagram packet arrived. For better security, enable Unicast Reverse Path Forwarding (RPF) on outside-facing interfaces.

To enable Unicast Reverse Path Forwarding (RPF), use "ip verify unicast reverse-path 20" command from the Interface Configuration mode. Here "20" is the number of a Standard ACL created earlier, which the RPF check uses to match the route.

OmniSecuR1#configure terminal
OmniSecuR1(config)#interface fastEthernet 0/0
OmniSecuR1(config-if)#ip verify unicast reverse-path 20
OmniSecuR1(config-if)#exit
OmniSecuR1(config)#exit
OmniSecuR1#
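As an added example that is not part of the original tutorial or of any Cisco tool, the following Python script audits a saved "show running-config" text for the Global and Interface Configuration hardening lines covered above. The sample configuration, the status labels and the "min-length" threshold argument are constructed here; a status of "default" only means the configuration is silent about that service.

```python
import re
# Constructed sample "show running-config" excerpt; not output from a real device.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service finger
security passwords min-length 4
!
interface FastEthernet0/0
 no ip proxy-arp
 ip verify unicast reverse-path 20
!
interface FastEthernet0/1
 ip proxy-arp
!
"""
# Global Configuration mode hardening lines from the tutorial.
GLOBAL = ["no service finger", "no service tcp-small-servers", "no service udp-small-servers",
          "no ip bootp server", "no cdp run", "no ip identd", "no ip source-route", "no snmp-server",
          "no ip gratuitous-arps", "no ip icmp redirect", "service tcp-keepalives-in"]
# Interface Configuration mode hardening lines, checked on every interface block.
PER_IF = ["no ip proxy-arp", "no ip directed-broadcast", "no ip unreachables",
          "no mop enabled", "no ip mask-reply", "ip verify unicast reverse-path"]

def parse(config):
    """Return (global lines, {interface name: [its lines]}); blocks are delimited by '!' lines."""
    glob, ifaces = [], {}
    for block in re.split(r"^!.*$", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].startswith("interface "):
            ifaces[lines[0].split(None, 1)[1]] = lines[1:]
        else:
            glob.extend(lines)
    return glob, ifaces

def status(want, lines):
    """'hardened' if the line is present, 'exposed' if its risky form is set, else 'default'."""
    risky = want[3:] if want.startswith("no ") else "no " + want
    hard = any(l.startswith(want) for l in lines)   # prefix match accepts args such as the URPF ACL
    return "hardened" if hard else "exposed" if risky in lines else "default"

def audit(config, min_len=6):
    """Run every check from the tutorial; report keys are the hardening lines themselves."""
    glob, ifaces = parse(config)
    report = {want: status(want, glob) for want in GLOBAL}
    for ifname, lines in ifaces.items():
        for want in PER_IF:
            report[f"{ifname}: {want}"] = status(want, lines)
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    report["min-length"] = "hardened" if m and int(m.group(1)) >= min_len else "exposed"
    return report
```

Whether a service reported as "default" is actually on or off depends on the IOS release, so confirm those entries on the device with the corresponding show commands.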