
Router Security Configuration Guide

Routers forward traffic between networks based on Layer 3 IP addresses and provide access to network
segments and subnetworks. That makes them prime targets for network attackers. When the border router of
an organization's network is compromised, or is accessed without authorization, the organization's
sensitive information and its other network services and resources are put at risk.

Routers can be compromised in many ways (trust exploitation and man-in-the-middle attacks, for example),
and a compromised router exposes the configuration and components of the internal network to scans and
attacks.

A router plays two primary roles in a network:

- Advertise networks and filter (permit/deny) who can use them.
- Provide access to network segments and subnetworks.

Quick Review of Attacks on Routers


General threats include, but are not limited to: unauthorized access, session hijacking, rerouting,
masquerading, Denial of Service (DoS), eavesdropping, and information theft. In addition to threats that
reach a router over the network, dial-up access to the router exposes it to further threats.

Attack techniques include: password guessing, routing protocol attacks, SNMP attacks, IP fragmentation
attacks to bypass filtering, redirect (address) attacks, and circular redirect for denial of service.

Session replay attacks use a sequence of packets or application commands that can be recorded,
possibly manipulated, and then replayed to cause an unauthorized action or gain access.

Rerouting attacks can include manipulating router updates to cause traffic to flow to unauthorized
destinations. These kinds of attacks are sometimes called route injection attacks.

Masquerade attacks occur when an attacker manipulates IP packets to falsify IP addresses. Masquerades can
be used to gain unauthorized access or to inject bogus data into a network.

Session hijacking may occur if an attacker can insert falsified IP packets after session establishment via IP
spoofing, sequence number prediction and alteration, or other methods.

Resource starvation attacks usually involve flooding the router with traffic or requests designed to
consume all of some limited resource. Target resources may be bandwidth, memory, or even
computation.

Careful router configuration can help prevent a (compromised) site from being used as part of a
Distributed Denial of Service (DDoS) attack, by blocking spoofed source addresses. DDoS attacks use a
number of compromised sites to flood a target site with sufficient traffic or service requests to render it
useless to legitimate users.

Services to Block Completely at a Border Router


Port          Transport    Service
1             TCP & UDP    tcpmux
7             TCP & UDP    echo
9             TCP & UDP    discard
11            TCP          systat
13            TCP & UDP    daytime
15            TCP          netstat
19            TCP & UDP    chargen
37            TCP & UDP    time
43            TCP          whois
67            UDP          bootp
69            UDP          tftp
95            TCP & UDP    supdup
111           TCP & UDP    sunrpc
135           TCP & UDP    loc-srv
137           TCP & UDP    netbios-ns
138           TCP & UDP    netbios-dgm
139           TCP & UDP    netbios-ssn
177           UDP          xdmcp
445           TCP          netbios-ds
512           TCP          rexec
515           TCP          lpr
517           UDP          talk
518           UDP          ntalk
540           TCP          uucp
1434          UDP          Microsoft SQL Server
1900, 5000    TCP & UDP    Microsoft UPnP SSDP
2049          UDP          NFS
6000-6063     TCP          X Window System
6667          TCP          IRC
12345-12346   TCP          NetBus
31337         TCP & UDP    Back Orifice

Control Access to your Router


The first step is to apply rules that restrict external access to the router's own ports. You can block
all of them, but that is not always necessary. The commands below protect the router against some
reconnaissance probes and, obviously, restrict access to the listed ports:

access-list 110 deny tcp any host $yourRouterIP eq 7
access-list 110 deny tcp any host $yourRouterIP eq 9
access-list 110 deny tcp any host $yourRouterIP eq 13
access-list 110 deny tcp any host $yourRouterIP eq 19
access-list 110 deny tcp any host $yourRouterIP eq 23
access-list 110 deny tcp any host $yourRouterIP eq 79
! Every IOS access list ends with an implicit "deny any"; without the
! entry below the list would also drop all transit traffic.
access-list 110 permit ip any any

interface x0/0
ip access-group 110 in

Where $yourRouterIP is your router's IP address and x0/0 is your external interface; this article uses
that convention throughout. Note that an interface accepts only one inbound access list, so applying a
second list with ip access-group replaces the first: in practice the entries of access lists 110, 111 and
112 from this article go into a single list that is applied once to x0/0.

Restrict telnet access to the router

Telnet is not a safe protocol (everything, including the login password, crosses the network
unencrypted) and you should use SSH instead; but if you really need it, restrict who can reach it. The
best way to do that is a standard access list applied with the access-class command, which governs every
connection to the vty lines, SSH sessions included:

access-list 50 permit 192.168.1.1
access-list 50 deny any log
line vty 0 4
access-class 50 in
exec-timeout 5 0

Where 192.168.1.1 is the only IP address allowed to telnet to the router.

Block spoofed/malicious packets

Never allow packets with loopback or reserved (RFC 1918) source addresses from the Internet to enter your
external interface, and reject multicast and broadcast source addresses too. The wildcard masks below
cover the full private blocks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16); a narrower mask such as
0.0.0.255 on 192.168.0.0 would only cover one /24 of that range.

access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
! Also deny your own public address block as a source here: packets
! arriving from the Internet must never claim to originate inside.
access-list 111 permit ip any any

interface x0/0
ip access-group 111 in
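To check what a list like this actually matches, here is an added Python example (not part of the original article and not Cisco code) that models the first-match, implicit-deny evaluation of IOS extended access lists and runs constructed packets through three lists: the anti-spoofing list above with the full RFC 1918 wildcards and a final permit; a variant with narrower wildcards (0.0.0.255 on 192.168.0.0 and 0.0.255.255 on 172.16.0.0) to show what they let through; and the port-blocking list from the previous section with its final permit omitted, to show that the implicit deny then drops everything. The router address 203.0.113.1 and the packet addresses are assumptions taken from the documentation ranges.

```python
"""First-match evaluation of Cisco IOS extended access-list entries.

Added example, not from the original guide: a small model of how IOS walks
an extended ACL top to bottom, stops at the first matching entry and drops
anything that reaches the end (the implicit 'deny any'). Only the syntax
used in this guide is supported:
  access-list N {permit|deny} PROTO SRC [eq PORT] DST [eq PORT] [ICMP-TYPE] [log]
where SRC/DST is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                       # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None      # destination port (tcp/udp)
    icmp_type: Optional[str] = None  # e.g. 'redirect', 'echo'

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _parse_addr(t, i):
    """Parse the address spec at t[i]; return (base, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _parse_port(t, i):
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_ace(line: str) -> dict:
    t = line.split()
    if t and t[-1] == "log":         # 'log' does not affect matching
        t = t[:-1]
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"unsupported entry: {line}")
    ace = {"action": t[2], "proto": t[3]}
    i = 4
    ace["src"], ace["src_wc"], i = _parse_addr(t, i)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], ace["dst_wc"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    ace["icmp_type"] = t[i] if ace["proto"] == "icmp" and i < len(t) else None
    return ace

def _addr_match(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bit 1 = don't care, 0 = must equal the corresponding base bit.
    return (addr ^ base) & (~wildcard & 0xFFFFFFFF) == 0

def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not _addr_match(_ip(pkt.src), ace["src"], ace["src_wc"]):
        return False
    if not _addr_match(_ip(pkt.dst), ace["dst"], ace["dst_wc"]):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.dport:
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.icmp_type:
        return False
    return True

def evaluate(acl_text: str, pkt: Packet) -> str:
    """'permit' or 'deny' for pkt; an unmatched packet hits the implicit deny."""
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("!"):
            ace = parse_ace(line)
            if ace_matches(ace, pkt):
                return ace["action"]
    return "deny"

# Anti-spoofing list from this guide with full RFC 1918 wildcards and an
# explicit final permit for transit traffic (router address is constructed).
ACL_SPOOF = """
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
access-list 111 permit ip any any
"""

# Same intent with narrower wildcards: only one /24 and one /16 are covered.
ACL_SPOOF_NARROW = """
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 any
access-list 111 permit ip any any
"""

# The port-blocking list for the router itself, without a final permit.
ACL_NO_PERMIT = """
access-list 110 deny tcp any host 203.0.113.1 eq 23
access-list 110 deny tcp any host 203.0.113.1 eq 79
"""
```

Running `evaluate(ACL_SPOOF_NARROW, Packet("tcp", "192.168.5.7", "203.0.113.1", 80))` returns "permit" while the full-wildcard list returns "deny", and every packet evaluated against ACL_NO_PERMIT comes back "deny", which is the behaviour the implicit deny gives you on a real interface.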

Restrict SNMP

SNMP must always be restricted, unless you want a malicious person collecting a lot of information about
your network. The list below drops SNMP (UDP port 161) arriving on the external interface and permits
everything else:

access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any

interface x0/0
ip access-group 112 in

If you do use SNMP, make the community strings read-only and bind each one to an access list of permitted
management stations (snmp-server community <string> RO <access-list>), because SNMPv1/v2c sends the
community string in cleartext. And if you are not going to use SNMP at all, disable it:

no snmp-server

Encrypt all passwords

A very important step is to protect all your passwords with the strongest algorithm available.

The password for privileged EXEC mode, which grants full access to the IOS system, can be stored as a
salted MD5 hash with enable secret. That is the strongest option on the IOS releases this article covers;
newer releases also offer scrypt-based "type 9" secrets (enable algorithm-type scrypt secret), which you
should prefer where available.

enable secret $yourpassword

All other passwords can be obscured with the service password-encryption command, which rewrites every
plaintext password in the configuration as a "type 7" string. This is a Vigenère-style cipher with a
fixed, publicly known key: it is trivially reversible and protects only against someone glancing at the
screen, not against anyone who can read the configuration. It is still better than nothing:

service password-encryption
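To see why service password-encryption is only an obfuscation, here is an added Python example (not from the original article) that implements the type-7 encoder and decoder and scans a constructed configuration fragment for type-7 strings. The key string is the fixed table IOS uses; the configuration lines, the placeholder enable secret hash and the passwords are made up for the demonstration.

```python
"""Cisco IOS type-7 password obfuscation (what 'service password-encryption'
produces), implemented as encoder and decoder.

Added example, not from the original guide. Type 7 is a Vigenere-style XOR
against a fixed key that has been public for decades, so anyone who can read
a configuration recovers the password. 'enable secret' (type 5, salted MD5)
is a one-way hash and cannot be reversed this way.
"""
import re

# Fixed key IOS uses for type-7 strings (public knowledge, 53 bytes).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode 'SSHH...': SS is the decimal key offset, then hex ciphertext."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type-7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(body))
    return plain.decode("ascii")


def type7_encode(password: str, seed: int = 9) -> str:
    """Produce the type-7 form of password; IOS picks the seed from 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be between 0 and 15")
    data = password.encode("ascii")
    body = bytes(c ^ _XLAT[(seed + i) % len(_XLAT)] for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches 'password 7 ...', 'key 7 ...' (e.g. tacacs-server key) and
# 'key-string 7 ...' (routing-protocol authentication keys).
_TYPE7_LINE = re.compile(r"\b(?:password|key|key-string) 7 ([0-9A-Fa-f]{4,})\b")


def recover_type7_passwords(config: str) -> list:
    """Return (line number, decoded password) for every type-7 string in config."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _TYPE7_LINE.search(line)
        if m:
            found.append((n, type7_decode(m.group(1))))
    return found


# Constructed configuration fragment; the type-5 hash is a placeholder.
SAMPLE_CONFIG = """\
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
username admin password 7 094F471A1A0A
line con 0
 password 7 0822455D0A16
line vty 0 4
 password 7 0235015819551B
"""

if __name__ == "__main__":
    for n, pw in recover_type7_passwords(SAMPLE_CONFIG):
        print(f"line {n}: type-7 string decodes to {pw!r}")
    # The same password encodes differently per seed, so two different-looking
    # type-7 strings say nothing about the strength of the scheme.
    print(type7_encode("Secr3t", 2), type7_encode("Secr3t", 11))
```

The two strings on lines 3 and 5 both decode to "cisco" despite looking unrelated; only the seed differs. Any configuration backup, TFTP copy or pasted snippet that contains type-7 strings should be treated as containing the passwords in clear.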

Disable all unused services

a. Disable echo, chargen and discard (the TCP and UDP "small servers")

no service tcp-small-servers
no service udp-small-servers

b. Disable finger

no service finger

c. Disable the HTTP management server (on releases that also have an HTTPS server, disable it too with
no ip http secure-server)

no ip http server

d. Disable NTP on the external interface if you are not using it (ntp disable is an interface-level
command)

interface x0/0
ntp disable

Add some security options

a. Disable source routing (global configuration)

no ip source-route

b. Disable proxy ARP on the external interface

interface x0/0
no ip proxy-arp

c. Disable ICMP redirects on the external interface

interface x0/0
no ip redirects

d. Disable multicast route caching on the external interface

interface x0/0
no ip mroute-cache

e. Disable CDP (global configuration)

no cdp run

f. Disable directed broadcasts on every interface (protects against Smurf attacks; this is the default
since IOS 12.0, but set it explicitly)

interface x0/0
no ip directed-broadcast
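As an added example (not part of the original article), the following Python script audits the text of show running-config for the items in this section and the two before it: small servers, finger, HTTP, source routing, CDP, password encryption, an enable secret instead of an enable password, SNMP communities without an access list, and the per-interface settings plus inbound access list on the external interface. The sample configuration is constructed, with FastEthernet0/0 assumed as the external interface. One caveat the script makes explicit: IOS leaves default settings out of the running-config, so a hardening line that is not shown may still be in effect by default; it reports those as "not shown" rather than guessing (newer releases can display defaults with show running-config all).

```python
"""Audit a Cisco IOS running-config against the hardening items in this guide.

Added example, not from the original guide. Parses 'show running-config'
text (constructed sample below) and reports, for each global and
external-interface item, whether the hardened form is present, the weak
form is present, or neither is shown. IOS omits defaults from the running
config, so 'not shown' means 'verify the platform default', not 'secure'.
"""
import re
from typing import Dict, List, Tuple

# (hardened line, weak line) pairs for global configuration mode.
GLOBAL_CHECKS = [
    ("no service tcp-small-servers", "service tcp-small-servers"),
    ("no service udp-small-servers", "service udp-small-servers"),
    ("no service finger", "service finger"),
    ("no ip http server", "ip http server"),
    ("no ip source-route", "ip source-route"),
    ("no cdp run", "cdp run"),
    ("service password-encryption", "no service password-encryption"),
]

# (hardened line, weak line) pairs expected under the external interface.
INTERFACE_CHECKS = [
    ("no ip redirects", "ip redirects"),
    ("no ip proxy-arp", "ip proxy-arp"),
    ("no ip directed-broadcast", "ip directed-broadcast"),
]

NOT_SHOWN = "not shown (verify platform default)"


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {interface name: its indented sub-lines})."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None                      # interface block we are inside, if any
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None              # '!' terminates a block in IOS output
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def _state(lines: List[str], hardened: str, weak: str) -> str:
    if hardened in lines:
        return "ok"
    if weak in lines:
        return "FAIL"
    return NOT_SHOWN


def audit(config: str, external_if: str) -> Dict[str, str]:
    """Map each check to 'ok', 'FAIL' or NOT_SHOWN for the given config."""
    glob, ifaces = split_config(config)
    result: Dict[str, str] = {}
    for hardened, weak in GLOBAL_CHECKS:
        result[hardened] = _state(glob, hardened, weak)
    # 'enable secret' stores a hash; 'enable password' is cleartext or type 7.
    result["enable secret"] = "ok" if any(l.startswith("enable secret ") for l in glob) else "FAIL"
    result["no enable password"] = "FAIL" if any(l.startswith("enable password ") for l in glob) else "ok"
    # A community string whose last token is RO/RW (or nothing) has no access
    # list bound to it and answers queries from anywhere.
    for l in glob:
        if l.startswith("snmp-server community "):
            parts = l.split()
            bound = len(parts) >= 5 and parts[-1] not in ("RO", "RW")
            result[f"snmp acl on '{parts[2]}'"] = "ok" if bound else "FAIL"
    ext = ifaces.get(external_if)
    if ext is None:
        result[f"interface {external_if}"] = "FAIL (not found)"
        return result
    for hardened, weak in INTERFACE_CHECKS:
        result[f"{external_if}: {hardened}"] = _state(ext, hardened, weak)
    has_acl = any(re.match(r"ip access-group \S+ in$", l) for l in ext)
    result[f"{external_if}: inbound access-group"] = "ok" if has_acl else "FAIL"
    return result


def failures(config: str, external_if: str) -> List[str]:
    """Only the checks that failed, sorted, for quick reporting."""
    return sorted(k for k, v in audit(config, external_if).items() if v.startswith("FAIL"))


# Constructed sample of 'show running-config' output (not from a real device).
SAMPLE_CONFIG = """\
!
version 12.3
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
enable secret 5 $1$abcd$0123456789abcdefghijkl
!
no ip source-route
ip http server
!
interface FastEthernet0/0
 description external interface
 ip address 203.0.113.2 255.255.255.252
 ip access-group 111 in
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
!
snmp-server community public RO
no cdp run
!
line vty 0 4
 access-class 50 in
 exec-timeout 5 0
!
end
"""

if __name__ == "__main__":
    for check, state in audit(SAMPLE_CONFIG, "FastEthernet0/0").items():
        print(f"{state:36} {check}")
```

On the sample, the two failures are the enabled HTTP server and the "public" community with no access list; finger and directed broadcasts come back as "not shown", which on a 12.x release usually means the secure default is in effect, but that is exactly the kind of claim you verify on the device rather than in the text.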

Log everything

Finally, send everything to a log server outside the router. Collect the logs from all your systems and
always analyze them:

logging trap debugging
logging 192.168.1.10

where 192.168.1.10 is the IP address of your log server (configured as a syslog server). The debugging
level forwards every message; if the volume is too high, use informational instead. Timestamp the
messages (service timestamps log datetime msec) and keep the router's clock in sync with NTP, otherwise
its logs cannot be correlated with those of other systems.

Conclusion
With these simple steps you add a good deal of security to your router, protecting it against many
common attacks and improving the security of your network as a whole.

As an example, here is the nmap output before and after applying these options:

Before:

bash-2.05b# nmap -O 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )


Interesting ports on (192.168.1.1):

Port State Service


7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
23/tcp open telnet
79/tcp open finger
80/tcp open http

Remote OS guesses: AS5200, Cisco 2501/5260/5300 terminal server IOS 11.3.6(T1), Cisco IOS 11.3 - 12.0(11)

After:

bash-2.05b# nmap -P0 -O 192.168.1.1

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port

All 1601 scanned ports on (192.168.1.1) are: filtered

Too many fingerprints match this host for me to give an accurate OS guess

Nmap run completed -- 1 IP address (1 host up) scanned in 403 seconds

There are substantial security resources available from router vendors. For example, Cisco offers
extensive on-line documentation and printed books about the security features supported by their
products. These books and papers are valuable, but they are not sufficient. Most vendor-supplied router
security documents are focused on documenting all of the security features offered by the router, and
do not always supply security rationale for selecting and applying those features. This guide attempts to
provide security rationale and concrete security direction, with pertinent references at the end of each
section identifying the most useful vendor documentation. This guide also provides pointers to related
books, vendor documents, standards, and available software.
