Protecting routers - control interfaces
Introduction to this web page

This web page is about protecting the routers themselves from attack, rather than protecting the networks and hosts behind the router. It covers configuring and protecting the various control interfaces that exist on a router.
The console port

Most (or all?) routers have a console port to which a terminal can be attached. The console port is the only way to talk to a router before it has been configured to allow access through the other interfaces. Here is a basic set-up for the console port.

    router> enable
    router# config t
    router(config)# line console 0
    router(config-line)# login
    router(config-line)# password password
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

There are some additional optional commands which can be used when configuring the console port.
We can now put all these together, and create a good level of security for the console port.

    router> enable
    router# config t
    router(config)# line console 0
    router(config-line)# transport input none
    router(config-line)# login local
    router(config-line)# exec-timeout 5 0
    router(config-line)# logging synchronous
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

Note that login local authenticates against the router's local username database, so a username entry must exist on the router before it is applied, otherwise the console can no longer be used to log in.
The aux port

Some (?) routers have an auxiliary port, which is an EIA/TIA-232 DTE port (i.e., an updated version of RS-232C). It is used for asynchronous connections such as modems. A basic configuration would be -

    router> enable
    router# config t
    router(config)# line aux 0
    router(config-line)# login
    router(config-line)# password password
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

According to a small amount of Cisco documentation, we can also create an access list and apply it to the aux port, using the access-class command. The access list has to be a numbered list. As yet, I haven't seen any documentation which says that we can use either a standard numbered list or an extended numbered list. All the documentation I have seen just talks about standard numbered lists.

    router> enable
    router# config t
    router(config)# access-list 50 permit 192.168.100.56
    router(config)# line aux 0
    router(config-line)# login
    router(config-line)# password password
    router(config-line)# access-class 50 in
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

We can also add the same options as the console port to tighten security, and make life more pleasant as well -
However, there is a better approach:
Disabling the aux port

Connecting a modem to the router via the aux port is a considerable security risk, and opens the router up to a probable attack through the modem. If it is not absolutely essential that the router is accessed through a modem, the aux port should definitely be disabled by the following command lines.

    router> enable
    router# config t
    router(config)# line aux 0
    router(config-line)# transport input none
    router(config-line)# login local
    router(config-line)# exec-timeout 0 1
    router(config-line)# no exec
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>
The virtual terminal

Cisco routers allow remote hosts to communicate with the routers using Telnet or some other protocol, through one or more of the normal network interfaces. In other words, we can set up virtual terminals. Most routers allow up to 5 concurrent telnet connections, although some larger Enterprise type of routers can allow much larger numbers - I think up to 198 concurrent connections. Here is a basic configuration for vty lines numbered 0 up to 4.

    router> enable
    router# config t
    router(config)# line vty 0 4
    router(config-line)# login
    router(config-line)# password password
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

This configuration is relatively insecure; there are options available which will increase the security of the vty lines.
We can put all this together as follows:

    router> enable
    router# config t
    router(config)# ip telnet source-interface loopback0
    router(config)# no access-list 50
    router(config)# access-list 50 permit 192.168.100.56
    router(config)# no line vty 5
    router(config)# line vty 0 4
    router(config-line)# login local
    router(config-line)# transport input telnet
    router(config-line)# transport output none
    router(config-line)# access-class 50 in
    router(config-line)# exec-timeout 5 0
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

The "no line vty 5" command removes any vty lines numbered 5 and above, so that only lines 0 to 4 remain and all of them are covered by the settings that follow. As with the aux port, if we don't actually need remote access to the router, then we should definitely disable the vty lines. This can be done as follows -

    router> enable
    router# config t
    router(config)# no access-list 50
    router(config)# access-list 50 deny any
    router(config)# no line vty 5
    router(config)# line vty 0 4
    router(config-line)# login local
    router(config-line)# transport input none
    router(config-line)# transport output none
    router(config-line)# access-class 50 in
    router(config-line)# exec-timeout 0 1
    router(config-line)# no exec
    router(config-line)# exit
    router(config)# exit
    router# disable
    router>

We can use this technique to disable access to vty lines 0 to 4 in any combination, leaving either none, or just a minimum, of the vty lines enabled. The more lines that can be disabled, the better.
Encrypting line passwords

The above line passwords are shown in config scripts in clear text. We can make IOS show them in config scripts in an encrypted form by using the command

    router(config)# service password-encryption

However, this encryption is easily cracked. It will keep out a casual observer, but a determined cracker will get through it. Note that this command will encrypt all passwords shown in config scripts, except those that are already encrypted.
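As an added example (not part of the original page), here is a small Python audit that parses the line stanzas of a saved IOS running-config and reports the weak settings discussed above: cleartext line passwords, an idle timeout of 0 0, an aux port that has not been disabled, and vty lines without an access-class or a transport input restriction. The config fragment is constructed for the example and is not from a real router.

```python
import re
# Constructed running-config fragment (not captured from a real router): the
# console line follows the hardened set-up above, the aux and vty lines do not.
SAMPLE_CONFIG = """\
line con 0
 transport input none
 login local
 exec-timeout 5 0
!
line aux 0
 login
 password secret123
line vty 0 4
 login
 password 7 0822455D0A16
 transport input telnet
 exec-timeout 0 0
"""

def parse_lines(config):
    """Group each 'line con|aux|vty ...' stanza with its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if re.match(r"^line (con|aux|vty)\b", raw):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or any global command ends the stanza
    return stanzas

def audit_line(name, cmds):
    """List the weaknesses described on this page for one line stanza."""
    findings = []
    # 'password 7 ...' is service password-encryption output; anything else is clear text
    if any(c.startswith("password ") and not c.startswith("password 7 ") for c in cmds):
        findings.append("cleartext line password")
    if "exec-timeout 0 0" in cmds:  # 0 0 means idle sessions never time out
        findings.append("idle timeout disabled")
    if name.startswith("line aux") and not {"transport input none", "no exec"} <= set(cmds):
        findings.append("aux port not disabled")
    if name.startswith("line vty") and not any(c.startswith("access-class ") for c in cmds):
        findings.append("no access-class on vty")
    if name.startswith("line vty") and not any(c.startswith("transport input ") for c in cmds):
        findings.append("transport input not restricted")
    return findings

def audit(config):
    return {name: audit_line(name, cmds) for name, cmds in parse_lines(config).items()}
```

Run audit() over the output of "show running-config" saved to a file; an empty list for a line means it matches the hardened settings described above.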
The loopback interface

The loopback interface is a virtual interface that can be used as a sort of point of contact for accessing the router. It is given an IP address, which must be on a subnet that no other interface on the router is connected to. Services such as telnet can be bound to this virtual interface, which means that these services use the IP address of the loopback interface as the source address for IP packets. It is simple to set up; essentially all that is done is to give it an IP address.

    router> enable
    router# config t
    router(config)# interface loopback0
    router(config-if)# ip address 192.168.200.200 255.255.255.255
    router(config-if)# exit
    router(config)# exit
    router# disable
    router>

As noted above, the IP address of the loopback interface is not included in routing information available from outside the router, so is hidden from attackers. Again, as noted above, the loopback interface must be on a subnet that no other interface on the router is connected to. However, it is permissible to use a subnet from which IP addresses have been assigned to loopback interfaces on other routers. This means that the IP addressing scheme of an enterprise can include a subnet which is used by all the routers in the enterprise for their loopback interfaces. Another use of loopback interfaces is in setting router IDs, as used inside some routing protocols such as OSPF.
© 2005 Ron Turner