Protecting routers - control interfaces

Introduction to this web page

This web page is about protecting the routers themselves from attack, rather than protecting networks and hosts behind the router.

This page is about configuring and protecting the various control interfaces that exist on a router.

The console port

Most ( or all ? ) routers have a console port to which a terminal can be attached. The console port is the only way to talk to a router before it has been configured to allow access through the other interfaces.

Here is a basic set up for the console port.


   router>                      enable
   router#                      config t
   router(config)#              line console 0
   router(config-line)#         login
   router(config-line)#         password password
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

There are some additional optional commands which can be used when configuring the console port.

  • The "exec-timeout" command allows us to specify a time-out period. To specify a time-out time in minutes, we use -

    
       router(config-line)#         exec-timeout minutes 
    
    

    To specify the time-out time in seconds, we use -

    
       router(config-line)#         exec-timeout 0 seconds
    
    

    If the "exec-timeout" command is not used, the default time-out is 10 minutes.

  • Another optional command is

    
       router(config-line)#         logging synchronous
    
    

    which stops pop-up messages from driving you nuts.

  • Another optional command is the "transport input" command. If we use this as -

    
       router(config-line)#         transport input none
    
    

    then this stops any kind of "active" communication into the console port ( such as reverse telnet ), but doesn't stop a "passive" terminal being used.

  • Another thing we can do is to require that the console port is only accessible by specific named accounts. We can set up named accounts in IOS using the command line :-

    
       router(config)#              username name privilege 1 password password
    
    

    Then we change the console port configuration, by using the "login local" command. This requires that anyone trying to use the console port has to supply a username and a password, instead of just a password.

    
       router>                      enable
       router#                      config t
       router(config)#              line console 0
       router(config-line)#         login local
       router(config-line)#         exit
       router(config)#              exit
       router#                      disable
       router>
    
    

    Note that users should only be assigned privilege level 1, as any encryption used for the password is type 7, and so is relatively insecure.

    Using the "login local" command instead of the "login" command is only a way of tightening access to the console port. Enabled mode should still be protected by the "enable secret" command.

    Apart from the security improvement, using the "login local" command will result in log files showing the name of the user, as well as actions performed, so now there is a record of who did what, and not just of what was done.

We can now put all these together, and create a good level of security for the console port.


   router>                      enable
   router#                      config t
   router(config)#              line console 0
   router(config-line)#         transport input none
   router(config-line)#         login local
   router(config-line)#         exec-timeout 5 0
   router(config-line)#         logging synchronous
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

The aux port

Some ( ? ) routers have an auxiliary port, which is an EIA/TIA-232 DTE port ( ie, an updated version of RS 232C ). It is used for asynchronous connections such as modems.

A basic configuration would be -


   router>                      enable
   router#                      config t
   router(config)#              line aux 0
   router(config-line)#         login
   router(config-line)#         password password
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

According to a small amount of Cisco documentation, we can also create an access list, and apply it to the aux port, using the access-class command. The access list has to be a numbered list.

As yet, I haven't seen any documentation which says that we can use either a standard numbered list, or an extended numbered list. All the documentation I have seen just talks about standard numbered lists.


   router>                      enable
   router#                      config t
   router(config)#              access-list 50 permit 192.168.100.56
   router(config)#              line aux 0
   router(config-line)#         login
   router(config-line)#         password password
   router(config-line)#         access-class 50 in
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

We can also add the same options as the console port to tighten security, and make life more pleasant as well -

  • login local

  • transport input protocol

  • exec-timeout 5 0

  • logging synchronous

However there is a better approach :-

Disabling the aux port

Connecting a modem to the router via the aux port is a considerable security risk, and opens the router up to a probable attack through the modem. If it is not absolutely essential that the router is accessed through a modem, the aux port should definitely be disabled by the following command lines.


   router>                      enable
   router#                      config t
   router(config)#              line aux 0
   router(config-line)#         transport input none
   router(config-line)#         login local
   router(config-line)#         exec-timeout 0 1
   router(config-line)#         no exec
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

The virtual terminal

Cisco routers allow remote hosts to communicate with the routers using Telnet or some other protocol, through one or more of the normal network interfaces. In other words, we can set up virtual terminals.

Most routers allow up to 5 concurrent telnet connections, although some larger enterprise-type routers can allow much larger numbers - I think up to 198 concurrent connections.

Here is a basic configuration for vty lines numbered 0 up to 4.


   router>                      enable
   router#                      config t
   router(config)#              line vty 0 4
   router(config-line)#         login
   router(config-line)#         password password
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

This configuration is relatively insecure; there are options available which will increase the security of the vty lines.

  • There is quite a lot of documentation which advises that we can use an access list to restrict access to the virtual terminals. Just as above, it must be a numbered list.

    There seems to be a difference between what Cisco say is the command to apply the access list, and what most 3rd parties say the command is. Cisco say the command is "access-class". Much of the 3rd party stuff I have read says the command is "ip access-class". So this is the way Cisco say :-

    
       router>                      enable
       router#                      config t
       router(config)#              no access-list 50
       router(config)#              access-list 50 permit 192.168.100.56
       router(config)#              line vty 0 4
       router(config-line)#         login
       router(config-line)#         password password
       router(config-line)#         access-class 50 in
       router(config-line)#         exit
       router(config)#              exit
       router#                      disable
       router>
    
    
  • Another way we can restrict access via the virtual terminals is to restrict the protocol that is useable, through the "transport input" command. So to allow only Telnet, we add the line :-

    
       router(config-line)#         transport input telnet
    
    

    The allowable protocols ( in any combination ) are "lat / mop / nasi / pad / rlogin / ssh / telnet / v120"

    Also, we can use "all" or "none"

    According to Cisco, the word "telnet" here actually means all TCP/IP connections, which implies that we ought also to be using an access list which only permits Telnet on TCP port 23, as well as restricting the ip source address.

  • As with the console port, we can use the "login local" command to force users to provide a user name as well as a password. The same comments as above apply about users, log files, and privilege levels.

    
       router(config-line)#         login local
    
    
  • We can limit idle time by the "exec-timeout", as with the console port.

    
       router(config-line)#         exec-timeout 5 0
    
    
  • A good practice is to bind the telnet service to the loopback interface. The loopback interface is described below. The binding is done with the "ip telnet source-interface" command, and means that the packets sent out from the vty line have the source address of the loopback interface.

    
       router(config)#              ip telnet source-interface loopback0
    
    

    There is a distinct advantage in using the loopback interface in this way, as the ip address of the loopback interface is not included in routing information available from outside the router, so is hidden from attackers.

    Another advantage of binding telnet to the loopback interface is that as long as any one network interface is up, and connected to a live network, then the vty lines can be used. There isn't a dependency on one particular physical interface.

  • If the router has more than 5 vty terminal lines, we can limit this to 5 ( or whatever ) by the line "no line vty 5". This command line will remove all lines from number 5 upwards. It isn't possible to remove the vty lines 0 to 4 by this method.

    
       router(config)#              no line vty 5
    
    
  • Cisco IOS supports reverse telnet as well as forward telnet. This means that if one router is compromised, other routers can be attacked via the compromised router, through the virtual terminals.

    This can be prevented by blocking outgoing connections by using the "transport output" command.

    
       router(config-line)#              transport output none
    
    

We can put all this together as follows :-


   router>                      enable
   router#                      config t
   router(config)#              ip telnet source-interface loopback0
   router(config)#              no access-list 50
   router(config)#              access-list 50 permit 192.168.100.56
   router(config)#              no line vty 5
   router(config)#              line vty 0 4
   router(config-line)#         login local
   router(config-line)#         transport input telnet
   router(config-line)#         transport output none
   router(config-line)#         access-class 50 in
   router(config-line)#         exec-timeout 5 0
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

As with the aux port, if we don't actually need remote access to the router, then we should definitely disable the vty lines. This can be done as follows -


   router>                      enable
   router#                      config t
   router(config)#              no access-list 50
   router(config)#              access-list 50 deny any
   router(config)#              no line vty 5
   router(config)#              line vty 0 4
   router(config-line)#         login local
   router(config-line)#         transport input none
   router(config-line)#         transport output none
   router(config-line)#         access-class 50 in
   router(config-line)#         exec-timeout 0 1
   router(config-line)#         no exec
   router(config-line)#         exit
   router(config)#              exit
   router#                      disable
   router>

We can use this technique to disable access to vty lines 0 to 4, in any combination, leaving either none, or just a minimum, of vty lines enabled. The more lines that can be disabled, the better.

Encrypting line passwords

The above line passwords are shown in config scripts in clear text form. We can make IOS show clear text passwords in config scripts in an encrypted form by using the command


   router(config)#              service password-encryption

However this encryption is easily cracked. It will keep out a casual observer, but a determined cracker will get through it.

Note that this command will encrypt all passwords shown in config scripts, except those that are already encrypted.
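As an added example that is not part of the original page, here is a small Python audit that checks a running-config against the checklist above: "login local", an exec-timeout, and the access-class and transport settings on the console, aux and vty lines, plus "service password-encryption". The config it runs on is constructed, and it uses the running-config block names ( line con 0, line aux 0, line vty 0 4 ) rather than the prompt form shown on this page.

```python
# Constructed sample running-config (not a real device): console hardened, aux disabled, vty on plain "login".
SAMPLE_CONFIG = """\
service password-encryption
line con 0
 transport input none
 login local
 exec-timeout 5 0
line aux 0
 transport input none
 exec-timeout 0 1
 no exec
line vty 0 4
 login
 password password
 transport input telnet
"""
def parse_lines(config):
    """Map each 'line ...' block name to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit(config):
    """Return findings against the checklist above; an empty list means clean."""
    findings = []
    if "service password-encryption" not in config.splitlines():
        findings.append("global: service password-encryption missing")
    for name, cmds in parse_lines(config).items():
        if "no exec" in cmds:
            continue  # line is disabled, nothing further to check
        if "login local" not in cmds:
            findings.append(f"line {name}: no 'login local'")
        # exec-timeout 0 0 turns the idle timeout off entirely
        if "exec-timeout 0 0" in cmds or not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"line {name}: idle timeout missing or disabled")
        if name.startswith("vty"):
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"line {name}: no access-class")
            if "transport output none" not in cmds:
                findings.append(f"line {name}: transport output not 'none'")
        elif name.startswith("aux") and "transport input none" not in cmds:
            findings.append(f"line {name}: transport input not 'none'")
    return findings
```

Run against the sample, only the vty block is flagged, once for each of the four settings it is missing.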

The loopback interface

The loopback interface is a virtual interface that can be used as a sort of point of contact for accessing the router. It is given an ip address, which must be on a subnet that no other interface on the router is connected to.

Services such as telnet can be bound to this virtual interface, which means that these services use the ip address of the loopback address as the source address for ip packets.

It is simple to set up: essentially all that is done is to give it an ip address.


   router>                       enable
   router#                       config t
   router(config)#               interface loopback0
   router(config-if)#            ip address 192.168.200.200 255.255.255.255
   router(config-if)#            exit
   router(config)#               exit
   router#                       disable
   router>

As noted above, the ip address of the loopback interface is not included in routing information available from outside the router, so is hidden from attackers.

Again, as noted above, the loopback interface must be on a subnet that no other interface on the router is connected to. However it is permissible to use a subnet from which ip addresses have been assigned to loopback interfaces on other routers. This means that the ip addressing scheme of an enterprise can include a subnet which is used by all the routers in the enterprise for their loopback interfaces.

Another use of loopback interfaces is in setting router ids, as used inside some routing protocols such as OSPF.

© 2005 Ron Turner