Securing a Cisco router


Tom Lancaster
02.22.2007


This tip, courtesy of SearchNetworking.com, emphasizes the importance of layering several simple protections to defend your customer's network from exploits. Networking consultants and value-added resellers (VARs) can use this advice to learn best practices for securing a Cisco router.

In August 2005, researcher Michael Lynn demonstrated the exploitation of a Cisco IOS vulnerability at the Black Hat conference in Las Vegas. The incident was a reminder that network infrastructure is critical to our country and our businesses, and that poor router security can have catastrophic consequences. It also exposes the risk in a trend I've been predicting for years: running more applications on routers and switches.

You may or may not realize that unless you've disabled them (and depending on your version of IOS), your Cisco router (like most others) is running a Web server, an FTP server, a TFTP server, a telnet server and a raft of other services, in addition to listening for protocol advertisements such as OSPF "Hellos" or Spanning Tree's BPDUs. And Cisco's spiffy new Application-Oriented Networking (AON) modules will place an unprecedented number of applications on the router.

What all this means, of course, is that there is more code running on the router for an attacker to exploit, so securing your router matters more than ever. Imagine the consequences of a worm exploiting a bug to infect all your routers!

Something you might not have considered, though, is the consequence of multi-function devices in your network architecture. For example, if you use a Cisco 6509 as a combined router/switch, install a Firewall Services Module (FWSM) and configure the firewall zones as different VLANs on the 6509, then it's critical that you understand this: no matter how good the Adaptive Security Algorithm in the PIX/FWSM is, if somebody exploits a bug in the router to gain access to the exec prompt, they can configure the switch to route between those VLANs directly, bypassing the firewall and all your protection entirely.

So the best way to protect yourself has always been to use multiple simple layers of protection:

  1. Keep up with Cisco's bug and patch releases and update your routers' software as soon as possible.

  2. Don't forget to update the firmware (ROMMON) too.

  3. Use access-control lists to block all traffic to the management interfaces of the router or switch (the vty lines, HTTP and SNMP) except administrative access from specific IP addresses; on IOS, an access-class applied inbound on the vty lines does this for telnet and SSH.

  4. Restrict SNMP access to specific IP addresses.

  5. Turn off any unnecessary processes and protocols on your routers and switches.

  6. Place intrusion detection systems (IDS) at strategic locations in your network.

  7. Perform regular health checks to make sure the config hasn't changed since the last time YOU changed it, and review the logs regularly.
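Items 3, 4, 5 and 7 of the checklist as a runnable audit. This is an added Python example, not code from the original article or from Cisco: it reads the text of a saved `show running-config`, reports where the vty access-class, SNMP ACLs and unnecessary services deviate from the checklist, and fingerprints the config so a later copy can be compared with the approved baseline. The two configs inside it are constructed samples, and the management host 10.0.0.5 and the ACL name MGMT-HOSTS are assumptions; the hardened sample shows the IOS lines the checklist items translate to.

```python
"""Audit a Cisco IOS running-config against the checklist above.

Added example, not code from the original article or from Cisco. Both
configs below are constructed samples; the management host 10.0.0.5
and the ACL name MGMT-HOSTS are assumptions.
"""
import hashlib
import re

# Constructed sample: a config that follows checklist items 3, 4 and 5.
HARDENED_CONFIG = """\
hostname edge-rtr
no ip http server
no ip http secure-server
no ip finger
no ip bootp server
no cdp run
ip access-list standard MGMT-HOSTS
 permit 10.0.0.5
 deny any log
snmp-server community s3cr3tRO RO MGMT-HOSTS
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
"""

# Constructed sample: the same router with defaults left in place.
WEAK_CONFIG = """\
hostname edge-rtr
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
"""

# Services that are on by default on most IOS platforms and therefore must
# appear as an explicit "no ..." line (checklist item 5).
REQUIRED_OFF = ("ip http server", "ip http secure-server", "cdp run")

# Lines IOS rewrites on its own (ntp clock-period, timestamps); without
# filtering them every fingerprint comparison would report drift.
VOLATILE = re.compile(r"^(ntp clock-period|Building configuration|Current configuration"
                      r"|! Last configuration change|! NVRAM config last updated)")


def parse_blocks(config):
    """Return (top_level_lines, {parent_line: [indented child lines]})."""
    top, blocks, parent = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(line)
        else:
            parent = line
            top.append(line)
            blocks.setdefault(parent, [])
    return top, blocks


def audit(config):
    """Return a list of findings; an empty list means the checklist is met."""
    top, blocks = parse_blocks(config)
    present = set(top)
    findings = []
    acls = {l.split()[-1] for l in top if l.startswith("ip access-list ")}
    acls |= {l.split()[1] for l in top if l.startswith("access-list ")}

    for service in REQUIRED_OFF:
        if f"no {service}" not in present:
            findings.append(f"{service}: not explicitly disabled")

    # Item 4: every community string must be non-default, read-only and bound to an ACL.
    for line in top:
        if not line.startswith("snmp-server community "):
            continue
        parts = line.split()          # snmp-server community <string> [RO|RW] [acl]
        community = parts[2]
        if community.lower() in ("public", "private"):
            findings.append(f"snmp: default community string '{community}'")
        if "RW" in parts:
            findings.append(f"snmp: community '{community}' is read-write")
        acl = parts[-1] if len(parts) > 3 and parts[-1] not in ("RO", "RW") else None
        if acl is None or acl not in acls:
            findings.append(f"snmp: community '{community}' not restricted by an ACL")

    # Item 3: vty lines need an inbound access-class and must not accept telnet.
    vty = [(p, c) for p, c in blocks.items() if p.startswith("line vty")]
    if not vty:
        findings.append("vty: no 'line vty' block found")
    for parent, children in vty:
        acl_lines = [c for c in children if c.startswith("access-class ") and c.endswith(" in")]
        if not acl_lines:
            findings.append(f"{parent}: no inbound access-class")
        elif acl_lines[-1].split()[1] not in acls:
            findings.append(f"{parent}: access-class references an undefined ACL")
        transport = [c for c in children if c.startswith("transport input ")]
        # No transport line means the platform default, which usually permits telnet.
        if not transport or {"telnet", "all"} & set(transport[-1].split()):
            findings.append(f"{parent}: telnet permitted (transport input)")
    return findings


def config_fingerprint(config):
    """SHA-256 over the config with volatile lines removed (checklist item 7)."""
    stable = [l.rstrip() for l in config.splitlines()
              if l.strip() and l.strip() != "!" and not VOLATILE.match(l)]
    return hashlib.sha256("\n".join(stable).encode()).hexdigest()


def has_drifted(baseline_fingerprint, current_config):
    """True when the current config no longer matches the approved baseline."""
    return config_fingerprint(current_config) != baseline_fingerprint


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit(cfg) or ['OK']}")
    baseline = config_fingerprint(HARDENED_CONFIG)
    print("drift:", has_drifted(baseline, HARDENED_CONFIG + "ip route 0.0.0.0 0.0.0.0 192.0.2.99\n"))
```

Feed it the output of `show running-config` collected over SSH on a schedule, and keep the baseline fingerprint off the box, so that a compromised router cannot rewrite the record it is checked against. The volatile-line filter is what makes item 7 practical: IOS rewrites `ntp clock-period` and the timestamp comments on its own, and an unfiltered comparison would flag every router every day.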

About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry. He is co-author of several books on networking, most recently CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.

This tip originally appeared on SearchNetworking.com.
