Auto Secure Command on Cisco Routers – Part 1

AutoSecure is a simple security configuration process that disables nonessential system services and enables a basic set of recommended security policies to ensure secure networking services. AutoSecure disables certain features that are enabled by default that could be exploited for security holes.

Benefits of AutoSecure

Simplified Switch Security Configuration

AutoSecure works in either of two modes:

Interactive mode—Prompts with options to enable and disable services and other security features, suggesting a default setting for each option.

Non-interactive mode—automatically executes the recommended Cisco default settings.

Enhanced Password Security

Automatically sets the minimum password length to 6 (security passwords min-length 6).

A syslog message is generated when the number of unsuccessful login attempts exceeds the threshold configured with the security authentication failure rate command. The default is 3 unsuccessful attempts.

System Logging Message Support

System logging messages capture any subsequent changes to the AutoSecure configuration that are applied on the running configuration. As a result, a more detailed audit trail is provided when AutoSecure is executed.

Securing the Management Plane

Securing the management plane is done by turning off certain global and interface services that can be potentially exploited for security attacks and turning on global services that help minimize the threat of attacks.

Disables the following global services:

  • Finger
  • PAD
  • Small Servers
  • Bootp
  • HTTP service
  • Identification Service
  • CDP
  • NTP
  • Source Routing

Enables the following global services:

  • Password-encryption service
  • Tuning of scheduler interval/allocation
  • TCP synwait-time
  • TCP-keepalives-in and TCP-keepalives-out
  • SPD configuration
  • No ip unreachables for null 0

Disables the following per-interface services:

  • ICMP
  • Proxy-ARP
  • Directed broadcast
  • MOP service
  • ICMP unreachables
  • ICMP mask reply messages

Secures Access to the Switch

  • If a text banner does not exist, you will be prompted to add a banner, as below:

————————————————————————————————————-
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.
Enter the security banner {Put the banner between
k and k, where k is any character}:
————————————————————————————————————-

  • The transport output command is configured on the console and AUX lines, the transport input telnet command is configured on the VTY lines, and the exec-timeout value is set to 5 minutes.
  • If the image on the device is a crypto image, AutoSecure enables SSH and Secure Copy (SCP) for access and for file transfer to and from the switch.
  • For SNMP: in interactive mode, the user is asked whether to disable SNMP regardless of the values of the community strings; in non-interactive mode, SNMP is disabled if the community string is public or private.
  • If AAA is not configured, AutoSecure configures local AAA and prompts the user to configure a local username and password.
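As an added example (not code from this post or from Cisco), the following Python audit reads saved "show running-config" text and reports which of the management-plane settings listed above are absent, applies the non-interactive SNMP rule for the public/private community strings, and checks the password minimum length. The IOS command strings are an assumed mapping from each listed service to the line that enables or disables it, and the sample configuration is constructed.

```python
# Assumed mapping from the services the post lists to the IOS lines that disable
# or enable them; constructed for this check, not taken from the post.
GLOBAL_LINES = (
    "no service finger", "no service pad", "no service tcp-small-servers",
    "no service udp-small-servers", "no ip bootp server", "no ip http server",
    "no ip identd", "no cdp run", "no ip source-route", "service password-encryption",
    "service tcp-keepalives-in", "service tcp-keepalives-out")
INTERFACE_LINES = ("no ip redirects", "no ip proxy-arp", "no ip directed-broadcast",
                   "no mop enabled", "no ip unreachables", "no ip mask-reply")
NULL0_LINES = ("no ip unreachables",)        # the post's "no ip unreachables for null 0"
DEFAULT_COMMUNITIES = {"public", "private"}  # non-interactive SNMP rule from the post

def parse_interfaces(config):
    """Map each 'interface X' block of a running-config to its indented lines."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # any unindented line ends the interface block
    return sections

def audit_config(config):
    """Report which AutoSecure management-plane settings are absent from a config."""
    lines = {ln.strip() for ln in config.splitlines()}
    report = {"missing_global": [l for l in GLOBAL_LINES if l not in lines],
              "missing_interface": {}, "weak_snmp": [], "min_length_ok": False}
    for name, body in parse_interfaces(config).items():
        wanted = NULL0_LINES if name.lower() == "null0" else INTERFACE_LINES
        missing = [l for l in wanted if l not in body]
        if missing:
            report["missing_interface"][name] = missing
    for ln in lines:
        p = ln.split()
        if p[:2] == ["snmp-server", "community"] and len(p) > 2 and p[2].lower() in DEFAULT_COMMUNITIES:
            report["weak_snmp"].append(p[2])
        if p[:3] == ["security", "passwords", "min-length"] and len(p) > 3 and int(p[3]) >= 6:
            report["min_length_ok"] = True
    return report

# Constructed sample of 'show running-config' output, deliberately only partly hardened.
SAMPLE_CONFIG = "\n".join([
    "service tcp-keepalives-in", "no ip bootp server", "no cdp run",
    "security passwords min-length 8", "snmp-server community public RO",
    "interface GigabitEthernet0/0", " no ip redirects", " no ip proxy-arp",
    "interface Null0", " no ip unreachables"])
```

Settings left at their default are not displayed by a plain "show running-config" on newer IOS releases, so feed this check the output of "show running-config all" to avoid false positives.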

Enhances Logging for Security

AutoSecure provides the following logging options:

  • Sequence numbers and time stamps for all debug and log messages.
  • Logging messages for login-related events.
  • The logging console critical command, which sends system logging (syslog) messages to all available TTY lines and limits messages based on severity.
  • The logging buffered command, which copies logging messages to an internal buffer and limits messages logged to the buffer based on severity.
  • The logging trap debugging command, which allows all commands with a severity higher than debugging to be sent to the logging server.

Securing the Forwarding Plane

AutoSecure provides the following functions:

  • AutoSecure enables CEF or distributed CEF (dCEF) on the switch whenever possible. CEF consumes more memory than a traditional cache.
  • If strict Unicast Reverse Path Forwarding (uRPF) is available, it can be configured on the switch to help mitigate problems that are caused by spoofed IP source addresses.

AutoSecure will enable hardware rate-limiting of the following types of traffic without prompting the user.

  • IP errors
  • RPF failures
  • ICMP no-route messages
  • ICMP acl-drop messages
  • IPv4 multicast FIB miss messages
  • IPv4 multicast partially switched flow messages

AutoSecure will provide the option for hardware rate-limiting of the following types of traffic:

  • ICMP redirects
  • TTL failures
  • MTU failures
  • IP unicast options
  • IP multicast options
  • Ingress and egress ACL bridged packets

In the next post we will see the configuration output of this command and what each command does on switches and routers.

#DV
