Router Security and Cisco IOS Management

Security Threats and Router Vulnerabilities

Routers as Strategic Targets: Because routers serve as gateways between networks, they are primary targets for attackers. Compromising a router can lead to several severe consequences:
- Access Control Compromise: This exposes network configuration details, facilitating further attacks against other internal network components.
- Routing Table Compromise: Attackers can reduce overall network performance, deny communication services (DoS), and expose sensitive data by rerouting it through malicious nodes.
- Traffic Filter Misconfiguration: Incorrectly configured filters can expose internal devices to scans and attacks, allowing attackers to remain undetected.
Common Attack Vectors: Attackers utilize several methods to compromise routers, including:
- Trust exploitation attacks.
- IP spoofing.
- Session hijacking.
- Man-in-the-Middle ( $MITM$ ) attacks.
Switch Security: While the focus is on routers, most best practices (such as hardening and password management) apply equally to securing switches.

Fundamental Router Security Practices

Physical Security:
- Routers must be located in a locked room accessible only to authorized personnel.
- To mitigate Denial of Service ( $DoS$ ) risks stemming from power failures, routers should be connected to an Uninterruptible Power Supply ( $UPS$ ).
Cisco IOS Updates:
- Administrators should update the IOS whenever advisable, though the latest version is not always the most stable.
- The best practice is to use the "latest stable release" that fulfills the specific feature requirements of the network.
Backup Procedures: Always maintain secure copies of the router image ( $IOS$ ) and the configuration file on a $TFTP$ (Trivial File Transfer Protocol) server.
Router Hardening: This involves eliminating potential abuse by disabling unnecessary services and unused ports that are enabled by default on factory settings.

Managing Router Passwords and Encryption

General Password Best Practices:
- Never write passwords down or leave them in visible locations (desks, monitors).
- Avoid dictionary words, names, phone numbers, or dates.
- Complexity: Combine at least one lowercase letter, one uppercase letter, one digit, and one special symbol.
- Length: A minimum of $8$ characters is recommended.
- Deliberate Misspelling: Example: Change "Security" to " $5ecur1ty$ ".
- Frequency: Change passwords as often as possible to limit the window of exposure if a password is cracked.
- Passphrases: Using a full sentence or phrase is a highly recommended method for creating complex, secure passwords.
Cisco IOS Password Encryption Schemes:
- Plain Text: By default, Cisco IOS leaves passwords in plain text in the configuration. The command R1(config)# username Student password cisco123 shows a password with a " $0$ " in the running config, indicating it is unhidden.
- Type 7 Encryption (Simple): Uses a weak algorithm to hide passwords from "shoulder surfing." Enabled via the global command $service password-encryption$ . It applies to $enable password$ , $line$ passwords, $vty$ , $console$ , and $aux$ ports.
- Type 5 Encryption (Highly Secure): Uses an $MD5$ hash. The command $enable secret$ implements this. The router prioritize the $secret$ over the $enable password$ . For local databases, use: $username [name] secret [password]$ . This appears as a " $5$ " in the configuration.
Minimum Password Length: Since Cisco IOS Release $12.3(1)$ , the $security passwords min-length [length]$ command can be used to prevent the use of common short passwords (e.g., "lab" or "cisco"). It only affects passwords created after the command is issued.

Securing Remote Administrative Access

Access Methods:
- Local Access: Connecting via the console port is the most secure but becomes unmanageable as network size increases.
- Remote Access: Convenient but risky. $Telnet$ (TCP port $23$ ) is insecure because matches everything in clear text.
Protection Strategies:
- Establish a dedicated management network (e.g., a specific Management $VLAN$ or physical network).
- Encrypt all traffic between the admin computer and the router.
Controlling VTY Lines:
- Restrict incoming protocols using the $transport input$ command. For example, $transport input ssh$ only allows Secure Shell.
- Preventing VTY DoS: Routers usually have five VTY lines. An attacker can occupy all lines at the login prompt to block administrators.
- Mitigation 1: Apply Access Control Lists ( $ACLs$ ) using $ip access-class$ on the last VTY line to restrict it to a specific workstation IP.
- Mitigation 2: Configure VTY timeouts using $exec-timeout [minutes] [seconds]$ to clear idle sessions.
- Mitigation 3: Enable TCP keepalives using $service tcp-keepalives-in$ to clear orphaned sessions from crashes.

SSH (Secure Shell) Configuration

Requirements: SSH replaces Telnet, utilizing TCP port $22$ for privacy and integrity. It requires a "cryptographic" IOS image.
Configuration Steps:
1. Set Hostname: $hostname [name]$ .
2. Set Domain Name: $ip domain-name cisco.com$ .
3. Generate Asymmetric Keys: Use $crypto key generate rsa$ . Cisco recommends a minimum modulus length of $1024$ .
4. Local Authentication: Define a local user and assign SSH to VTY lines.
5. Set Timeouts (Optional): $ip ssh timeout 15$ sets the timeout to $15$ seconds. $ip ssh authentication-retries 2$ limits failed attempts.
Client Access: Requires applications like PuTTY or TeraTerm choosing the SSH option on port $22$ .

Logging Router Activity

Logging Levels: Cisco routers support $8$ levels of logging:
- $0$ : Emergencies (system unstable).
- $1$ : Alerts.
- $2$ : Critical.
- $3$ : Errors.
- $4$ : Warnings.
- $5$ : Notifications.
- $6$ : Informational.
- $7$ : Debugging.
Storage: Logs can be saved in router memory or forwarded to a central Syslog Server (e.g., Kiwi Syslog Daemon).
Time Stamps: Critical for accurate log review. Configured via $service timestamps log$ and $service timestamps debug$ .

Disabling Vulnerable Services and Interfaces

Services to Disable:
- Cisco Discovery Protocol (CDP): Use $no cdp run$ . (Exception: CDP is often needed for IP Phones).
- Source Routing: $no ip source-route$ .
- Classless Routing: $no ip classless$ .
- Small Servers: $no service tcp-small-servers$ and $no service udp-small-servers$ (covers echo, discard, chargen).
- Finger: $no service finger$ .
- BOOTP: $no ip bootp server$ .
- HTTP: $no ip http server$ .
- Remote Configuration: $no service config$ .
- SNMP: Use $no snmp-server$ . Versions prior to $v3$ send data in plain text.
Interface Hardening:
- Unused interfaces: Use the $shutdown$ command.
- Ad hoc routing: $no ip proxy-arp$ .
- SMURF Attack Prevention: $no ip directed-broadcast$ .
DNS Security: By default, IOS sends name queries to the broadcast address $255.255.255.255$ . If not using a name server, disable it with $no ip domain-lookup$ . If using one, specify it with $ip name-server [addresses]$ .

Securing Routing Protocols

Attack Types:
1. Disruption of Peers: Less critical as protocols auto-heal.
2. Falsification of Routing Information: High risk. Can cause routing loops, redirect traffic to insecure links for monitoring, or discard traffic (blackholing).
Solution: MD5 Authentication: Routers compare signatures produced by an encryption algorithm, a secret shared key, and the packet contents. Supported by $RIPv2$ , $EIGRP$ , $OSPF$ , $IS-IS$ , and $BGP$ .
RIPv2 Security Steps:
- Step 1: Prevent Propagation: Use $passive-interface default$ to stop updates on all ports, then $no passive-interface [interface]$ to enable only required ports.
- Step 2: MD5 Setup: Create a $key chain$ , define a $key$ number and $key-string$ , and apply to the interface.
- Step 3: Verification: Use $show ip route$ to confirm authentication and route acquisition.
EIGRP/OSPF Authentication:
- EIGRP: Requires a key chain and MD5 enablement on the interface.
- OSPF: Configure the MD5 key and enable authentication directly on the interface.

Cisco AutoSecure

Overview: A single command ( $auto secure$ ) to disable non-essential processes and services.
Modes:
- Interactive (Default): Prompts user for options regarding banners, passwords, SSH, and firewall features.
- Non-interactive: Uses recommended Cisco defaults instantly. Command: $auto secure no-interact$ .
Scope: Can be applied to $management$ or $forwarding$ planes.

Cisco IOS Software Management

Updates vs. Upgrades:
- Updates: Fix bugs, same feature set, typically free.
- Upgrades: Add new features/technologies, change versions, not free.
Migration Process (4 Phases):
1. Plan: Set goals, profile hardware, identify resources.
2. Design: Select the specific IOS release.
3. Implement: Schedule and execute migration.
4. Operate: Monitor progress and maintain backups.
Online Tools:
- Public Access: Cisco IOS Reference Guide, Technical Documents, Cisco Feature Navigator.
- Login Required: Bug Toolkit, Software Advisor, IOS Upgrade Planner.

Cisco IOS Integrated File System (IFS)

Command: $show file systems$ lists available directories, free memory, and permissions (ro, wo, rw).
Key Directories:
- Flash: Marked with an asterisk ( $*$ ) as default; a pound sign (#) indicates it is bootable. Stores the current IOS.
- NVRAM: Stores the $startup-config$ . Access via $cd nvram:$ .
URL Prefix Notation: Cisco uses a format similar to web URLs: $protocol://location/directory/filename$ (e.g., $tftp://192.168.20.254/configs/backup-configs$ ).

Cisco IOS File Naming Conventions

Example file: $c1841-ipbase-mz.12.3-14.T7.bin$

$c1841$ : Platform (Cisco 1841).
$ipbase$ : Feature set. Others involve $i$ (IP only), $j$ (Enterprise/All), $s$ (Plus), $56i$ ( $56$ -bit IPsec), $3$ (Firewall/IDS), $k2$ ( $168$ -bit 3DES).
$mz$ : Execution location and compression (RAM-based, compressed).
$12.3-14.T7$ : The version number.
$bin$ : Binary executable extension.

Backup and Recovery of IOS Images

Using TFTP to Backup:
1. Ping the server to verify access.
2. Verify disk space using $show flash:$ .
3. Command: $copy flash: tftp:$ . Exclamation points ( $!$ ) signify successful transfer of individual UDP segments.
Using TFTP to Upgrade:
- Command: $copy tftp: flash:$ .
- Note: It may prompt to erase flash if space is insufficient.
Resilient Configuration: On platforms supporting $PCMCIA$ $ATA$ disks, this feature secures a working copy of the image and config to withstand malicious erasures of flash/NVRAM.
Disaster Recovery (tftpdnld): Used when IOS is deleted and the router is in ROMmon mode.
1. Connect PC to console and TFTP server to the first Ethernet port.
2. Set ROMmon environment variables (case sensitive, no spaces around " $=$ ").
3. Execute $tftpdnld$ and confirm with " $y$ ".
4. Reload using the $reset$ command.
Disaster Recovery (xmodem): Extremely slow; uses the console cable. Command: $xmodem [-cyr] [filename]$ .
- Speed can be improved by changing connection to $115000 \text{ b/s}$ from the default $9600 \text{ b/s}$ .

Troubleshooting and Password Recovery

Command Types:
- $show$ : Displays static info for fact-gathering. Use $show ?$ for options.
- $debug$ : Displays dynamic events. High priority in CPU queue; should be used during quiet hours. Disable with $no debug all$ .
Helper Commands:
- $terminal monitor$ : Required to see debug output during a Telnet/SSH session.
- $show processes$ : Used to check CPU utilization before running debugs.
Password Recovery Procedure:
1. Identify configuration register (usually $0 \times 2102$ ).
2. Power cycle and press Break to enter ROMmon.
3. Change register to $0 \times 2142$ using $confreg 0x2142$ to bypass startup config.
4. $reset$ the router.
5. Once in Privilege EXEC, $copy startup-config running-config$ (Critical: do NOT reverse this copy or you lose the config).
6. Change passwords/secrets and perform $no shutdown$ on interfaces.
7. Restore register: $config-register 0x2102$ .
8. $copy running-config startup-config$ to save changes.