
Chapter 2 Securing Network Devices

Introduction
Device hardening involves implementing proven methods for physically securing the router and protecting the router's administrative access using the Cisco IOS command-line interface (CLI) as well as the Cisco Router and Security Device Manager (SDM). Some of these methods involve securing administrative access, including maintaining passwords, configuring enhanced virtual login features, and implementing Secure Shell (SSH). Defining administrative roles in terms of access is another important aspect of securing infrastructure devices. Securing the management and reporting features of Cisco IOS devices is also important. Recommended practices for securing syslog, using Simple Network Management Protocol (SNMP), and configuring Network Time Protocol (NTP) are examined.

If an attacker gains access to a router, the security and management of the entire network can be compromised, leaving servers and endpoints at risk. It is critical that the appropriate security policies and controls be implemented to prevent unauthorized access to all infrastructure devices.

Securing the Edge Router


The edge router is the last router between the internal network and an untrusted network such as the Internet. All of an organization's Internet traffic goes through this edge router. The edge router implementation varies depending on the size of the organization and the complexity of the required network design. Router implementations can include a single router protecting an entire inside network or a router as the first line of defense in a defense-in-depth approach.

Single Router Approach


In the single router approach, a single router connects the protected network, or internal LAN, to the Internet. All security policies are configured on this device.

The single router approach is more commonly deployed in smaller site implementations such as branch and SOHO sites. In smaller networks, the required security features can be supported by Integrated Services Routers (ISRs) without impeding the router's performance capabilities.

Defense-in-Depth Approach
The edge router acts as the first line of defense and is known as a screening router. It passes all connections that are intended for the internal LAN to the firewall. The second line of defense is the firewall. The firewall typically picks up where the edge router leaves off and performs additional filtering. It provides additional access control by tracking the state of the connections and acts as a checkpoint device.

The edge router has a set of rules specifying which traffic it allows and denies. By default, the firewall denies the initiation of connections from the outside (untrusted) networks to the inside (trusted) network. However, it allows the internal users to establish connections to the untrusted networks and permits the responses to come back through the firewall. It can also perform user authentication (authentication proxy) where users must be authenticated to gain access to network resources.

DMZ Approach
The DMZ can be used for servers that must be accessible from the Internet or some other external network. The DMZ can be set up between two routers, with an internal router connecting to the protected network and an external router connecting to the unprotected network, or simply be an additional port off of a single router.

The firewall, located between the protected and unprotected networks, is set up to permit the required connections (for example, HTTP) from the outside (untrusted) networks to the public servers in the DMZ. In the DMZ approach, the router provides some protection by filtering some traffic, but leaves the bulk of the protection to the firewall.
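The defense-in-depth and DMZ policies described above, modelled as an added example in Python (this is not part of the original notes): a small stateful filter that denies outside-initiated connections to the inside network, permits inside-initiated connections and their return traffic, and permits only the published services (HTTP and HTTPS here) from the outside to the DMZ. The zone prefixes, host addresses and published ports are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing for the protected network and the DMZ (assumption, not from the notes).
ZONES = {
    "inside": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}
# The "required connections" the DMZ publishes to the untrusted network, e.g. HTTP/HTTPS.
DMZ_PUBLISHED_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Classify an address as inside, dmz, or outside (anything not in a known zone is untrusted)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


class StatefulFirewall:
    """Models the checkpoint firewall's connection tracking behind the screening router."""

    def __init__(self):
        self.sessions = set()  # 5-tuples of connections permitted in the initiating direction

    def filter(self, p: Packet):
        """Return (permitted, reason) for one packet, updating connection state as needed."""
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Replies to a tracked connection are allowed back through, whatever their source zone.
        if reverse in self.sessions:
            return True, "return traffic for a tracked session"
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        # Internal users may initiate to untrusted networks; the session is recorded so replies pass.
        if src_zone == "inside" and dst_zone == "outside":
            self.sessions.add(forward)
            return True, "inside-initiated connection"
        # The outside may reach the DMZ, but only on the published service ports.
        if src_zone == "outside" and dst_zone == "dmz" and p.dport in DMZ_PUBLISHED_PORTS:
            self.sessions.add(forward)
            return True, "published DMZ service"
        # Default deny: this catches outside-initiated connections to the inside network,
        # "replies" with no matching session, and anything else not listed above.
        return False, f"no rule permits {src_zone}->{dst_zone}:{p.dport}"


if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt in [
        Packet("203.0.113.5", 40000, "10.1.1.10", 22),     # outside -> inside SSH: denied
        Packet("10.1.1.10", 50000, "198.51.100.7", 443),   # inside -> outside HTTPS: permitted
        Packet("198.51.100.7", 443, "10.1.1.10", 50000),   # its reply: permitted by state
        Packet("203.0.113.5", 40001, "192.0.2.10", 80),    # outside -> DMZ HTTP: permitted
        Packet("203.0.113.5", 40002, "192.0.2.10", 22),    # outside -> DMZ SSH: denied
    ]:
        print(pkt, fw.filter(pkt))
```

The reply check runs before the zone rules so that an inside-initiated session's return traffic is passed even though its source is outside; a packet that merely looks like a reply but matches no tracked session falls through to the default deny.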

Securing the edge router is a critical first step in securing the network. If there are other internal routers, they must be securely configured as well. Three areas of router security must be maintained.

Physical Security
- Place the router and the physical devices that connect to it in a secure locked room that is free of electrostatic or magnetic interference, has fire suppression, and has controls for temperature and humidity.
- Install an uninterruptible power supply (UPS). This reduces the possibility of a DoS attack from power loss to the building.

Operating System Security
- Configure the router with the maximum amount of memory possible. The availability of memory can help protect the network from some DoS attacks, while supporting the widest range of security services.
- Use the latest stable version of the operating system that meets the feature requirements of the network. Security features in an operating system evolve over time.
- Keep a secure copy of the router operating system image and router configuration file as a backup.

Router Hardening
- Ensure that only authorized personnel have access and that their level of access is controlled.
- Disable unused ports and interfaces. Reduce the number of ways a device can be accessed.
- Disable unnecessary services.

Securing administrative access to an infrastructure device:


- Restrict device accessibility - Limit the accessible ports, restrict the permitted communicators, and restrict the permitted methods of access.
- Log and account for all access - For auditing purposes, record anyone who accesses a device, including what occurs and when.
- Authenticate access - Ensure that access is granted only to authenticated users, groups, and services. Limit the number of failed login attempts and the time between logins.
- Authorize actions - Restrict the actions and views permitted by any particular user, group, or service.
- Present legal notification - Display a legal notice (banner), developed in conjunction with company legal counsel, for interactive sessions.
- Ensure the confidentiality of data - Protect locally stored sensitive data from viewing and copying. Consider the vulnerability of data in transit over a communication channel to sniffing, session hijacking, and man-in-the-middle (MITM) attacks.
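As an added example (not from the original notes), the "limit the number of failed login attempts and the time between logins" and "log and account for all access" items above, modelled in Python after the behaviour of the IOS login block-for command: once a number of failures fall inside a time window the device enters a quiet period in which logins are refused except from exempt administration hosts, and every decision is written to an audit trail. The parameters and the exempt host address are constructed assumptions, and the model is a simplification written for this example, not Cisco's implementation.

```python
from collections import deque


class LoginGuard:
    """Simplified model of IOS-style 'login block-for B attempts N within W' plus a
    minimum spacing between attempts, with an audit trail of every decision."""

    def __init__(self, block_for=120, attempts=3, within=60, delay=1, quiet_mode_allow=()):
        self.block_for = block_for          # seconds the device stays in quiet mode
        self.attempts = attempts            # failures that trigger quiet mode ...
        self.within = within                # ... when they fall inside this many seconds
        self.delay = delay                  # minimum seconds between successive attempts
        self.quiet_mode_allow = frozenset(quiet_mode_allow)  # admin hosts exempt from quiet mode
        self.failures = deque()             # timestamps of recent failed attempts
        self.quiet_until = 0.0
        self.last_attempt = None
        self.audit = []                     # "log and account for all access"

    def _log(self, now, event, user, src, extra=""):
        self.audit.append(f"t={now:6.1f} {event:<14} user={user} src={src} {extra}".rstrip())

    def attempt(self, now, user, src, password_ok):
        """Process one login attempt at time 'now' (seconds) and return the outcome."""
        if now < self.quiet_until and src not in self.quiet_mode_allow:
            self._log(now, "QUIET_BLOCKED", user, src, f"until t={self.quiet_until:.0f}")
            return "blocked"
        # Attempts arriving faster than the configured delay are refused outright here;
        # the real device holds the prompt instead (simplification for this example).
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            self._log(now, "TOO_FAST", user, src)
            return "too-fast"
        self.last_attempt = now
        if password_ok:
            self._log(now, "LOGIN_SUCCESS", user, src)
            return "accepted"
        # Keep only failures inside the sliding window, then test the threshold.
        while self.failures and now - self.failures[0] > self.within:
            self.failures.popleft()
        self.failures.append(now)
        self._log(now, "LOGIN_FAILED", user, src,
                  f"{len(self.failures)}/{self.attempts} within {self.within}s")
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
            self._log(now, "QUIET_MODE", user, src, f"for {self.block_for}s")
            return "quiet-mode"
        return "rejected"


if __name__ == "__main__":
    # Constructed scenario: three failures from an outside host, then a correct password
    # during quiet mode from that host and from the exempt administration host.
    guard = LoginGuard(quiet_mode_allow={"10.0.0.5"})
    for t, src, ok in [(0, "203.0.113.9", False), (2, "203.0.113.9", False),
                       (4, "203.0.113.9", False), (10, "203.0.113.9", True),
                       (11, "10.0.0.5", True), (130, "203.0.113.9", True)]:
        print(t, src, guard.attempt(t, "admin", src, ok))
    print("\n".join(guard.audit))
```

The audit list is what a syslog server would receive from the device; the quiet-mode exemption is the equivalent of the IOS login quiet-mode access-class, so that a lockout triggered from outside does not also lock out the administration host.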

There are two ways to access a device for administrative purposes: locally and remotely. Some network devices can be accessed remotely. Remote access typically involves allowing Telnet, Secure Shell (SSH), HTTP, HTTPS, or Simple Network Management Protocol (SNMP) connections to the router from a computer. When accessing the network remotely, a few precautions should be taken:

- Encrypt all traffic between the administrator computer and the router. For example, instead of using Telnet, use SSH, and instead of using HTTP, use HTTPS.
- Establish a dedicated management network. The management network should include only identified administration hosts and connections to a dedicated interface on the router.
- Configure a packet filter to allow only the identified administration hosts and preferred protocols to access the router. For example, permit only SSH requests from the IP address of the administration host to initiate a connection to the routers in the network.
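The following added example (not from the original notes) ties together the router-hardening items above (disable unused interfaces and unnecessary services, password protection, a legal banner, logging) and the remote-access precautions (SSH instead of Telnet or HTTP, a packet filter permitting only the administration host): a small Python audit that parses an IOS-style running-config into blocks and flags the weak settings. Both sample configurations are constructed for this example and the addresses and names in them are placeholders; the checks cover only the controls this page discusses.

```python
WEAK_CONFIG = """\
ip http server
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Spare, unused
!
ip access-list standard MGMT-HOSTS
 permit any
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
service password-encryption
ip http secure-server
login block-for 120 attempts 3 within 60
banner login ^C Authorized users only. Sessions are logged. ^C
logging host 10.0.0.20
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Spare, unused
 shutdown
!
ip access-list standard MGMT-HOSTS
 permit host 10.0.0.5
 deny any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""

def parse_ios(text):
    """Split a config into (header, [indented child lines]); '!' separators are dropped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_ios(text)
    headers = [h for h, _ in blocks]
    findings = []
    if "service password-encryption" not in headers:
        findings.append("global: 'service password-encryption' missing")
    if "ip http server" in headers:
        findings.append("global: 'ip http server' enabled; use HTTPS or disable it")
    if not any(h.startswith("login block-for") for h in headers):
        findings.append("global: no 'login block-for' (failed-login limiting)")
    if not any(h.startswith("banner ") for h in headers):
        findings.append("global: no banner (legal notification)")
    if not any(h.startswith("logging host") for h in headers):
        findings.append("global: no syslog host; access is not recorded off-box")
    acls = {h.split()[-1]: kids for h, kids in blocks if h.startswith("ip access-list standard")}
    for header, kids in blocks:
        if header.startswith("interface "):
            # No address and no 'shutdown' means an unused port that is still enabled.
            if not any(k.startswith("ip address") for k in kids) and "shutdown" not in kids:
                findings.append(f"{header}: unused interface not shut down")
        elif header.startswith("line vty"):
            transport = next((k for k in kids if k.startswith("transport input")), "transport input <default>")
            if transport.split()[2:] != ["ssh"]:
                findings.append(f"{header}: '{transport}' permits non-SSH access")
            ac = next((k for k in kids if k.startswith("access-class")), None)
            if ac is None:
                findings.append(f"{header}: no access-class; any source may connect")
                continue
            name = ac.split()[1]
            if name not in acls:
                findings.append(f"{header}: access-class references unknown ACL {name}")
                continue
            for entry in acls[name]:
                toks = entry.split()
                args = [t for t in toks[1:] if t not in ("host", "log")]
                # 'any' or a wildcard mask admits more than the single administration host.
                if toks[0] == "permit" and (args[0] == "any" or len(args) > 1):
                    findings.append(f"{header}: ACL {name} entry '{entry}' is not a single admin host")
    return findings
```

Running audit_config(WEAK_CONFIG) yields eight findings (missing password encryption, HTTP management enabled, no login block-for, no banner, no syslog host, the spare interface left up, Telnet still accepted on the vty lines, and an access-class that permits any source), while audit_config(HARDENED_CONFIG) returns an empty list. The parser is deliberately minimal: it understands one level of indentation, which is all these checks need.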

Reference: www.cisco.com
