Router

The following sets of configuration guidelines are broad enough to address the core elements of router security. To build a complete set of router hardening guidelines for your organization, make sure to review the additional resources listed at the end of this section.

Firmware Version

  • Update to the most current firmware if possible.
  • Check the vendor's web site for security advisories and/or bug notifications.
  • Avoid early deployment software in production environments.

User Access Controls

  • Ensure that a unique and complex password is set for each user level.
  • Restrict the connect, telnet, ssh, rlogin, "show login", and "show access-lists" commands to the privileged EXEC level only.
  • Add password authentication for Console, AUX, and VTY access.
  • Use the strongest available encryption for stored passwords.
  • Set an inactivity timeout for sessions.
  • Configure remote access to authenticate against a TACACS+ or RADIUS server.
  • Ensure that settings are applied for local, modem, and network access as applicable.
  • Restrict network access to specified hosts.
  • Use SSH instead of Telnet on IOS versions that support it.
  • Enable a warning banner that does not identify the device, its role, or the organization.

Router Services

  • Disable all nonessential listening services on the router (for example, the TCP and UDP small servers).
  • Disable source routing.
  • Disable ICMP redirects.
  • Disable CDP, Finger, IDENTD, BOOTP, DNS, TFTP (use SCP instead), and HTTP.
  • Restrict network boot searches.
  • Allow only restricted, read-only SNMP access, and never use the default community strings.
  • Enable encryption for SNMP (use SNMP v3).
  • Specify time updates from a trusted NTP server only.

Router Access Control Lists

  • Assign appropriate access zones.
  • Restrict ICMP activity.
  • Restrict access to essential services with ACLs.
  • Apply egress traffic filters.
  • Apply ingress traffic filters.
  • Enable rate limiting.
  • Enable protocol limiting to distribute bandwidth consumption during peak hours.
  • Enable static routing.
  • Review the use of HSRP, RIPv1, RIPv2, EIGRP, OSPF, and BGP.

Logging

  • Send logs to a trusted remote host.
  • Enable sequence numbers on log entries.
  • Send commands used on the router to the log server.
  • Log trap alerts and violations.
  • Synchronize network time.
  • Review log data.
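As an added example (not part of the original text), the script below audits the text of a Cisco IOS running-config against several of the checklist items above: SSH-only VTY access, session timeouts, password encryption, AAA via TACACS+/RADIUS, a login banner, disabled source routing, CDP, HTTP and small servers, no default SNMP community, and NTP, remote syslog and log sequence numbers. The sample config is constructed for illustration and the set of checks is an assumption about which IOS lines matter; extend CHECKS for your own baseline.

```python
"""Audit a Cisco IOS running-config (as text) against the router hardening checklist."""
import re

# (check name, IOS line pattern, must_exist): True = line must be present for a PASS,
# False = line must be absent for a PASS. Patterns are matched line by line.
CHECKS = [
    ("SSH-only VTY access",            r"^\s*transport input ssh\s*$", True),
    ("VTY inactivity timeout",         r"^\s*exec-timeout (?!0 0\b)\d+", True),
    ("password encryption enabled",    r"^service password-encryption", True),
    ("AAA via TACACS+/RADIUS",         r"^aaa authentication login .*(tacacs\+|radius)", True),
    ("login banner present",           r"^banner (motd|login)", True),
    ("source routing disabled",        r"^no ip source-route", True),
    ("CDP disabled",                   r"^no cdp run", True),
    ("HTTP server disabled",           r"^no ip http server", True),
    ("TCP small servers disabled",     r"^service tcp-small-servers", False),
    ("no default SNMP community",      r"^snmp-server community (public|private)\b", False),
    ("NTP server configured",          r"^ntp server ", True),
    ("remote syslog host configured",  r"^logging host ", True),
    ("log sequence numbers enabled",   r"^service sequence-numbers", True),
]

def audit(config):
    """Return {check name: 'PASS' | 'FAIL'} for the given running-config text."""
    results = {}
    for name, pattern, must_exist in CHECKS:
        found = re.search(pattern, config, re.MULTILINE) is not None
        results[name] = "PASS" if found == must_exist else "FAIL"
    return results

# Constructed sample config (not captured from any real device); it deliberately
# mixes good settings with common gaps so both PASS and FAIL verdicts appear.
SAMPLE_CONFIG = """\
service password-encryption
service tcp-small-servers
no ip source-route
no ip http server
snmp-server community public RO
ntp server 192.0.2.10
logging host 192.0.2.20
banner motd ^C Authorized use only ^C
line vty 0 4
 exec-timeout 10 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    for check, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{verdict:4} {check}")
```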