

Term paper ON
Security of Cisco routers

(Submitted in the 5th semester of Master of Computer Applications)

Submitted to:
Mr. Parvesh Mor

Submitted By: Amit Kumar Pandey
Roll No.: RD1E26B18
Section: D1E43

Introduction
Cisco IOS (originally Internetwork Operating System) is software used on most Cisco Systems routers and current Cisco network switches. (Earlier switches ran CatOS.) IOS is a package of routing, switching, internetworking and telecommunications functions integrated into a multitasking operating system.

The IOS Tcl command line interface provides a fixed set of multiple-word commands. The set available is determined by the "mode" and the privilege level of the current user. "Global configuration mode" provides commands to change the system's configuration, and "interface configuration mode" provides commands to change the configuration of a specific interface. All commands are assigned a privilege level, from 0 to 15, and can only be accessed by users with the necessary privilege. Through the CLI, the commands available to each privilege level can be defined.

This document contains information to help you secure your Cisco IOS system devices, which increases the overall security of your network. Structured around the three planes into which the functions of a network device can be categorized, this document provides an overview of each included feature and references to related documentation. The three functional planes of a network, the management plane, control plane, and data plane, each provide different functionality that needs to be protected.

Management Plane: The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.

Control Plane: The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices, which includes the Border Gateway Protocol (BGP), as well as the Interior Gateway Protocols (IGPs) such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF).

Data Plane: The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.

Versioning

Cisco IOS is versioned using three numbers and some letters, in the general form a.b(c.d)e, where:

1) a is the major version number.
2) b is the minor version number.
3) c is the release number, which begins at one and increments as new releases in the same a.b train are released. "Train" is Cisco-speak for "...a vehicle for delivering Cisco software to a specific set of platforms and features..."
4) d (omitted from general releases) is the interim build number.
5) e (zero, one or two letters) is the software release train identifier, such as none (which designates the mainline, see below), T (for Technology), E (for Enterprise), S (for Service provider), XA as a special functionality train, XB as a different special functionality train, etc.
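As an added example (not part of the term paper), a small Python parser for the a.b(c.d)e form described above; it also accepts an optional trailing rebuild number (for example 12.4(15)T7), which the description above does not cover, and the version strings it is run on are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Grammar of the a.b(c.d)e form: d is optional (omitted from general
# releases) and e is zero, one or two letters (none = mainline).
# The trailing rebuild digits are an assumption beyond the description
# above: real strings such as 12.4(15)T7 carry one after the train letters.
_IOS_VERSION = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<build>\d+))?\)"
    r"(?P<train>[A-Z]{0,2})(?P<rebuild>\d*)$"
)

@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    release: int
    build: Optional[int]    # interim build number; None for general releases
    train: str              # "" = mainline, "T", "E", "S", "XA", "XB", ...
    rebuild: Optional[int]  # trailing rebuild number, if any

    @property
    def is_mainline(self) -> bool:
        return self.train == ""

    @property
    def is_interim(self) -> bool:
        return self.build is not None

def parse_ios_version(text: str) -> IosVersion:
    """Parse a Cisco IOS version string such as '12.4(15.2)T'."""
    m = _IOS_VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"not a Cisco IOS version string: {text!r}")
    build, rebuild = m.group("build"), m.group("rebuild")
    return IosVersion(
        major=int(m.group("major")),
        minor=int(m.group("minor")),
        release=int(m.group("release")),
        build=int(build) if build is not None else None,
        train=m.group("train"),
        rebuild=int(rebuild) if rebuild else None,
    )

def same_train(a: IosVersion, b: IosVersion) -> bool:
    """True when both versions belong to the same a.b train and train id."""
    return (a.major, a.minor, a.train) == (b.major, b.minor, b.train)
```

Comparing a device's version against the a.b train and train identifier of an advisory is the usual reason to split the string this way.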

Bringing Up a Router

- power-on
- self-test (POST)
- load the Cisco IOS from flash memory
- IOS loads and looks for a valid configuration (stored by default in nonvolatile RAM, or NVRAM)

Logging into the Router

After the interface status messages appear and you press Enter, the Router> prompt will appear. This is called user exec mode (user mode) and it's mostly used to view statistics, but it's also a stepping-stone to logging into privileged mode. You can only view and change the configuration of a Cisco router in privileged exec mode (privileged mode), which you get into with the enable command.

    Router>
    Router>enable
    Router#

Security: Router and Switch Administrative Functions (security)

- Hostnames
- Banners
- Passwords
- Interface descriptions

Hostnames

    Router#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#hostname Todd
    Todd(config)#hostname Atlanta
    Atlanta(config)#

Banners

A banner is more than just a little cool: one very good reason for having a banner is to give any and all who dare attempt to telnet or dial into your internetwork a little security notice.

)our a$ailable banner types = e&ec process creation banner = incoming terminal line banner = login banner = message of the day banner = Message of the day (MOTE) is the most e&tensi%ely used banner" It gi%es a message to e%ery person dialing into or connecting to the router %ia Telnet or au&iliary port$ or e%en through a console port Setting Pass"ords = There are fi%e pass ords used to secure your Cisco routers7
*

F console F Au&iliary F telnet (>TA) F enable pass ord F enable secret" +nable Pass"ords = Console and Au&iliary used to set your enable pass ord that@s used to secure pri%ileged mode" This ill prompt a user for a pass ord hen the enable command is used"

Example of setting the enable passwords:

    Router(config)#enable secret todd
    Router(config)#enable password todd
    The enable password you have chosen is the same as your enable secret.
    This is not recommended. Re-enter the enable password.

User!mode pass"ords = 5outer(config)Bline G


6

= H+'I+? 6irst -ine number = au& Au&iliary line = console 3rimary terminal line = tty Terminal controller = %ty >irtual terminal = &Cy SlotC3ort for Modems = au, Sets the user'mode pass ord for the au&iliary port" = console Sets a console user'mode pass ord" $ty Sets a Telnet pass ord on the router *elnet Pass"ord
= = = = = = 5outer(config'line)Bline %ty + G H,';? -ast -ine 2umber Hcr? 5outer(config'line)Bline %ty + ; 5outer(config'line)B pass ord todd9 5outer(config'line)B login #ncrypting Aour 3ass ords = 4ecause only the enable secret pass ord is encrypted by default$ you@ll need to manually configure the user'mode and enable pass ords for encryption"

To manually encrypt your passwords, use the service password-encryption command.

    Router#config t
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#service password-encryption

Secure Operations

Secure network operations is a substantial topic. Although most of this document is devoted to the secure configuration of a Cisco IOS device, configurations alone do not completely secure a network. The operational procedures in use on the network contribute as much to security as the configuration of the underlying devices.

1) Monitor Cisco Security Advisories and Responses

The Cisco Product Security Incident Response Team (PSIRT) creates and maintains publications, commonly referred to as PSIRT Advisories, for security-related issues in Cisco products. The method used for communication of less severe issues is the Cisco Security Response.

2) The Authentication, Authorization, and Accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions and can also limit users to specific, administrator-defined commands and log all commands entered by all users. See the Using Authentication, Authorization, and Accounting section of this document for more information about leveraging AAA.

3) Centralize Log Collection and Monitoring

In order to gain an understanding of existing, emerging, and historic events related to security incidents, your organization needs to have a unified strategy for event logging and correlation. This strategy must leverage logging from all network devices and use pre-packaged and customizable correlation capabilities. After centralized logging is implemented, you must develop a structured approach to log analysis and incident tracking. Based on the needs of your organization, this approach can range from a simple diligent review of log data to advanced rule-based analysis.

4) Use Secure Protocols When Possible

Many protocols are used in order to carry sensitive network management data. You must use secure protocols whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted. In addition, you must use secure file transfer protocols when you copy configuration data. An example is the use of the Secure Copy Protocol (SCP) in place of FTP or TFTP.
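As an added example (not part of the term paper), a Python audit that walks a saved running-config for the weak settings covered in the password section and in the secure-protocols point above: a plaintext enable password, a missing service password-encryption, line passwords without login, and vty lines still accepting Telnet. Both configuration excerpts are constructed, and the type 5 and type 7 values in the hardened one are placeholders, not real hashes.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt with the weak settings the paper warns about.
WEAK_CONFIG = """\
hostname Atlanta
enable password todd
line vty 0 4
 password todd2
 transport input telnet
"""

# Same device after the hardening steps above; type 5/7 values are placeholders.
HARDENED_CONFIG = """\
hostname Atlanta
service password-encryption
enable secret 5 $1$PLACEHOLDER$NOTAREALHASH
line vty 0 4
 password 7 PLACEHOLDER
 login
 transport input ssh
"""

def audit_ios_config(config: str) -> List[str]:
    """Return human-readable findings for the weak settings listed above."""
    findings: List[str] = []
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is not configured")
    if any(l.startswith("enable password") for l in lines):
        findings.append("enable password used instead of enable secret")
    # Group indented commands under the 'line ...' section they belong to.
    sections: Dict[str, List[str]] = {}
    current = None
    for l in lines:
        if l.startswith("line "):
            current = l[5:]
            sections[current] = []
        elif current is not None and l.startswith(" "):
            sections[current].append(l.strip())
    for name, cmds in sections.items():
        # 'password X' or 'password 0 X' is plaintext; 'password 7 X' is not.
        if any(re.fullmatch(r"password (0 )?\S+", c) for c in cmds):
            findings.append(f"line {name}: plaintext password")
        if any(c.startswith("password") for c in cmds) and "login" not in cmds:
            findings.append(f"line {name}: password set but 'login' missing")
        if name.startswith("vty") and any(
                c.startswith("transport input") and "telnet" in c for c in cmds):
            findings.append(f"line {name}: Telnet accepted; use transport input ssh")
    return findings
```

Run against WEAK_CONFIG the audit reports five findings; against HARDENED_CONFIG it reports none.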

