Hardening Cisco Routers
By Thomas Akin

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:
[page-number]: serious technical mistake
{page-number}: minor technical mistake
: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated May 18, 2005.

UNCONFIRMED errors and comments from readers:

(3) 2nd paragraph; "Attacks in which a hacker does disable anything are the truly dangerous ones. Without adequate monitoring and auditing, no one knows the network has been compromised." should read "Attacks in which a hacker does NOT disable anything ..."

(3) 3rd paragraph; Missing verb: "... a key strategy IS to attack ..."

[7] item "Major Release"; Garbled 2nd sentence, should likely read "... once a release becomeS a Major Release, no additional features or platforms WILL BE added ANYMORE."

{17} top configuration example; The router prompts are wrong. The prompt Router(config-line)# should be in front of "login tacacs" instead of "tacacs-server last-resort password".

(17) Caveat; "... can't tell the differenCE between ..."

(19) 4th paragraph; "... in order TO prevent them."

(27) largest paragraph; "... are allowed TO log in."

{41} second block of code, second to last line; I believe the line "privilege exec level 1 show ip" should read "privilege exec level 15 show ip".

(45) explanation for example; The example indicates that tacacs+ failure will result in checking the local database (as set up by the username command), but the explanation discusses the "enable password" and the "local enable password." The word enable should be stricken in both places (or the example should be changed from "...tacacs+ local" to "... tacacs+ enable").

[66] 2nd paragraph, second command example; ip classless is not a service. In fact it's a required statement for Classless IP routing (CIDR) to work. This is true if the router has varying sized subnets within an otherwise classful network present in the routing table for any reason. Disabling it can create serious routing problems in CIDR-capable environments such as OSPF, EIGRP, RIP2 or BGP4, which are all very common today. "no ip classless" used to be the default but, as of current releases, "ip classless" is now standard, as it needs to be. Even if only RIP1 or static routes with single-sized subnet masks are used, it should still be on for future growth or change. It poses no significant security risk by being on even if it isn't strictly needed in a given environment.

[84] "Ingress" paragraph; The phrase "Assume that your network is 130.218.0.0/16..." has the wrong address prefix: it must be 130.18.0.0/16. The same applies to the two rows following.

{85} second example of access-list 15; Example is missing the exclude for 255.255.255.255/32: access-list 15 deny 255.255.255.255 0.0.0.0

(140) 4th paragraph; lectronic should be electronic

[152] configuration example, access lists; The access-list configuration starts with a deny for 10.10.0.0. Two lines later a second deny for 10.0.0.0 is configured. Although the first one is for the "internal private" network, and the second is part of the "block all private address space from the outside", it is not a good example. The examples on page 85 are much clearer. The same is true for the configuration example on page 156.

(159) last line of configuration example; The last command is probably wrong, my router does not accept it: "access-sclass 15 in" is wrong and should be "access-class 15 in". Btw. the example ending on page 154 has the command right.

{Ch. 10} "Access Lists"; In the sample chapter on "NTP Access Lists", a sample configuration is provided for 'RouterOne' which synchronises the router with three external NTP servers and peers with an internal router (RouterTwo). In order to synchronise with the external NTP servers (as defined with the ntp server command), the access list assigned to the "ntp access-group peer" command (access list 20 in the example) needs to include the IP addresses of the external servers, in addition to the IP address of the 'RouterTwo' NTP peer. Otherwise, the ntp associations will not be formed, as the "peer" access-group is the only access-group which will allow the router to synchronise itself to hosts specified in the access-list. E.g. (RouterTwo has IP address 135.26.2.1):

RouterOne#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
RouterOne(config)#ntp server 128.250.36.2
RouterOne(config)#ntp server 140.79.17.101
RouterOne(config)#ntp server 138.194.21.154
RouterOne(config)#ntp peer RouterTwo
RouterOne(config)#access-list 20 permit 135.26.2.1 0.0.0.0
RouterOne(config)#access-list 20 permit 128.250.36.2 0.0.0.0
RouterOne(config)#access-list 20 permit 140.79.17.101 0.0.0.0
RouterOne(config)#access-list 20 permit 138.194.21.154 0.0.0.0
RouterOne(config)#access-list 20 deny any
RouterOne(config)#ntp access-group peer 20
RouterOne(config)#access-list 21 permit 135.26.0.0 0.0.255.255
RouterOne(config)#access-list 21 deny any
RouterOne(config)#ntp access-group serve-only 21
RouterOne(config)#^Z
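The mismatch the Ch. 10 report describes (an NTP source missing from the ACL bound to "ntp access-group peer") is easy to lint for before a config is pushed. The following checker is an added example, not code from the book or the errata: it parses standard-ACL and ntp lines from IOS config text, evaluates wildcard masks with first-match-wins semantics, and reports every server/peer the peer access-group would refuse. The config text and the RouterTwo hostname table are constructed for illustration.

```python
import ipaddress
import re

# Constructed hostname table (assumption: 'ntp peer RouterTwo' resolves here).
HOSTS = {"RouterTwo": "135.26.2.1"}

def parse_config(text):
    """Collect standard ACL entries, NTP server/peer addresses and the
    number of the ACL bound to 'ntp access-group peer'."""
    acls, sources, peer_acl = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"access-list (\d+) (permit|deny) (\S+)(?: (\S+))?$", line):
            num, action, addr, wild = m.groups()
            acls.setdefault(num, []).append((action, addr, wild or "0.0.0.0"))
        elif m := re.match(r"ntp (server|peer) (\S+)", line):
            sources.append(HOSTS.get(m.group(2), m.group(2)))
        elif m := re.match(r"ntp access-group peer (\d+)", line):
            peer_acl = m.group(1)
    return acls, sources, peer_acl

def acl_permits(entries, ip):
    """Standard ACL semantics: first match wins, implicit deny at the end.
    A wildcard-mask bit of 1 means 'don't care', so compare only the 0 bits."""
    target = int(ipaddress.IPv4Address(ip))
    for action, addr, wild in entries:
        if addr == "any":
            return action == "permit"
        base, mask = (int(ipaddress.IPv4Address(x)) for x in (addr, wild))
        if (target & ~mask) == (base & ~mask):
            return action == "permit"
    return False

def unsynced_sources(text):
    """NTP servers/peers the 'peer' access-group would refuse to sync with."""
    acls, sources, peer_acl = parse_config(text)
    entries = acls.get(peer_acl, [])
    return [ip for ip in sources if not acl_permits(entries, ip)]

# Constructed configs: ACL 20 listing only the internal peer, then the version
# the errata proposes, which also permits the three external servers.
EXTERNAL = ("128.250.36.2", "140.79.17.101", "138.194.21.154")
NTP_LINES = "".join(f"ntp server {ip}\n" for ip in EXTERNAL)
NTP_LINES += "ntp peer RouterTwo\nntp access-group peer 20\n"
DENY_REST = "access-list 20 deny any\n"
PEER_ONLY = NTP_LINES + "access-list 20 permit 135.26.2.1 0.0.0.0\n" + DENY_REST
CORRECTED = NTP_LINES + "".join(
    f"access-list 20 permit {ip} 0.0.0.0\n" for ip in ("135.26.2.1",) + EXTERNAL) + DENY_REST
```

Running unsynced_sources on PEER_ONLY lists the three external servers, and on CORRECTED returns an empty list.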