Securing Cisco Routers
By Raman Sud, Ken Edelman.
Terms you'll need to understand:
Techniques you'll need to master:
- Securing console access
- Securing VTY access
- Securing passwords
- Securing Simple Network Management Protocol (SNMP)
- Disabling router services and interfaces
- Following rules for creating ACLs
- Configuring ACLs for threat mitigation
Introduction
In this chapter, you will learn about all the different ways you can secure a Cisco router from hackers and out-of-band threats. We discuss the different services you need to know when configuring a router.
We also delve into configuring access lists and the different access lists available to you as a network engineer for protecting your network backbone.
Threat mitigation is an important aspect of network security, and as a security expert, it is your prime objective to ensure that you protect your network and mitigate threats that arise.
Assessing the Risk
The most important thing you need to understand is the risk involved in setting up networks via insecure installations. Insecure installations of network devices such as routers and switches are installs that can be attacked physically or via a configuration weakness.
Let us give you an example: Keeping your network devices under lock and key would prevent premeditated physical attacks on the devices. It all depends on the type of environment you work in. Risk can be classified as low or high. High risk is associated with mission-critical devices, and these devices, in most cases, are your backbone routers and distribution layer switches.
Various Physical Threats and Mitigation
Physical threats fall into four categories:
- Hardware threats—All threats that are associated with physical damage to the routers and switches are classified as hardware threats. You can mitigate hardware threats by providing controlled access to the facilities. Limit access to the main distribution facility (MDF), intermediate distribution facility (IDF), and network operations center (NOC) to network-related personnel only. You can provide security by ensuring that there is no access to the facility via the ceiling, raised floors, AC ducts, or windows. You can also mitigate hardware threats by using security cameras and by logging entry attempts.
- Environmental threats—Threats associated with climatic conditions are environmental threats. To mitigate environmental threats, you need to ensure that there is adequate ventilation in the facility and that the temperature and humidity levels are maintained in accordance with the specifications defined in the equipment documentation. Once these parameters are in place, ensure that you have the ability to remotely manage and monitor temperature and humidity controls. Also make sure that the facility is free from electrostatic discharge (ESD) and magnetic interference.
- Electrical threats—Brown-outs, spikes, inadequate power supply, noise, and power loss are typical examples of electrical threats. We highly recommend that your mission-critical devices be hooked up to an uninterruptible power supply (UPS). A UPS provides line conditioning and protects your network devices against irregularities in your power-distribution system. Ensure that you have redundant power supplies in your network devices (if they support them) or some hot spares at the facility. This measure reduces the amount of downtime on your network. If your environment is mission critical, a generator can be an alternate source of power in case of a power outage.
- Maintenance threats—Poor cabling, faulty labeling, and electronic devices without adequate ESD deterrents are classified as maintenance threats. Make sure that the equipment cabling is labeled properly and that a proper labeling convention is followed. This measure helps in tracing cables in the facility and aids in quick troubleshooting as well. Ensure that cables have smooth bends when they go around corners. You want no kinks in the cable, so you can guarantee the smooth flow of data.
Securing the Network Using Cisco Routers
It is imperative that the networks be secured using some kind of security policy and parameters. The perimeter routers must be secured so that the corporate LAN resources are protected from the outside world.
Perimeter security comes in different forms. If you have a small network with only one router separating you from the rest of the world, it becomes imperative that the perimeter router be secured. This security helps you protect your internal resources.
Perimeter Router and PIX Firewall
Medium-size businesses can take security to the next level by deploying a firewall between the perimeter router and the internal network. The perimeter router provides support to the firewall by filtering out unnecessary traffic before it comes into the network.
Perimeter Router Running the Firewall Feature Set
If you run a small- to medium-size network, you can use Cisco routers as a firewall as well. You have to load the firewall feature set on the router. Once the firewall feature set is installed on the router, you can then configure it to provide protection to your network using packet filtering.
You must understand that the firewall feature set does not provide the same level of protection as the PIX Firewall.
Perimeter Router, Firewall, and Internal Router
Large businesses use a three-tiered approach to network security. The perimeter routers provide preliminary protection to the PIX Firewall. The firewall then does the actual packet filtering, and finally, the internal router ensures that certain VLANs are protected from traffic coming into the corporate LANs.