Security Hardening Checklist for Cisco Routers/Switches in 10 Steps

16/04/2017

A compromised router, for example, can be devastating to the security of the whole enterprise: it can be used to gain access to data, reconfigured to route traffic to other destinations, used to launch attacks against other networks, used to reach other internal resources, and so on. Hardening the network devices themselves is therefore essential for improving the security of the enterprise as a whole.

Cisco separates a network device in 3 functional elements called “Planes”. These are the following:

  • Management Plane: This is about the management of a network device. The management plane is used to access, configure, manage and monitor a network device. The security of the management plane is discussed in this article.
  • Control Plane: The control plane consists of the protocols and processes that communicate between network devices in order to move data from source to destination. This includes routing protocols such as BGP and OSPF, signaling protocols, etc.
  • Data Plane: The data plane is responsible for moving data from source to destination. This is where most data packets are flowing within the network device (usually hardware accelerated as well).

From the three Planes above, the Management Plane first and the Control Plane second are the most important to secure.

In this article we will focus on Management Plane security and discuss the 10 most important steps to harden a Cisco IOS network device.

The security checklist below is not exhaustive, but it includes the most important commands and configurations that will lock down a Cisco IOS network device and enhance its security and that of the whole network. The checklist applies to both Cisco Routers and Switches.

1) Create an Enable Secret Password
In order to grant privileged administrative access to the IOS device, you should create a strong “Enable Secret” password. I suggest using a password at least 10 characters long, consisting of alphanumeric and special characters.

Make sure to use the “enable secret” command, which stores the password as a one-way hash, rather than the older “enable password” command, whose value is stored in clear text or in the weak, reversible type 7 form.

Router# config terminal
Router(config)# enable secret strongpassword

2) Encrypt Passwords on the device
All the passwords configured on the Cisco device (except the “enable secret”) are shown as clear text in the configuration file. In order to encrypt the clear text passwords and obscure them from showing in the configuration file, use the global command “service password-encryption”.

Router# config terminal
Router(config)# service password-encryption

The command above uses a fairly weak Vigenère cipher (the “type 7” format) which can be reversed with software tools. It is used mainly to prevent casual observers from reading passwords, such as when they look at the screen over the shoulder of an administrator.

3) Use an external AAA server for User Authentication
Instead of using local user accounts on each device for administrator access, it’s much more secure, flexible and scalable to use an external AAA server (TACACS+ or RADIUS) to handle the Authentication, Authorization and Accounting of users’ access to the devices.

With a centralized AAA server you can easily change/enable/disable account passwords, enforce strong password policies, monitor account usage and user access etc.


Here we will see how to configure both TACACS+ and RADIUS AAA servers with “enable secret” password as fallback if the AAA server is not available.

TACACS+
Router# config terminal
Router(config)# enable secret K6dn!#scfw35 <- Create an “enable secret” password first
Router(config)# aaa new-model <- Enable the AAA service
Router(config)# aaa authentication login default group tacacs+ enable <-Use TACACS for authentication with “enable” password as fallback
Router(config)# tacacs-server host 192.168.1.10 <- assign the internal AAA server
Router(config)# tacacs-server key secret-key <- shared secret configured on the AAA server (no quotes; they would become part of the key)
Router(config)# line vty 0 4
Router(config-line)# login authentication default <- Apply AAA authentication to VTY lines (Telnet, SSH etc)
Router(config-line)# exit
Router(config)# line con 0 <- Apply AAA authentication to console port
Router(config-line)# login authentication default

RADIUS
Router# config terminal
Router(config)# enable secret K6dn!#scfw35 <- Create an “enable secret” password first
Router(config)# aaa new-model <- Enable the AAA service
Router(config)# aaa authentication login default group radius enable <- Use RADIUS for authentication with “enable” password as fallback
Router(config)# radius-server host 192.168.1.10 <- assign the internal AAA server
Router(config)# radius-server key secret-key <- shared secret configured on the AAA server (no quotes; they would become part of the key)
Router(config)# line vty 0 4
Router(config-line)# login authentication default <- Apply AAA authentication to VTY lines (Telnet, SSH etc)
Router(config-line)# exit
Router(config)# line con 0 <- Apply AAA authentication to console port
Router(config-line)# login authentication default

4) Create separate local accounts for User Authentication
If you can’t install and use an external AAA server as discussed in the previous section, at a bare minimum create separate local accounts for everyone to whom you give access to your devices.

If, for example, you have 3 network administrators and you have to use local device accounts for them, then create a personalized user account for each administrator. This provides accountability: the actions performed on the device can be attributed to the individual administrator who performed them.

Moreover, from IOS version 12.2(8)T and later you can configure “Enhanced Password Security” for local accounts created on the device. This means that local account passwords are stored as an MD5 hash (“username … secret”) instead of the reversible type 7 form (“username … password”).

Let’s configure 3 different local administrator accounts with “Enhanced Password Security”.

Router# config terminal
Router(config)# username john-admin secret Lms!a2eZSf*%
Router(config)# username david-admin secret d4N3$6&%sf
Router(config)# username mary-admin secret 54sxSFT*&(zsd

5) Configure Maximum Failed Authentication Attempts
To resist brute-force password attacks against the devices, you can configure a maximum number of failed login attempts, so that a user is locked out once this threshold is reached.

This works for local user accounts on the devices.

Router# config terminal
Router(config)# username john-admin secret Lms!a2eZSf*%
Router(config)# aaa new-model
Router(config)# aaa local authentication attempts max-fail 5 <- max 5 failed login attempts
Router(config)# aaa authentication login default local

6) Restrict Management Access to the devices to specific IPs only
This is probably one of the most important security configurations on Cisco network devices. You should restrict which IP addresses can Telnet or SSH to your devices. Access should be limited to the few management systems that administrators use to manage the network.

Assume that the administrators’ subnet is 192.168.1.0/28

Router# config terminal
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.15
Router(config)# line vty 0 4
Router(config-line)# access-class 10 in <- Apply IP restrictions to all VTY lines (for Telnet or SSH)
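To check that a VTY access list really matches only the intended management subnet, it helps to evaluate it the way IOS does. The following Python is an added example (not from the original article or from Cisco): it parses numbered standard ACL lines in running-config syntax, applies the inverted-netmask semantics of wildcard masks, honours first-match and the implicit deny at the end, and converts a wildcard mask back to prefix notation so the entry can be compared with documentation such as “192.168.1.0/28”. The sample ACL lines are constructed; the host entry and the final deny are assumptions added to show the other entry forms.

```python
import ipaddress

# Constructed sample: the VTY access list from this step as it appears in a
# running-config, plus a host entry and an explicit deny to show the other forms.
SAMPLE_ACL_LINES = [
    "access-list 10 permit 192.168.1.0 0.0.0.15",
    "access-list 10 permit host 192.168.1.200",
    "access-list 10 deny any log",
]


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_standard_acl(config_lines, number):
    """Collect the (action, network, wildcard) entries of one numbered standard ACL."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif rest[0] == "host":
            entries.append((action, rest[1], "0.0.0.0"))
        elif len(rest) == 1 or not _is_ipv4(rest[1]):
            # A bare address with no wildcard (possibly followed by 'log') means a single host
            entries.append((action, rest[0], "0.0.0.0"))
        else:
            entries.append((action, rest[0], rest[1]))
    return entries


def wildcard_match(ip, network, wildcard):
    """IOS wildcard masks are inverted netmasks: a 1 bit means 'ignore this bit'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(network)) & care)


def evaluate_acl(entries, ip):
    """First matching entry wins; if nothing matches, IOS applies an implicit deny."""
    for action, network, wildcard in entries:
        if wildcard_match(ip, network, wildcard):
            return action
    return "deny"


def wildcard_to_cidr(network, wildcard):
    """Convert a contiguous wildcard mask to prefix notation for cross-checking documentation."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return f"{network}/{33 - (wc + 1).bit_length()}"


if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL_LINES, 10)
    for src in ("192.168.1.14", "192.168.1.16", "192.168.1.200"):
        print(src, evaluate_acl(acl, src))
    print(wildcard_to_cidr("192.168.1.0", "0.0.0.15"))
```

Running the block shows that 192.168.1.14 is permitted (inside the /28), 192.168.1.16 is denied (the first address outside it), and the added host entry is permitted; an ACL number that does not exist in the configuration denies everything, which is exactly what happens on a device when an access-class references an empty list.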

7) Enable Logging
Logging is very useful for monitoring, incident response and auditing. You can enable logging to an internal buffer on the device or to an external log server. The latter is much more flexible and helpful, since you can store far more log data and analyze it far more easily than with local logging.


There are 8 different logging levels (from 0 to 7) each one giving progressively more log data details. You should avoid logging level 7 (debug) since it will overload the device.

Here we will discuss both buffered logging (internal to the device) and Logging to an external Server. You can have both if you want as shown below.

Router# config terminal
Router(config)# logging trap 6 <- Enable logging level 6 for logs sent to external server
Router(config)# logging buffered 5 <- Enable logging level 5 for logs stored locally in buffer
Router(config)# service timestamps log datetime msec show-timezone <- Include timestamps in logs with millisecond precision
Router(config)# logging host 192.168.1.2 <- Send logs to external log server
Router(config)# logging source-interface ethernet 1/0 <- Use Eth1/0 to send log messages
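Once messages reach the log server, the value of the configuration above shows up in what you can detect. The following Python is an added example (not from the original article or from Cisco): it parses messages in the format produced by “service timestamps log datetime msec show-timezone”, extracts the facility, severity and mnemonic of each message, counts failed logins per source address (the “SEC_LOGIN-4-LOGIN_FAILED” message IOS emits on an authentication failure) to spot password guessing against the VTY lines, and flags messages whose timestamp carries the leading “*” that IOS prints when its clock is not authoritative, which is the symptom the next step about NTP cures. The log lines are constructed samples, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines, as a collector would receive them from a device with
# 'service timestamps log datetime msec show-timezone'. A leading '*' marks a
# timestamp from a clock that IOS does not consider authoritative (no NTP sync).
SAMPLE_LOGS = [
    "Apr 16 10:15:32.123 UTC: %SYS-5-CONFIG_I: Configured from console by john-admin on vty0 (192.168.1.5)",
    "Apr 16 10:16:01.004 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed] at 10:16:01 UTC Sun Apr 16 2017",
    "Apr 16 10:16:03.377 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed] at 10:16:03 UTC Sun Apr 16 2017",
    "Apr 16 10:16:05.910 UTC: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed] at 10:16:05 UTC Sun Apr 16 2017",
    "Apr 16 10:17:40.250 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: john-admin] [Source: 192.168.1.5] [localport: 22] at 10:17:40 UTC Sun Apr 16 2017",
    "*Mar  1 00:00:05.512 UTC: %LINK-3-UPDOWN: Interface Ethernet1/0, changed state to up",
]

LINE_RE = re.compile(
    r"^(?:\d+: )?"                                               # optional sequence number
    r"(?P<clock>[*.])?"                                          # '*' / '.' = clock not authoritative
    r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3} \w+): "   # 'Apr 16 10:15:32.123 UTC: '
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
SOURCE_RE = re.compile(r"\[Source: ([\d.]+)\]")


def parse_line(line):
    """Return a dict of the message fields, or None for lines not in IOS syslog format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["clock_unreliable"] = rec.pop("clock") is not None
    return rec


def failed_logins_by_source(lines):
    """Count LOGIN_FAILED messages per source IP address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "LOGIN_FAILED":
            src = SOURCE_RE.search(rec["text"])
            if src:
                counts[src.group(1)] += 1
    return dict(counts)


def brute_force_sources(lines, threshold=3):
    """Source addresses with at least `threshold` failed logins (threshold is an assumption)."""
    return sorted(ip for ip, n in failed_logins_by_source(lines).items() if n >= threshold)


def unsynced_timestamps(lines):
    """Mnemonics of messages stamped by a clock IOS did not consider authoritative."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["clock_unreliable"]:
            out.append(rec["mnemonic"])
    return out


if __name__ == "__main__":
    print("failed logins:", failed_logins_by_source(SAMPLE_LOGS))
    print("suspicious sources:", brute_force_sources(SAMPLE_LOGS))
    print("unsynced clock:", unsynced_timestamps(SAMPLE_LOGS))
```

In the sample, 10.0.0.7 tries three different usernames in five seconds and is reported, while the single successful login from the management subnet is not; the interface message carries the “*” marker because it was logged at boot, before the clock was set, which is why such messages cannot be correlated reliably with events on other devices.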

8) Enable Network Time Protocol (NTP)
This step is essential for the previous section about logging. You must have accurate and uniform clock settings on all network devices in order for log data to be stamped with the correct time and timezone. This will help tremendously in incident handling and proper log monitoring and correlation.

You can either configure an internal or external NTP server (there are several public NTP servers that you can use as well).

Router# config terminal
Router(config)# ntp server 1.1.1.1
Router(config)# ntp server 2.2.2.2

9) Use Secure Management Protocols if possible
Telnet is the default management protocol for Command Line access to Cisco devices. However, all management traffic is clear-text with Telnet. For security reasons, prefer SSH for management instead of Telnet.

Let’s see how to configure SSH access to a Cisco device.

Router# config terminal
Router(config)# hostname London
London(config)# ip domain-name mydomain.com
London(config)# ip ssh version 2
London(config)# crypto key generate rsa modulus 2048
London(config)# ip ssh time-out 60
London(config)# ip ssh authentication-retries 3
London(config)# line vty 0 4
London(config-line)# transport input ssh

SSH requires a hostname and a domain name to be configured and RSA keys to be generated. Also, allow only the SSH protocol on the VTY lines.

10) Restrict and Secure SNMP Access
The Simple Network Management Protocol (SNMP) can be very useful for collecting information from network devices, but it can also pose a security risk if not configured properly.

SNMP uses a “Community String” which acts as a password for restricting access (Read Only or Read/Write) to the SNMP data on the device. In addition to configuring a strong Community String, IP filtering must also be applied so that SNMP access is allowed only from a few management workstations.

Let’s configure two Community strings (one “READ ONLY” and another one “READ/WRITE”) and also apply IP address control with ACLs.

Router# config terminal
Router(config)# access-list 11 permit 192.168.1.0 0.0.0.15
Router(config)# access-list 12 permit 192.168.1.1
Router(config)# snmp-server community [email protected]#w5SDF RO 11 <- Create Read Only (RO) community string and use ACL 11 to allow SNMP access
Router(config)# snmp-server community Xcv4#56&454sdS RW 12 <- Create Read Write (RW) community string and use ACL 12 to allow SNMP access

The above commands allow the administrators’ subnet 192.168.1.0/28 Read Only SNMP access to the devices, and allow the single host 192.168.1.1 full Read/Write SNMP access.
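A checklist like this one is only useful if it is verified regularly against what is actually running. The following Python is an added example (not from the original article or from Cisco): it audits a saved running-config text against steps 1 to 10 above and returns a list of findings in plain words. The sample configuration is constructed and deliberately mixes compliant settings with several violations (a user created with “password” instead of “secret”, debug-level trap logging, the default “public” community string with no ACL, and a second VTY range with no access-class that still accepts Telnet); the hashes and community strings in it are placeholders.

```python
import re

# Constructed sample running-config: partly hardened, partly not.
SAMPLE_CONFIG = """\
hostname London
enable secret 5 $1$xyz$CONSTRUCTED_HASH
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ enable
aaa local authentication attempts max-fail 5
username john-admin secret 5 $1$abc$CONSTRUCTED_HASH
username legacy-admin password 7 0123456789ABCDEF
ip domain-name mydomain.com
ip ssh version 2
access-list 10 permit 192.168.1.0 0.0.0.15
logging trap 7
logging host 192.168.1.2
ntp server 1.1.1.1
snmp-server community public RO
snmp-server community CONSTRUCTED_RW_STRING RW 12
line con 0
 login authentication default
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Severity keywords IOS accepts in place of the numeric level
LEVEL_NAMES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
               "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
DEFAULT_COMMUNITIES = {"public", "private"}


def _vty_blocks(lines):
    """Map each 'line vty X Y' header to its indented sub-commands."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line vty"):
            current = line
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(text):
    """Return a list of human-readable findings for the checklist items not met."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip() and not l.startswith("!")]
    top = [l for l in lines if not l.startswith(" ")]
    findings = []

    def has(prefix):
        return any(l.startswith(prefix) for l in top)

    # Steps 1 and 2: hashed enable secret, obfuscation of the remaining passwords
    if not has("enable secret "):
        findings.append("no 'enable secret' configured")
    if has("enable password "):
        findings.append("'enable password' present; replace with 'enable secret'")
    if not has("service password-encryption"):
        findings.append("'service password-encryption' missing")

    # Steps 3 to 5: external AAA, hashed local accounts, lockout on failures
    if not has("aaa new-model"):
        findings.append("'aaa new-model' missing; AAA is disabled")
    login = [l for l in top if l.startswith("aaa authentication login default ")]
    if not any("group tacacs+" in l or "group radius" in l for l in login):
        findings.append("login authentication does not use an external TACACS+/RADIUS group")
    for l in top:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)} uses reversible 'password'; use 'secret'")
    if not has("aaa local authentication attempts max-fail"):
        findings.append("no lockout for failed local logins")

    # Steps 6 and 9: every VTY range needs an inbound access-class and SSH-only transport
    for header, sub in _vty_blocks(lines).items():
        if not any(s.startswith("access-class ") and s.endswith(" in") for s in sub):
            findings.append(f"{header}: no inbound access-class")
        transports = [s for s in sub if s.startswith("transport input ")]
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{header}: transport input is not restricted to ssh")
    if not has("ip ssh version 2"):
        findings.append("SSH version 2 not enforced")

    # Steps 7 and 8: remote syslog below debug level, and NTP
    if not has("logging host "):
        findings.append("no external syslog host")
    for l in top:
        m = re.match(r"logging trap (\S+)", l)
        if m:
            tok = m.group(1)
            if LEVEL_NAMES.get(tok, int(tok) if tok.isdigit() else None) == 7:
                findings.append("logging trap at level 7 (debug) will overload the device")
    if not has("ntp server "):
        findings.append("no NTP server configured")

    # Step 10: community strings must be non-default and bound to an ACL
    for l in top:
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?", l)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"snmp community '{name}' is a well-known default")
            if acl is None:
                findings.append(f"snmp {mode} community '{name}' has no ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

The audit works on text only, so it can be run against configurations pulled by a backup tool without touching the devices; the checks are string prefixes because IOS always writes these commands in canonical form when it saves the configuration.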

In a different post I will discuss security of the Control Plane so stay tuned.
