Unnecessary services, insecure protocols, AAA and several other things that not everyone knows about all have to be taken care of.
Now, starting with version 12.3, IOS provides a feature called AutoSecure, a kind of wizard that hardens the device interactively (much like the setup mode you get when there is no startup-config).
To use it in its most basic form, the steps are as follows:
Router#auto secure
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***
AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1
Interface           IP-Address      OK? Method Status   Protocol
Ethernet0/0         192.168.1.1     YES manual up       up
GigabitEthernet0/0  192.168.2.1     YES manual up       up
GigabitEthernet1/0  192.168.3.1     YES manual up       up
GigabitEthernet2/0  192.168.4.1     YES manual up       up
SSLVPN-VIF0         unassigned      NO  unset  up       up
Enter the interface name that is facing the internet: Ethernet0/0
Securing Management plane services...
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp
Is SNMP used to manage the router? [yes/no]: yes
SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3
Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.
Authorized Access only
This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this device. All activities performed on this device are logged. Any violations of access policy will result in disciplinary action.
Enter the security banner {Put the banner between k and k, where k is any character}:
# The access to this device or attached networks is prohibited without express written permission. Violators will be prosecuted to the fullest extent of both civil and criminal law. We don't like you. Go away! #
Configuration of local user database
Enter the username: ariel
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters
Blocking Period when Login Attack detected: 5
Maximum Login failures with the device: 3
Maximum time period for crossing the failed login attempts: 5
Configure SSH server? [yes]: yes
Enter the hostname: Router-Internet
Enter the domain-name: capaocho.net
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces
Securing Forwarding plane services...
Configure CBAC Firewall feature? [yes/no]: yes
This is the configuration generated:
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^C The access to this device or attached networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil and criminal law.^C
security passwords min-length 6
security authentication failure rate 10 log
username ariel password 7 021501590A151B284D40
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
login block-for 5 attempts 3 within 5
hostname Router-Internet
ip domain-name capaocho.net
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface Ethernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface GigabitEthernet2/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface Ethernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]:
Applying the config generated to running-config
The name for the keys will be: Router-Internet.capaocho.net
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
Router-Internet#
Although automatic tools are not always the best way out, it is fair to say that this feature will almost certainly configure several things we do not have enabled.
See you next time.
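To see which of those hardening items a given router is actually missing, the following Python script (an added example, not part of the original post or of Cisco's AutoSecure) compares the text of a `show running-config` against the global and per-interface commands that the AutoSecure session above generates. The expected command lists are taken from that session; the sample configuration is constructed for the example. Note that IOS omits some default settings from the running-config, so an item reported here means "not explicitly configured", which is exactly what AutoSecure would add.

```python
# Global management-plane commands emitted by AutoSecure in the session above.
GLOBAL_HARDENING = [
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no cdp run",
    "no ip bootp server",
    "no ip http server",
    "no ip finger",
    "no ip source-route",
    "no ip gratuitous-arps",
    "no ip identd",
    "aaa new-model",
]

# Per-interface commands AutoSecure applies to every interface.
INTERFACE_HARDENING = [
    "no ip redirects",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip mask-reply",
    "no mop enabled",
]

# Constructed sample of a partially hardened running-config (not a real device).
SAMPLE_CONFIG = """\
hostname Router-Internet
service password-encryption
no ip http server
no cdp run
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
!
line vty 0 4
 transport input telnet
!
end
"""


def parse_config(text):
    """Split an IOS config into the set of global lines and a dict of
    interface name -> set of its indented subcommands."""
    global_lines = set()
    interfaces = {}
    current = None  # name of the interface section being read, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # '!' terminates a section in IOS output
            continue
        if line.startswith(" "):
            # Indented line: a subcommand of the open section.
            if current in interfaces:
                interfaces[current].add(line.strip())
            continue  # subcommands of non-interface sections are ignored here
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = set()
        else:
            global_lines.add(line)
    return global_lines, interfaces


def missing_hardening(text):
    """Return the AutoSecure commands absent from the config: a list for the
    global section and, per interface, a list of the missing subcommands
    (interfaces that are fully hardened are left out of the report)."""
    global_lines, interfaces = parse_config(text)
    report = {
        "global": [cmd for cmd in GLOBAL_HARDENING if cmd not in global_lines],
        "interfaces": {},
    }
    for name, lines in interfaces.items():
        gaps = [cmd for cmd in INTERFACE_HARDENING if cmd not in lines]
        if gaps:
            report["interfaces"][name] = gaps
    return report


if __name__ == "__main__":
    result = missing_hardening(SAMPLE_CONFIG)
    print("Missing global commands:")
    for cmd in result["global"]:
        print("  " + cmd)
    for name, gaps in result["interfaces"].items():
        print(f"Interface {name} is missing: {', '.join(gaps)}")
```

Running it on the sample reports twelve global commands still unset and flags GigabitEthernet0/0 (which only has `no ip redirects`) while leaving the fully hardened Ethernet0/0 out of the report; paste the output of `show running-config` from a real router into `SAMPLE_CONFIG` to get the same diff for it.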
4 comments:
Thanks for this and the other security articles I've read on your blog lately (IOS resilient).
I took the CCNA Security course and I'm preparing for the certification.
I'm a bit "stuck" on CBAC firewalls. Could you give me a hand?
My main doubt is where to place it. I've seen Cisco examples (the ones included in PT and those in the curriculum) that place it on the internal interface in the inbound direction, and others (like this article and Cisco's CCNA Security book by Michael Watkins) that place it on the outbound interface in the outbound direction.
Could you clarify why there is so much "confusion"? Are both solutions correct?
I hope I've explained myself clearly.
Thanks in advance and regards, Ariel :D
And there is no single recipe...
It all depends on your scenario.
Regards
Thanks for your quick reply, Ariel :D
Very useful information.
Thanks a lot!!