Thursday, 15 October 2009

Improving the security of a Cisco device with Auto Secure

We know that security has to be one of the factors taken into account in any deployment, and leaving a device configured so that it is hard to hack is a real challenge.

Unnecessary services and insecure protocols must be disabled, AAA set up, and several other things handled that not everyone knows about.

Now, starting with version 12.3, IOS provides a feature called Auto Secure, a kind of wizard that can harden the device interactively (just like the setup mode you enter when there is no startup-config).

To use it in its most basic form, the steps are as follows:

Router#auto secure                                                                  
                --- AutoSecure Configuration ---                                    

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***                             

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed 
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for 
Autosecure documentation.                                    
At any prompt you may enter '?' for help.                    
Use ctrl-c to abort this session at any prompt.              

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                192.168.1.1     YES manual up                    up      
GigabitEthernet0/0         192.168.2.1     YES manual up                    up      
GigabitEthernet1/0         192.168.3.1     YES manual up                    up      
GigabitEthernet2/0         192.168.4.1     YES manual up                    up      
SSLVPN-VIF0                unassigned      NO  unset  up                    up      
Enter the interface name that is facing the internet: Ethernet0/0                   

Securing Management plane services...

Disabling service finger
Disabling service pad   
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in  
Enabling service tcp-keepalives-out 
Disabling the cdp protocol          

Disabling the bootp server
Disabling the http server 
Disabling the finger service
Disabling source routing    
Disabling gratuitous arp    

Is SNMP used to manage the router? [yes/no]: yes
SNMPv1 & SNMPv2c are unsecure, try to use SNMPv3

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.                         

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED. 
  You must have explicit permission to access this  
  device. All activities performed on this device   
  are logged. Any violations of access policy will result
  in disciplinary action.                                

Enter the security banner {Put the banner between
k and k, where k is any character}:              
#                                                
The access to this device or attached networks   
is prohibited without express written permission.
Violators will be prosecuted to the fullest extent
of both civil and criminal law.                   

We don't like you.

Go away!
#       

Configuration of local user database
Enter the username: ariel           
Enter the password:                 
Confirm the password:               
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks            
Configure the following parameters               

Blocking Period when Login Attack detected: 5

Maximum Login failures with the device: 3

Maximum time period for crossing the failed login attempts: 5

Configure SSH server? [yes]: yes
Enter the hostname: Router-Internet
Enter the domain-name: capaocho.net

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply        
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...


Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:

no service finger
no service pad   
no service udp-small-servers
no service tcp-small-servers
service password-encryption 
service tcp-keepalives-in   
service tcp-keepalives-out  
no cdp run                  
no ip bootp server          
no ip http server           
no ip finger                
no ip source-route          
no ip gratuitous-arps       
no ip identd                
banner motd ^C              
The access to this device or attached networks
is prohibited without express written permission.
Violators will be prosecuted to the fullest extent
of both civil and criminal law.^C                 
security passwords min-length 6                   
security authentication failure rate 10 log       
username ariel password 7 021501590A151B284D40    
aaa new-model                                     
aaa authentication login local_auth local         
line con 0                                        
 login authentication local_auth                  
 exec-timeout 5 0                                 
 transport output telnet                          
line aux 0                                        
 login authentication local_auth                  
 exec-timeout 10 0                                
 transport output telnet                          
line vty 0 4                                      
 login authentication local_auth                  
 transport input telnet                           
login block-for 5 attempts 3 within 5             
hostname Router-Internet                          
ip domain-name capaocho.net                       
crypto key generate rsa general-keys modulus 1024 
ip ssh time-out 60                                
ip ssh authentication-retries 2                   
line vty 0 4                                      
 transport input ssh telnet                       
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone  
logging facility local2                                       
logging trap debugging                                        
service sequence-numbers                                      
logging console critical                                      
logging buffered                                              
interface Ethernet0/0                                         
 no ip redirects                                              
 no ip proxy-arp                                              
 no ip unreachables                                           
 no ip directed-broadcast                                     
 no ip mask-reply
 no mop enabled
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface GigabitEthernet1/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface GigabitEthernet2/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Ethernet0/0
 ip inspect autosec_inspect out
 ip access-group autosec_firewall_acl in
!
end


Apply this configuration to running-config? [yes]:

Applying the config generated to running-config
The name for the keys will be: Router-Internet.capaocho.net

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

Router-Internet#


Although automatic tools are not always the best way out, it is fair to say that this feature will surely configure several things we did not have enabled.
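As an added example, not part of the original post nor a Cisco tool, here is a small Python audit that parses the configuration AutoSecure generated above, checks that the expected global hardening commands are present, and flags two things the wizard leaves in place as shown in the output: the vty lines still accept telnet alongside SSH, and the local user is stored as a reversible type 7 password. The abridged config embedded in the script is constructed from the output above, and the list of required commands is my own assumption.

```python
import re
from collections import defaultdict
# Constructed, abridged excerpt of the config AutoSecure printed above.
SAMPLE_CONFIG = """\
no service finger
service password-encryption
no cdp run
no ip http server
username ariel password 7 021501590A151B284D40
aaa new-model
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 5 attempts 3 within 5
line vty 0 4
 transport input ssh telnet
"""
# Global hardening commands we assume AutoSecure should leave in place.
REQUIRED_GLOBAL = ("no service finger", "service password-encryption", "no cdp run",
                   "no ip http server", "no ip bootp server", "aaa new-model")

def parse_config(text):
    """Split an IOS config into global commands and per-section sub-commands.
    A repeated section ('line vty 0 4' above) appends, so the last setting wins."""
    globals_, sections, current = set(), defaultdict(list), None
    for line in map(str.rstrip, text.splitlines()):
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):                 # sub-command of the open section
            if current is not None:
                sections[current].append(line.strip())
        else:
            globals_.add(line)
            current = line if line.startswith(("line ", "interface ")) else None
    return globals_, sections

def audit(text):
    """Return (missing_required, findings) for an AutoSecure-style config."""
    globals_, sections = parse_config(text)
    missing = [cmd for cmd in REQUIRED_GLOBAL if cmd not in globals_]
    findings = []
    for name, subs in sections.items():
        transports = [s.split()[2:] for s in subs if s.startswith("transport input ")]
        if name.startswith("line vty") and transports and "telnet" in transports[-1]:
            findings.append(f"{name}: telnet still accepted; prefer 'transport input ssh'")
    for cmd in globals_:
        if re.match(r"username \S+ password 7 ", cmd):
            findings.append(f"{cmd.split()[1]}: type 7 password is reversible; use 'secret'")
    return missing, sorted(findings)
```

Run `audit(SAMPLE_CONFIG)` on the embedded excerpt and it reports `no ip bootp server` as missing plus the two findings; feed it your own `show running-config` text to check a real device.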

See you next time.

4 comments:

fede said...

Thanks for this and the other security articles I have read lately on your blog (IOS Resilient).

I have taken the CCNA Security course and I am preparing for the certification.
I am a bit "stuck" on CBAC firewalls. Could you give me a hand?

The main doubt I have is where to place it. I have seen Cisco examples (the ones included in PT and the ones in the curriculum) that place it on the inside interface in the inbound direction, and others (like this article and the Cisco CCNA Security book by Michael Watkins) that place it on the outside interface in the outbound direction.

Could you clarify why there is so much "confusion"? Are both solutions correct?

I hope I have explained myself clearly.

Thanks in advance and regards, Ariel :D

Ariel S. Weher said...

Well, there is no single recipe...

It all depends on your scenario.

Regards

fede said...

Thanks for your quick reply, Ariel :D

Anonymous said...

Very useful information.
Thank you very much!!
