Securing the Management Plane of a Cisco Network Device

Date: Jul 11, 2011

When people think about the security of networking devices, they tend to think about the different types of attacks that can occur through these devices or what types of attack could be used to take down a networking device. A simpler idea, however, is to just take control of the device by attempting access using easy password or simply exploit lax management access policies. This article takes a look at a couple of the different features that can be used to secure the management plane of a Cisco network device (or devices) and reviews the basic configuration of these features.

When people think about the security of networking devices, they tend to think about the different types of attack that can occur through these devices or what types of attack could be used to take down a networking device. A simpler idea, however, is to just take control of the device by attempting access using easy passwords or simply exploiting lax management access policy. This article takes a look at a couple of the different features that can be used to secure the management plane of a Cisco network device(s) and reviews the basic configuration of these features.

Device Password and Command Security

Some of the easiest ways to protect a network device involve the implementation of a password and/or command configuration.

Device Passwords

One of the simplest methods to secure a device is by configuring a complex password (or passwords) that is used to access the device through the various login methods. There are a number of different passwords that are able to be configured on a Cisco device:

Enable password
Console password
VTY password
AUX password (on some devices)

Note, however, that Cisco devices, by default, store many passwords in the configuration in plaintext, which provides absolutely no password protection should the configuration file be accessed. This lack of protection can be prevented by issuing a single configuration command. The command required to prevent this issue is shown in the next section.

Device Password Configuration

The configuration of device passwords is rather simple and each is covered in the tables below:

Table 1

Step 1	Enter privileged mode.	router>enable
Step 2	Enter global configuration mode.	router#configure terminal
Step 3	Enable service password encryption. NOTE While this command does provide some level of password protection the encryption mechanism is not highly secure.	router(config)#service password-encryption
Step 4	Configure a secure privileged mode access password.	router(config)#enable secret password
Step 5	Enter console configuration mode.	router(config)#line con 0
Step 6	Configure a console password.	router(config-line)#password password
Step 7	Enter VTY configuration mode (on most devices the beginning line is 0 and the ending line is 4).	router(config-line)#line vty beginning-line ending-line
Step 8	Configure a VTY password.	router(config-line)#password password
Step 9	Enter AUX configuration mode (if available).	router(config-line)#line aux 0
Step 10	Configure a AUX password.	router(config-line)#password password
Step 11	Exit configuration mode.	router(config-line)#end

Privilege Levels

By default, users that log in to a Cisco device use one of two different privilege levels: 1 for user EXEC mode, and 15 for privileged EXEC mode. However, it is possible to configure the levels between 1 and 15 with access to a subset of commands. The configuration of different passwords and/or users within each configured privilege level can be either done on the device itself or via a Remote Authentication Dial In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) server.

Privilege Levels Configuration

There are two different methods of configuring the use of privilege levels on a Cisco device (not using RADIUS or TACACS+): using different enable passwords per privilege level, or configuring usernames that are set up with specific privilege levels. Both can be configured independently or together, and both utilize the same commands to setup the specific commands permitted within each level configured; Table 2 below shows the configuration commands required.

Table 2

Step 1	Enter privileged mode.	router>enable
Step 2	Enter global configuration mode.	router#configure terminal
Step 3	Configure the privilege levels and the commands that are permitted (this command can be entered multiple times). There are a number of different modes supported; the easiest way to look up these is to go here.	router(config)#privilege mode [all] {level level \| reset} command-string
Step 4	Configure a secure privileged mode access password using privilege levels.	router(config)#enable secret level level password
Step 5	Configure a username and password using privilege levels AND enable the used of the local database for login (this can be enabled on multiple line types).	router(config)#username username privilege level secret password AND router(config)#line line-type begin-line end-line AND router(config-line)#login local
Step 6	Exit configuration mode.	router(config-line)#end

AutoSecure

Another method to secure a Cisco networking device is to take advantage of the AutoSecure feature. The AutoSecure feature is used to automate a process that secures the access of a device. AutoSecure focuses on the security of the management plane and the forwarding plane, and allows them to be configured separately. Keep in mind that the AutoSecure feature uses the information that is in the existing configuration, which is entered in during configuration to make changes; if these configuration items are changed after the AutoSecure feature is run, a device can become insecure again.

AutoSecure Management Plane Security

The management plane security provided by the AutoSecure feature will automatically disable any unneeded or insecure services on the device, while at the same time enabling certain features to increase the security of the device. The different features that are affected are further classified into a number of sub-groups:

Enabling Global Services
- Passwords are prevented from being displayed in cleartext within the configuration (Using the service password-encryption)
- Abnormally closed or terminated TCP sessions are removed (Using the service tcp-keepalives-in and tcp-keepalives-out)
Disabling Global Services—The following services are disabled:
- Finger
- PAD
- Small Servers
- Bootp Server
- HTTP Server (May break management access)
- Identification Service
- Cisco Discovery Protocol (CDP) (May affect troubleshooting)
- Network Time Protocol (NTP)
- Source Routing
Disabling Per Interface Services—following services are disabled:
- ICMP redirects are disabled on all interfaces.
- ICMP unreachable are disabled on all interfaces.
- ICMP mask reply messages are disabled on all interfaces.
- Proxy-ARP is disabled on all interfaces.
- Directed broadcasts are disabled on all interfaces.
- Maintenance Operations Protocol (MOP) service is disabled on all interfaces.
Securing Access to the Router—The following features are configured:
- Device Text Banner is configured.
- Passwords are configured on the console, AUX, vty and tty lines.
- SSH and secure copy (SCP) are enabled if the devices is loaded with a crypto image.
- Simple Network Management Protocol is disabled if not required by the device.
- A local Authentication, Authorization, and Accounting username and password are configured.
Security Logging—The following features are configured:
- Sequence numbers and time stamps are enabled for all debugging and log messages.
- Logging messages are enabled for login-related events.
- Login attack security is enabled; this enabled the use of a “quiet mode” that disables login ability for an amount of time.
- System logging (syslog) is configured to send all messages to all available TTY lines and limits these messages to debugging severity.
- Internal message logging is enabled and is configured to limit messages based on the severity level.

AutoSecure Forwarding Plane Security

The forwarding plane security provided by the AutoSecure feature will configure features that are specific to potential attacks to the forwarding (data) plane:

Cisco Express Forwarding is enabled.
The TCP intercept feature is available to be configured.
Strict Unicast Reverse Path Forwarding (uRPF) feature is available to be configured.
The Context Based Access Control firewall is available to be configured.

AutoSecure Configuration

The steps required to configure the AutoSecure feature are shown in Table 2.

Table 3

Step 1	Enter privileged mode	router>enable
Step 2	Enter the AutoSecure configuration command	router#auto secure [management \| forwarding] [no-interact \| full] [ntp \| login \| ssh \| firewall]

Summary

There are certainly a number of different methods of exploiting network devices; the best advice to any network engineer is to try to protect for everything and to keep an eye on all attack attempts. Hopefully the information in this article will give a head start to those looking to secure the network device against management plane attacks.