Configuration hardening guides
By stretch | Friday, October 31, 2008 at 1:09 a.m. UTC
Do you harden your network device configurations? If not, you may want to start doing so.
Configuration hardening entails researching and employing various security measures in your baseline configuration templates. Small modifications like disabling ICMP redirects or forcing VTY line encryption are easy to implement but can greatly reduce your network's vulnerability to an attacker. And the best part is, most of the hard work has already been done for you.
One great source for best practices is the US National Security Agency, known to its friends simply as NSA. When they're not busy illegally intercepting the communications of private citizens, it seems they can produce some quality documentation. The NSA publishes security configuration guides on many types of IT systems, from network gear to operating systems, with a heavy focus on Cisco IOS routers and switches. There's also some great VOIP and IPv6 information.
If the NSA's looming shadow puts you off, another great source for configuration guidelines is Team Cymru. In the long list of documents there you'll find recommendations for both IOS and JUNOS gear, as well as a number of platform-independent papers.
Lastly, Cisco maintains their own device hardening checklist, as do other companies. Note that many of these concepts are easily adapted and applied to equipment from a variety of vendors.
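The two measures named above (ICMP redirects, VTY encryption) and the PMTUD caveat raised in the comments below can be checked against a saved configuration. This Python sketch is an added example, not code from the original post or from any of the linked guides; the sample config and the names parse_sections and audit are constructed for illustration, and it assumes IOS-style running-config text in which a default-enabled "ip redirects" is not displayed.

```python
# Constructed sample running-config fragment (not from the original page).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 no ip redirects
!
interface FastEthernet0/1
 no ip redirects
 no ip unreachables
!
interface Serial0/0
!
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

def parse_sections(config):
    """Group indented sub-commands under their 'interface' or 'line' header."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or a global command closes the section
    return sections

def audit(config):
    """Return (level, section, message) findings for the checks discussed above."""
    findings = []
    for header, cmds in parse_sections(config).items():
        if header.startswith("interface "):
            if "no ip redirects" not in cmds:
                findings.append(("WARN", header, "ICMP redirects not disabled"))
            if "no ip unreachables" in cmds:
                findings.append(("INFO", header, "unreachables off: verify PMTUD"))
        elif header.startswith("line vty"):
            # Assumption: anything other than exactly 'transport input ssh' is a finding.
            allowed = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            if allowed != [["ssh"]]:
                findings.append(("WARN", header, "VTY not restricted to SSH"))
    return findings

if __name__ == "__main__":
    for level, section, message in audit(SAMPLE_CONFIG):
        print(f"{level:4} {section}: {message}")
```

A VTY block with no "transport input" line is reported as well, since the default set of permitted protocols differs between releases.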
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Resources
October 31, 2008 at 4:18 p.m. UTC
I remember when the NSA came out with their own public version of Linux, "hey install this", and now the Vista hardening guide is an MSI installer rather than a doc. Color me paranoid. Great article however, I'm bookmarking the router and switch guides.
October 31, 2008 at 5:11 p.m. UTC
I have used them for years. The NSA guides are very well done.
November 9, 2008 at 11:09 p.m. UTC
Good updates, and good links for useful n/w resources. Bookmarked :)
November 12, 2008 at 1:58 a.m. UTC
I use them daily as I work for a government contractor. Even if you don't, it's a MUST have guide to make sure your devices are hardened.
November 13, 2008 at 9:51 p.m. UTC
On page 75:
"Three ICMP messages are commonly used by attackers for network mapping and diagnosis: ‘Host unreachable’, ‘Redirect’, and ‘Mask Reply’. Automatic generation of these messages should be disabled on all interfaces, especially interfaces that are connected to untrusted networks. The example below shows how to turn them off for an interface."
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface eth 0/0
Central(config-if)# no ip unreachables
As you've already mentioned, one should be very careful with the recommendation to always disable ICMP unreachable, as it breaks PMTUD.
November 3, 2011 at 10:48 a.m. UTC
Came across this article in the "3-Year Replay" feed, and wanted to add some updated information, in case anyone else stumbles across it too.
The NSA configuration guides are getting a little ... "long-in-the-tooth" at this point. The last update was dated December 15, 2005. Obviously, in the 6 years since then, there have been significant advances in router security technologies (and practices).
One of the best guides available (for free) is the Cisco doc that Stretch mentioned. Cisco has continued to update and refine their "Guide To Harden Cisco IOS Devices". It was updated as recently as June 7, 2011. They've added links to additional references, and even a checklist at the end. It's well worth the time to read and understand as much as you can.
It also looks like they maintain a similar guide for IOS-XR devices. I don't generally work with the platform, but it might be useful if you do:
The NSA guide is old. The Cisco guide is actively maintained, and just better. Go with the Cisco guide.
April 19, 2016 at 6:29 a.m. UTC