Friday, December 5, 2008
1. Reverse Path Forwarding
When you enable Reverse Path Forwarding (RPF) on an interface, the router will check with a lookup in the FIB/CEF table to see that there exists a path back to the source address on the interface on which it receives a packet. This avoids spoofing of packets.
The way to configure reverse path forwarding is like this
Router#configure terminal
Router(config)#interface GigabitEthernet 2/1
Router(config-if)#ip verify unicast reverse-path
2. Silence that port
A lot of networks leak sensitive information on their switchports, this should be a pretty silent switchport.
Switch#configure terminal
Switch(config)#interface GigabitEthernet0/16
Switch(config-if)#no cdp enable
Switch(config-if)#spanning-tree bpdufilter enable
Switch(config-if)#no keepalive
This will supress CDP (Cisco Discovery Protocol), spanning-tree bpdu’s and ethernet keepalives on that interface. In my last post I wrote a little about storm-control and port security.
3. Configure AAA and ACL’s for secure VTY access
VTY’s are for example the telnet connections on Cisco, to configure who should be able to access your switch via telnet just do like this:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#access-list 80 permit 10.0.0.0 0.0.0.255
Switch(config)#access-list 80 permit 192.168.0.0 0.0.255.255
Switch(config)#line vty 0 15
Switch(config-line)#access-class 80 in
Switch(config-line)#end
Switch#
This will limit VTY access to 10.0.0.0/8 and 192.168.0.0/16, the netmask is a Cisco wildcard mask, troubles figuring them out? Try the wildcard cheat.
If you want to have separate users (will show up in logs) instead of the regular password prompt, you can configure AAA as such:
Switch#configure terminal
Switch(config)#username cisco secret mypassword
Switch(config)#aaa new-model
Switch(config)#aaa authentication login default local
Switch(config)#line vty 0 15
Switch(config-line)#login authentication default
Switch(config-line)#^Z
Switch#
4. Encrypt passwords in Configuration
Do you see this in your configuration?
Switch#show run | include ^username
username admin password 0 mysecret
To enable encryption of passwords just configure
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption
Switch(config)#end
*Mar 4 10:21:10.343: %SYS-5-CONFIG_I: Configured from console by console
Switch#show run | include ^username
username admin password 7 060B1632494D1B1C11
This gives Cisco Type 7 encryption (which, I am sorry to say; is very crackable), but it is at least something.
I like to use ’secret’ instead of ‘password’ which gives MD5 passwords in the configuration file, I am not sure of the difference, but it seems to give me what I want.
5. More secure routing protocols with passive-interface default
A passive interface is an interface which does not send nor receive routing information. Passive-interface default is supported by all routing protocols, and is configured quickly.
router routing-protocol
passive-interface default
no passive-interface interface
Passive-interface default sets all interfaces passive, and no passive-interface activates one interface. I have a more real life configuration example below.
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router ospf 1
Router(config-router)#passive-interface default
Router(config-router)#no passive-interface fastEthernet 0/2
Router(config-router)#^Z
Router#
*Mar 4 10:36:17.931: %SYS-5-CONFIG_I: Configured from console by console
This will ensure that OSPF traffic is only exchanged on fastEthernet 0/2.
Labels: CCNA, CISCO, Cisco configure, Cisco IOS, CISCO MARS, Cisco Network, Cisco Router, Cisco Switches