[ NOTE: Version 2.1 is an update to the 2.0 version, and includes many enhancements suggested by the Cisco user community as well as employees of Cisco. I want to thank everyone who took the time to review this template and suggest changes. The response was amazing, and I continue to receive about 1000 downloads of this document per week. ]
Changes in version 2.1:
One of the challenges of any network is how to mitigate, if not deny, the various attacks launched daily on the Internet. While blocking the script kiddies and their attempts to gain root or scan a subnet is one challenge, a greater challenge has been to mitigate the DDOS attacks. While nothing is foolproof, layers of protection can be applied to the problem.
Taking a holistic view of the challenge led to the creation of the layered approach. In this approach, the following philosophies are applied:
1) The border router provides for protocol protection and defends itself and the firewall.
2) The firewall provides port protection and defends itself and the hosts residing behind it.
3) The end stations are configured to survive various DOS attacks as well as to reduce the number of noxious services which might be exploited.
This results in the "funnel effect," wherein progressively less nasty traffic comes through the overall pipe. The network is "crunchy through and through," not just at the edges.
The purpose of this document is to introduce the first wall of defense, the router. The attached template provides a work in progress towards the goal of a secure border device.
The Cisco Secure IOS Configuration Template is simply a template, or a starting point. Individual sites will need to modify the template to varying degrees. For example, the template does not include any routing protocol information. This would make the template far too large and specific. Although one could argue that a BGP configuration would meet the needs of a great many border routers, it was decided to shelve that piece for another template. You may view my Secure Cisco BGP Configuration Template here. As with all templates, your mileage may vary.
The template has undergone a trial by fire, protecting various sites. In one case, a modified version of this template protects a site that endures upwards of 10000 attacks per day. The template has weathered the storm well, although not without some real time modification. As the instruments and methods of the malcontents change, so do the attack styles. However, this template has yet to fail, and the sites behind it have remained on-line throughout attacks of moderate to great intensity.
Clearly, hardware counts. A 2501 with this template will not provide much in the way of protection, and certain features of this template will not work on the lower tier of Cisco routing products. The template was written with a Cisco 7000 or greater model in mind. The IOS level for this template should be 12 or one of the 12 sub-releases, e.g. 12.0.9.
This template is not a panacea. It will not stop all attack types. It is simply a part of a larger design. Remember the layered approach.
As noted, the template must be modified to fit the environment. Obviously such things as IP addresses and routes must be changed. However, there are other decisions to be made. The IP addresses of the FTP, TACACS+, and syslog servers must be noted, for example.
One of the most important decisions to be made is in regards to TCP Intercept. While TCP Intercept has proven, on high-end Cisco gear, to be a robust SYN defense, it will not work in environments where there exists more than one path into the protected networks. A network that peers (BGP) with more than one provider and has more than a single router is one such example. However, it is possible that the network to be protected has a single router (or a single PRIMARY router), which assures a symmetric data flow.
Enabling the anti-spoofing feature of CEF (reverse-path) is another thorny issue for those with the potential for asymmetric data flows. In this case, ACLs should be used for anti-spoofing protection. Both options are provided in the template.
Determining the proper CAR limits for ICMP and UDP is quite site specific. While some defaults have been placed in the configuration, it is best to size the pipe and modify the limits accordingly. It is difficult to model a situation where ICMP should be allowed more than 575Kb/s of bandwidth; however, your mileage may vary.
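The rate-limit lines in the template take three numbers: a sustained rate in bits per second, a normal burst in bytes, and an extended burst in bytes. The following is an added example, not part of the original template and not Cisco's code, that models the ICMP limit (496000 bps, 550000-byte normal burst) as a token bucket so the limit can be sized against a known packet size and arrival rate. It is a simplification: real CAR also uses the extended burst (575000 here) to drop probabilistically once the normal burst is exhausted, which this model omits, treating the normal burst as a hard ceiling. The traffic streams are constructed.

```python
"""Simplified token-bucket model of a CAR rate limit (added example, not Cisco code).

Template line modelled:
  rate-limit input access-group 160 496000 550000 575000 conform-action transmit exceed-action drop
    496000 = sustained rate, bits/s   550000 = normal burst, bytes   575000 = extended burst, bytes
The extended-burst (probabilistic drop) behaviour of real CAR is deliberately omitted.
"""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class TokenBucket:
    rate_bps: int                  # CAR sustained rate in bits per second
    normal_burst: int              # CAR normal burst in bytes (bucket depth)
    tokens: Fraction = field(init=False)
    last_t: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        self.tokens = Fraction(self.normal_burst)   # the bucket starts full

    def offer(self, t, size):
        """Return True if a packet of `size` bytes arriving at time t (seconds)
        conforms. Only conforming packets consume tokens; exceeding ones are dropped."""
        t = Fraction(t)
        refill = (t - self.last_t) * Fraction(self.rate_bps, 8)   # bits/s -> bytes
        self.tokens = min(Fraction(self.normal_burst), self.tokens + refill)
        self.last_t = t
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False


def sustained_pps(rate_bps, pkt_bytes):
    """Packets per second of a given size that the sustained rate alone allows."""
    return rate_bps // (8 * pkt_bytes)


def simulate(rate_bps, normal_burst, pkt_bytes, pps, seconds):
    """Offer an evenly spaced stream of pkt_bytes packets at `pps` for `seconds`.
    Returns (conforming, exceeding) packet counts. Exact arithmetic via Fraction."""
    bucket = TokenBucket(rate_bps, normal_burst)
    conform = exceed = 0
    for i in range(pps * seconds):
        if bucket.offer(Fraction(i, pps), pkt_bytes):
            conform += 1
        else:
            exceed += 1
    return conform, exceed


# Limits taken from the template's two rate-limit lines (rate bps, normal burst bytes).
ICMP_LIMIT = (496000, 550000)    # access-list 160
UDP_LIMIT = (1000000, 1500000)   # access-list 150

if __name__ == "__main__":
    # Constructed scenarios: 84-byte echo requests (20-byte IP + 8-byte ICMP + 56 data).
    print("84-byte ICMP sustained by rate alone:", sustained_pps(ICMP_LIMIT[0], 84), "pps")
    print("2 s at 500 pps  (conform, exceed):", simulate(*ICMP_LIMIT, 84, 500, 2))
    print("2 s at 10000 pps (conform, exceed):", simulate(*ICMP_LIMIT, 84, 10000, 2))
```

The second scenario shows what "sizing the pipe" means in practice: the burst bucket lets a flood through until 550000 bytes are spent, after which only about one packet in fourteen conforms, which is the 62000 bytes/s of the sustained rate.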
If TCP Intercept is enabled, two concerns come to the fore.
First, do not use black hole routes. TCP Intercept is coded to handle a SYN/ACK or RST, not silence. A simple DOS is possible if the router proxies the TCP sockets and no one is there to answer the call on the other side.
Second, when paired with a firewall, ensure that the firewall will issue a RST for denied services. The same reasoning as noted above applies here.
As with all things, test, test, test. Do not deploy a configuration without thoroughly testing it in a non-production environment. If you do not understand the commands or the accompanying comments, do not utilize them. You may find yourself in a sticky debugging session at some point, so complete understanding of the configuration is highly recommended.
This is a work in progress, and feedback from those who use the template, have their own bag of tricks, or endure malicious attacks is most welcome! If you have questions, I will do my best to answer them and assist you. Please route all commentary and questions to robt@cymru.com.
I hope you find this helpful in your effort to fend off the Internet vandals!
The commands are in BOLD text so that they stand out from the surrounding comments.
! Secure router configuration template.
! Version 2.0
! @(#)Secure IOS template v2.0 23 May 2000 Rob Thomas robt@cymru.com
! @(#)http://www.cymru.com/~robt/Docs/Articles/secure-ios-template.html
!
! This configuration assumes the following topology:
!
! Upstream/Internet
! 5.5.5.1/24
! |
! 5.5.5.254/24 (Ethernet 2/0)
! THIS ROUTER
! 6.6.6.254/24 (Ethernet 2/1)
! |
! 6.6.6.1/24
! Firewall
! 7.7.7.1/24
! |
! 7.7.7.0/24
! Intranet
!
! In this case, 7.7.7.5 is the loghost, FTP server, etc.
! for the router. It could also be the firewall if
! circumstances dictate.
!
! 14 June 2000 - Added more bogon networks to the filters
! and changed the black hole gateway from null0 to loopback0
! to improve router performance.
!
version 12.0
service nagle
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname secure-router01
!
boot system flash slot0:rsp-jsv-mz.120-9.bin
logging buffered 16384 debugging
no logging console
enable secret
!
! Use TACACS+ for AAA. Ensure that the local account is
! case-sensitive, thus making brute-force attacks less
! effective.
aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ local-case
aaa authorization commands 15 default group tacacs+ local-case
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default stop-only group tacacs+
tacacs-server host 7.7.7.5
tacacs-server key cheezit
!
! In the event that TACACS+ fails, use case-sensitive local
! authentication instead. Keeps the hackers guessing, and
! the router more secure.
username <USERNAME> password <PASSWORD>
!
! Export our NetFlow data to our NetFlow server, 7.7.7.5. NetFlow
! provides some statistics that can be of use when tracing the true
! source of a spoofed attack.
ip flow-export source ethernet 2/1
ip flow-export destination 7.7.7.5 2055
ip flow-export version 5 origin-as
!
! Allow us to use the low subnet and go classless
ip subnet-zero
ip classless
!
! IDENT (RFC 1413) is an easily manipulated and spoofed protocol.
! Still, it does provide some useful information at times. Your
! mileage may vary.
ip ident
!
! Disable noxious services
no ip source-route
no ip finger
no ip bootp server
no ip domain-lookup
!
! Enable TCP Intercept to protect against SYN flooding.
ip tcp intercept list 120
! Watch the "flow" for only 60 seconds (not the default
! 24 hours).
ip tcp intercept connection-timeout 60
! Keep half-open sockets only 10 seconds.
ip tcp intercept watch-timeout 10
! Set the low water mark to 1500 active opens per minute.
ip tcp intercept one-minute low 1500
! Set the high water mark to 6000 active opens per minute.
ip tcp intercept one-minute high 6000
!
! Catch crash dumps; very important with a "security router."
ip ftp username rooter
ip ftp password
exception dump 7.7.7.5
! Fire up CEF for both performance and security.
ip cef
! Set the timezone properly.
clock timezone CST -6
clock summer-time CDT recurring
!
! Configure loopback0 as a place to send naughty packets. This
! becomes the "roach motel" for packets -- they can route in,
! but they can't route out.
interface loopback0
! Unlike the null device, we must have an IP address. Select one that is
! unused in your environment (unless required for BGP, etc.).
ip address 10.10.10.10 255.255.255.255
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no cdp enable
!
interface Ethernet2/0
description Unprotected interface, facing towards Internet
ip address 5.5.5.254 255.255.255.0
! Do we run CEF verify? Yes if the data path is symmetric. No
! if the data path is asymmetric.
ip verify unicast reverse-path
! Apply our template ACL
ip access-group 110 in
! Allow UDP to occupy no more than 2 Mb/s of the pipe.
rate-limit input access-group 150 1000000 1500000 2000000 conform-action transmit exceed-action drop
! Allow ICMP to occupy no more than 575 Kb/s of the pipe.
rate-limit input access-group 160 496000 550000 575000 conform-action transmit exceed-action drop
! Don't send redirects.
no ip redirects
! Don't send unreachables.
no ip unreachables
! Don't propagate smurf attacks.
no ip directed-broadcast
! Don't pretend to be something you're not. :-)
no ip proxy-arp
! Do not reveal our netmask
no ip mask-reply
! Log all naughty business.
ip accounting access-violations
! Keep flow data for analysis. If possible, export it to a
! cflowd server.
ip route-cache flow
! Keep mum about our configuration, etc.
no cdp enable
!
interface Ethernet2/1
description Protected interface, facing towards DMZ
ip address 6.6.6.254 255.255.255.0
! Do we run CEF verify? Yes if the data path is symmetric. No
! if the data path is asymmetric.
ip verify unicast reverse-path
! If we are using RPF, comment out the ACL below.
ip access-group 115 in
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip mask-reply
ip route-cache flow
no cdp enable
!
ip classless
! Default route to the Internet (could be a routing
! protocol instead)
ip route 0.0.0.0 0.0.0.0 5.5.5.1
! Route to network on the other side of the firewall
ip route 7.7.7.0 255.255.255.0 6.6.6.1
! Black hole routes. Be VERY careful about enabling these
! when running TCP Intercept.
ip route 1.0.0.0 255.0.0.0 loopback0
ip route 2.0.0.0 255.0.0.0 loopback0
ip route 10.0.0.0 255.0.0.0 loopback0
ip route 192.168.0.0 255.255.0.0 loopback0
ip route 172.16.0.0 255.240.0.0 loopback0
ip route 192.0.2.0 255.255.255.0 loopback0
ip route 169.254.0.0 255.255.0.0 loopback0
!
! Log anything interesting to the loghost. Capture all of
! the logging output with FACILITY LOCAL5.
logging trap debugging
logging facility local5
logging 7.7.7.5
! With the ACLs, it is important to log the naughty folks.
! Thus, the implicit drop all ACL is replaced (augmented,
! actually) with an explicit drop all that logs the attempt.
! Block access to all but the loghost and the firewall
access-list 10 permit 7.7.7.5
access-list 10 permit 6.6.6.1
access-list 10 deny any log
!
! Leave one VTY safe for access, just in case. The host
! 7.7.7.8 is a secure host in the NOC. If all the VTYs are
! occupied, this leaves one VTY available.
access-list 15 permit 7.7.7.8
access-list 15 deny any log
!
! Block SNMP access to all but the loghost
access-list 20 permit 7.7.7.5
access-list 20 deny any log
!
! Deny any packets from the RFC 1918, IANA reserved, test,
! multicast as a source, and loopback netblocks to block
! attacks from commonly spoofed IP addresses.
! All zero, all one
access-list 110 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip host 255.255.255.255 any log-input
! Claims it came from the inside network, yet arrives on the
! outside (read: Internet) interface. Do not use this if CEF
! has been configured to take care of spoofing.
! access-list 110 deny ip 6.6.6.0 0.0.0.255 any log-input
! access-list 110 deny ip 7.7.7.0 0.0.0.255 any log-input
! IANA reserved
access-list 110 deny ip 1.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip 2.0.0.0 0.255.255.255 any log-input
! Loopback
access-list 110 deny ip 127.0.0.0 0.255.255.255 any log-input
! RFC 1918
access-list 110 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 110 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 110 deny ip 172.16.0.0 0.15.255.255 any log-input
! Link local reserved
access-list 110 deny ip 169.254.0.0 0.0.255.255 any log-input
! IANA example network
access-list 110 deny ip 192.0.2.0 0.0.0.255 any log-input
! Multicast
access-list 110 deny ip 224.0.0.0 15.255.255.255 any log-input
! Experimental
access-list 110 deny ip 240.0.0.0 15.255.255.255 any log-input
! Allow IP access to the intranet (firewall filters specific ports)
access-list 110 permit ip any 7.7.7.0 0.0.0.255
! Our explicit (read: logged) drop all rule
access-list 110 deny ip any any log-input
!
! Configure an ACL that prevents spoofing from within our network.
! This ACL assumes that we need to access the Internet only from the
! 7.7.7.0/24 network. If you have additional networks behind
! 7.7.7.0/24, then add them into this ACL.
! First, allow our intranet to access the Internet.
access-list 115 permit ip 7.7.7.0 0.0.0.255 any
! Second, allow our firewall to access the Internet. This is useful
! for testing.
access-list 115 permit ip host 6.6.6.1 any
! Now log all other such attempts.
access-list 115 deny ip any any log-input
!
! Configure an ACL for TCP Intercept. This will protect the
! hosts on the intranet (e.g. web servers) from SYN floods.
access-list 120 permit tcp any 7.7.7.0 0.0.0.255
!
! Rate limit (CAR) ACLs for UDP and ICMP.
access-list 150 permit udp any any
access-list 160 permit icmp any any
!
! Again, be quiet.
no cdp run
! SNMP is VERY important, particularly with MRTG.
snmp-server community
! Introduce ourselves with an appropriately stern banner.
banner motd %
Router foo. Unauthorized access to this device or the attached
networks is prohibited without express written permission.
Violators will be prosecuted to the fullest extent of both civil
and criminal law.
We don't like you. Go away.
%
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 3
! Enable SSH connectivity. This is much more secure than telnet.
! Obviously, you must have an IOS image that supports SSH, and don't
! forget to generate the key with crypto key generate rsa.
transport input telnet ssh
access-class 10 in
line vty 4
transport input telnet ssh
access-class 15 in
!
! END
Rob Thomas, robt@cymru.com, http://www.cymru.com/~robt