-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Table Of Contents
Configuring Additional Security
Configuration Examples for AutoSecure
AutoSecure Configuration Dialogue: Example
Feature Information for AutoSecure
AutoSecure
First Published: September 27, 2007Last Updated: October 14, 2009The AutoSecure feature uses a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration on the router.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for AutoSecure" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Configuration Examples for AutoSecure
•
Restrictions for AutoSecure
The AutoSecure feature should be used in a test environment and not in production networks.
Information About AutoSecure
To configure the AutoSecure feature, you should understand the following concepts:
Benefits of AutoSecure
Simplified Router Security Configuration
AutoSecure is valuable to customers without special Security Operations Applications because it allows them to quickly secure their network without thorough knowledge of all the Cisco IOS features.
This feature eliminates the complexity of securing a router by creating a new CLI that automates the configuration of security features and disables certain features enabled by default that could be exploited for security holes.
Enhanced Password Security
AutoSecure provides the following mechanisms to enhance security access to the router:
•
To configure a minimum password length, use the security passwords min-length command.
•
To configure the number of allowable unsuccessful login attempts (the threshold rate), use the security passwords min-length command.
Roll-Back and System Logging Message Support
In Cisco IOS Release 12.3(8)T, support for roll-back of the AutoSecure configuration is introduced. Roll-back enables a router to revert back to its preautosecure configuration state if the AutoSecure configuration fails.
Note
System Logging Messages capture any changes or tampering of the AutoSecure configuration that were applied on the running configuration. That is, more detailed audit trail information is provided when autosecure is executed.
Secure Management Plane
Securing the management plane is one of two focus areas for the AutoSecure feature. (The other focus area is described in the following section, "Secure Forwarding Plane.") Securing the management plane is done by turning off certain global and interface services that can be potentially exploited for security attacks and turning on global services that help mitigate the threat of attacks. Secure access and secure logging are also configured for the router.
Caution
The following subsections define how AutoSecure helps to secure the management plane:
•
Disable Global Services
After enabling this feature (via the auto secure command), the following global services will be disabled on the router without prompting the user:
•
•
•
•
•
Note
•
•
Caution
•
•
Disable Per Interface Services
After enabling this feature, the following per interface services will be disabled on the router without prompting the user:
•
•
•
•
•
•
Enable Global Services
After enabling this feature, the following global services will be enabled on the router without prompting the user:
•
•
Secure Access to the Router
Caution
After enabling this feature, the following options in which to secure access to the router are available to the user:
•
Authorized access onlyThis system is the property of ABC EnterpriseDisconnect IMMEDIATELY if you are not an authorized user!Contact abc@xyz.com +99 876 543210 for help.•
•
•
–
–
Note
•
Log for Security
After this feature is enabled, the following logging options, which allow you to identify and respond to security incidents, are available:
•
•
For more information on login system messages, see the Cisco IOS Release 12.3(4)T feature module Cisco IOS Login Enhancements.
•
•
•
Secure Forwarding Plane
To minimize the risk of attacks on the router forward plane, AutoSecure provides the following functions:
•
Note
•
•
•
Note
How to Configure AutoSecure
This section contains the following procedures:
•
•
•
Configuring AutoSecure
To configure AutoSecure, you must perform the following tasks.
The auto secure Command
The auto secure command takes you through a semi-interactive session (also known as the AutoSecure dialogue) to secure the management and forwarding planes. This command gives you the option to secure just the management or the forwarding plane; if neither option is selected, the dialogue will ask you to configure both planes.
This command also allows you to go through all noninteractive configuration portions of the dialogue before the interactive portions. The noninteractive portions of the dialogue can be enabled by selecting the optional no-interact keyword.
Caution
Restrictions
The AutoSecure configuration can be configured at run time or setup time. If any related configuration is modified after AutoSecure has been enabled, the AutoSecure configuration may not be fully effective.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuring Additional Security
Perform the following task to enable enhanced security access to your router.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Verifying AutoSecure
To verify that the AutoSecure feature is working successfully, perform the following optional steps:
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for AutoSecure
This section provides the following configuration example:
•
AutoSecure Configuration Dialogue: Example
The following example is a sample AutoSecure dialogue. After you enable the auto secure command, the feature will automatically prompt you with a similar dialogue unless you enable the no-interact keyword. (For information on which services are disabled and which features are enabled, see the sections, "Secure Management Plane" and "Secure Forwarding Plane" earlier in this document.)
Router# auto secure--- AutoSecure Configuration ---*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.At any prompt you may enter '?' for help.Use ctrl-c to abort this session at any prompt.Gathering information about the router for AutoSecureIs this router connected to internet? [no]:yEnter the number of interfaces facing internet [1]:Interface IP-Address OK? Method StatusProtocolFastEthernet0/1 10.1.1.1 YES NVRAM up downFastEthernet1/0 10.2.2.2 YES NVRAM up downFastEthernet1/1 10.0.0.1 YES NVRAM up upLoopback0 unassigned YES NVRAM up upFastEthernet0/0 10.0.0.2 YES NVRAM up downEnter the interface name that is facing internet:FastEthernet0/0Securing Management plane services..Disabling service fingerDisabling service padDisabling udp & tcp small serversEnabling service password encryptionEnabling service tcp-keepalives-inEnabling service tcp-keepalives-outDisabling the cdp protocolDisabling the bootp serverDisabling the http serverDisabling the finger serviceDisabling source routingDisabling gratuitous arpEnable secret is either not configured or is same as enable passwordEnter the new enable secret:abc123Configuring aaa local authenticationConfiguring console, Aux and vty lines forlocal authentication, exec-timeout, transportConfigure SSH server? [yes]:Enter the domain-name:example.comConfiguring interface specific AutoSecure servicesDisabling the following ip services on all interfaces:no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyDisabling mop on Ethernet interfacesSecuring Forwarding plane services..Enabling CEF (it might have more memory requirements on some low endplatforms)Enabling unicast rpf on all interfaces connected to internetConfigure CBAC Firewall feature? [yes/no]:yesThis is the configuration generated:no service fingerno service padno service udp-small-serversno service tcp-small-serversservice password-encryptionservice tcp-keepalives-inservice tcp-keepalives-outno cdp runno ip bootp serverno ip http serverno ip fingerno ip source-routeno ip gratuitous-arpsno ip identdsecurity passwords min-length 6security authentication failure rate 10 logenable secret 5 $1$CZ6G$GkGOnHdNJCO3CjNHHyTUA.aaa new-modelaaa authentication login local_auth localline console 0login authentication local_authexec-timeout 5 0transport output telnetline aux 0login authentication local_authexec-timeout 10 0transport output telnetline vty 0 4login authentication local_authtransport input telnetip domain-name example.comcrypto key generate rsa general-keys modulus 1024ip ssh time-out 60ip ssh authentication-retries 2line vty 0 4transport input ssh telnetservice timestamps debug datetime localtime show-timezone msecservice timestamps log datetime localtime show-timezone mseclogging facility local2logging trap debuggingservice sequence-numberslogging console criticallogging bufferedint FastEthernet0/1no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabledint FastEthernet1/0no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabledint FastEthernet1/1no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabledint FastEthernet0/0no ip redirectsno ip proxy-arpno ip unreachablesno ip directed-broadcastno ip mask-replyno mop enabledip cefinterface FastEthernet0/0ip verify unicast reverse-pathip inspect audit-trailip inspect dns-timeout 7ip inspect tcp idle-time 14400ip inspect udp idle-time 1800ip inspect name autosec_inspect cuseeme timeout 3600ip inspect name autosec_inspect ftp timeout 3600ip inspect name autosec_inspect http timeout 3600ip inspect name autosec_inspect rcmd timeout 3600ip inspect name autosec_inspect realaudio timeout 3600ip inspect name autosec_inspect smtp timeout 3600ip inspect name autosec_inspect tftp timeout 30ip inspect name autosec_inspect udp timeout 15ip inspect name autosec_inspect tcp timeout 3600access-list 100 deny ip any anyinterface FastEthernet0/0ip inspect autosec_inspect outip access-group 100 in!endApply this configuration to running-config? [yes]:yesApplying the config generated to running-configThe name for the keys will be:ios210.example.com% The key modulus size is 1024 bits% Generating 1024 bit RSA keys ...[OK]Router#Additional References
The following sections provide references related to the AutoSecure feature.
Related Documents
Login functionality (such as login delays and login blocking periods)
"Cisco IOS Login Enhancements" feature module
Additional information regarding router configuration
Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.4T
Additional router configuration commands
Cisco IOS Configuration Fundamentals Command Reference Guide
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
RFC 1918
Address Allocation for Private Internets
RFC 2267
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
Technical Assistance
Feature Information for AutoSecure
Table 1 lists the features in this module and provides links to specific configuration information.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.
