Cisco AutoSecure Feature [Routers – Management Plane]

Let’s break it down, I heard about this feature not too long ago and just wanted to take the time to take a look at it and see what is it all about. In the mean time, I’m rebuilding all my U VMs because I created a new topology (CCIE Collaboration LAB on November 26th), but more on that later.
Network needs to be secured, that is what we keep hearing from customers/clients everywhere, and why not make it easier to use and apply.

Looking at the following link to get a bit more of information on the topic:
http://www.cisco.com/c/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper09186a00801dbf61.html

In case you need to determine if your device supports this feature make sure to take a look at the Cisco Feature Navigator and look up by Feature:
http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

**We will be looking at the configuration from a router perspective

What Cisco AutoSecure Does?
Cisco AutoSecure looks to address to secure your Management and Forwarding Plane of your device.
Basically it disables services that are often not used, insecure interfaces and administrative access. It also enables CEF (Cisco Express Forwarding)

What are AutoSecure Modes?
Based on the With paper AutoSecure supports interactive and non-interactive modes… So what does that mean?
Just at it sounds, Interactive mode prompts the user on a different sets of options and the user selects what he/she considers is a good idea to have in order to secure the device. Non-intercative mode is a default set mode based on best practices.

Now lets look at the syntax and play a bit with Interactive Mode a bit:
From EXEC mode on your router type:


 R1#auto secure ?
  firewall     AutoSecure Firewall
  forwarding   Secure Forwarding Plane
  full         Interactive full session of AutoSecure
  login        AutoSecure Login
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  ntp          AutoSecure NTP
  ssh          AutoSecure SSH

Lets play with the Management first and see what is all that about:
On this command I just hit enter when it asked me if my router was connected to the Internet, the default was no:


R1#auto secure management full
        --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

The system shows different disabled services and it encourages you to create a login Banner, a good practice that I have seen very smart Engineers use. Here is the result or the services disabled:


Securing Management plane services...


Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.


Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged. Any violations of access policy will result
  in disciplinary action.

Enter the security banner {Put the banner between
k and k, where k is any character}:

After you finish dealing with this part it will ask you to create a new Enable Secret


Enter the new enable secret:
Confirm the enable secret :

We noticed that the Enable secret has a password complexity, the old Cisco123 is not liked by the new AutoSecure, lets come up with a more secure one:


Enter the new enable secret:
Confirm the enable secret :
Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password:
Confirm the enable password:

Now after you enter the Enable Secret it will ask you more questions, it will ask you about the Admin user of the router, the maximum time the console/TTY lines will be inactive if it detects a login attack is occurring, the timeout of inactivity. SSH, a hostname and a domain name.


Configuration of local user database
Enter the username: admin
Enter the password:
Confirm the password:
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 10

Maximum Login failures with the device: 10

Maximum time period for crossing the failed login attempts: 10

Configure SSH server? [yes]: yes
Enter the hostname: r1-autosecure
Enter the domain-name: collabengineer.com

This is what happens when if starts building the configuration:


Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

This is the configuration generated:


no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^CThis system is the property of So-&-So-Enterprise.
  UNAUT
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$I8Xj$VlmBfjtLbbiYzle9ASnFS0
enable password 7 12361716010E0A0A0A7A
username admin password 7 10611B18161214052C55
aaa new-model
aaa authentication login local_auth local
line con 0
 login authentication local_auth
 exec-timeout 5 0
transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
login block-for 10 attempts 10 within 10
hostname r1-autosecure
ip domain-name collabengineer.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
end

Apply this configuration to running-config? [yes]:

And is very kind to ask you if you want to apply the configuration…

Applying the config generated to running-config


R1#
*Mar  1 00:19:51.415: %AUTOSEC-5-ENABLED: AutoSecure is configured on the device
R1#

Now, as a very useful command on the router we just applied AutoSecure, you can use the following:

R1#sh auto secure config

I hope this gives you ideas on how to use this nice feature, from any routers you can go ahead and run AutoSecure for the following:


R1#auto secure ?
  firewall     AutoSecure Firewall
  forwarding   Secure Forwarding Plane
  full         Interactive full session of AutoSecure
  login        AutoSecure Login
  management   Secure Management Plane
  no-interact  Non-interactive session of AutoSecure
  ntp          AutoSecure NTP
  ssh          AutoSecure SSH
  <cr>

Thank you

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s