Lab 5.

2 Securing a Router with Cisco AutoSecure

Learning Objectives
• Implement Cisco AutoSecure on a router

Topology Diagram

Scenario

In this scenario, you will configure Cisco AutoSecure on a router. AutoSecure is

a built-in tool in the Cisco IOS that uses a predefined set of commands for
securing the router based on questions answered by the network administrator.
The AutoSecure command set resembles some of the commands implemented
by Cisco Service Device Manager (SDM) one-step lockdown in Lab 5.1.

Step 1: Configure the Physical Interface

Configure the R1 physical interface using the IP address shown in the topology
diagram. You can force the interface into an “always up” state using the
interface-level no keepalive command. Then use the no shutdown command
to bring the interface up. Because you disabled keepalives, the interface status
will display as link state (Layer 1) and line protocols state (Layer 2) “up,” even if
it is not connected to an external device.
R1(config)# interface fastethernet0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# no keepalive
R1(config-if)# no shutdown

Normally, you would not use the no keepalive command on a routed interface.

Step 2: Configure AutoSecure

At the privileged EXEC prompt, issue the auto secure command to start
AutoSecure. You may notice that this command is hidden from the Cisco IOS
in-line help system. It is hidden because AutoSecure can lock out network

1-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 administrators if executed by a user who has gained unauthorized access to a
router. AutoSecure is a command-line wizard that enables a set of features in
the router’s configuration. Its function is similar to SDM one-step lockdown;
however, its functionality is text-based and more interactive.
R1# auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Use the default of no to answer the question “Is this router connected to
internet?” To enter in a default (the value in the square brackets), press Enter
on your keyboard. After Enter is pressed, AutoSecure executes some
prepackaged security precaution commands. These are commands that disable
services that are typically not needed. AutoSecure also enables several
security features.
Is this router connected to internet? [no]: no

Securing Management plane services...

Disabling service finger

Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server

Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

What is the function of each of the following system services and IP servers?

1. Finger

2. TCP small servers

2-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 3. UDP small servers

4. Password encryption

5. TCP keepalives

6. CDP

7. BOOTP Server

8. HTTP Server

9. Gratuitous ARP

The following prompt appears, requesting that you create a security banner:
Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only

This system is the property of So-&-So-Enterprise.
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged. Any violations of access policy will result
in disciplinary action.

Enter the security banner {Put the banner between

k and k, where k is any character}:
~CCNP Router
UNAUTHORIZED ACCESS PROHIBITED~

What should your security banner emphasize and why?

To create a security banner, you need to enter a delimiting character, followed

by your message, followed by the delimiting character. The character must be a
character that your message will not contain. Once this character is found again

3-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 in the field, the message context will terminate. In the example below, the tilde
character (~) is used as the delimiter.

If you have not previously configured enable passwords and enable secrets, or
if both the enable pass and the enable secret password are the same,
AutoSecure will force you to create them. AutoSecure also enforces a 6-
character minimum length on passwords, so create them based on that
requirement. This lab will use “password” for the enable password and “secret”
for the enable secret to meet the minimum length practices.
Enable secret is either not configured or
is the same as enable password
Enter the new enable secret: secret
Confirm the enable secret : secret
Enter the new enable password: password
Confirm the enable password: password

Create a new user in the local user database, because AutoSecure enables
AAA and uses local authentication. Use a username and password of
“ciscouser”.
Configuration of local user database
Enter the username: ciscouser
Enter the password: ciscouser
Confirm the password: ciscouser
Configuring AAA local authentication
Configuring Console, Aux and VTY lines for
local authentication, exec-timeout, and transport

The router will also enable some login enhancements, which it will need some
parameters for. Use a blocking period of 10 seconds, a maximum failure
number of 5, and a maximum time period for crossing failed login attempts of
10.
Securing device against Login Attacks
Configure the following parameters

Blocking Period when Login Attack detected: 10

Maximum Login failures with the device: 5

Maximum time period for crossing the failed login attempts: 10

The router will configure a Secure Shell (SSH) server, which will require a
domain name. Use “cisco.com” as the domain name.
Configure SSH server? [yes]: yes
Enter the domain-name: cisco.com

Why does AutoSecure enable Secure Shell?

4-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 AutoSecure disables some unneeded or potentially vulnerable services on each
physical interface. You are prompted to enable Context-Based Access Control
and TCP intercept. For this lab, type no to not configure these services.
Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:

no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)
Enabling unicast rpf on all interfaces connected
to internet

Configure CBAC Firewall feature? [yes/no]: no

Tcp intercept feature is used prevent tcp syn attack
on the servers in the network. Create autosec_tcp_intercept_list
to form the list of servers to which the tcp traffic is to
be observed

Enable tcp intercept feature? [yes/no]: no

From your reading, what function does “enabling unicast rpf on all interfaces
connected to the internet” serve?

The last step AutoSecure does is verify the configuration that it is going to add.
After AutoSecure shows you the running configuration it has generated,
AutoSecure asks you to verify that you want to apply the running configuration.
Use the default of yes.
This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server

5-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
banner motd ^CCCNP Router
UNAUTHORIZED ACCESS PROHIBITED^C
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$d7wX$kb5JYyFOQmSRWVpW8iitA.
enable password 7 095C4F1A0A1218000F
username ciscouser password 7 02050D4808091A32495C
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 10 attempts 5 within 10
ip domain-name cisco.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
interface Serial0/0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/0/1
no ip redirects

6-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
interface Serial0/1/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
ip cef
access-list 100 permit udp any any eq bootpc
!
end

When the router asks you to accept this configuration so it can be applied to the
router, answer yes.
Apply this configuration to running-config? [yes]: yes

Applying the config generated to running-config

The name for the keys will be: R1.cisco.com

% The key modulus size is 1024 bits

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Feb 6 01:03:52.694: %SSH-5-ENABLED: SSH 1.99 has been enabled

*Feb 6 01:03:57.250 UTC: %AUTOSEC-1-MODIFIED: AutoSecure configuration has
been Modified on this device

How does the router generate the name for the public crypto keys shown in the
preceding configuration text?

Final Configuration
R1# show run
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical

7-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc
 enable secret 5 $1$d7wX$kb5JYyFOQmSRWVpW8iitA.
enable password 7 095C4F1A0A1218000F
!
aaa new-model
!
aaa authentication login local_auth local
!
no ip source-route
no ip gratuitous-arps
!
ip cef
!
no ip bootp server
ip domain name cisco.com
ip ssh time-out 60
ip ssh authentication-retries 2
login block-for 10 attempts 5 within 10
!
username ciscouser password 7 02050D4808091A32495C
archive
log config
logging enable
!
interface FastEthernet0/0
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no keepalive
no mop enabled
no shutdown
!
no ip http server
no ip http secure-server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
banner motd ^CCCNP Router
UNAUTHORIZED ACCESS PROHIBITED^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet ssh
end

8-8 CCNP: Implementing Secure Converged Wide-area Networks v5.0 - Lab 5-2 Copyright © 2007, Cisco Systems, Inc