Last month Cisco announced a Cisco IOS TCP Denial of Service Vulnerability. What is more notable than the vulnerability itself (limited only to release 15.1(2)T and concerning the TCP state table being “stuck” in SYNSENT or SYNRCVD states) is the reference cited as a guide for hardening of the IOS on the router.
Immediately upon downloading the pdf officially entitled “Cisco Guide to Harden IOS Devices”, you’ll realize that this is a 60+ page document! The guide opens with a brief introduction to secure operations, necessary because of all the network-layer devices on which security is implemented. (The router has the weakest defaults; no access-controls for packet throughput, unrestricted access to management ports, etc.). Since security appliances such as the ASA and the IPS sensor are hardened by default, many of the recommendations stated in this guide are not relevant to these devices.
The notes regarding authentication, authorization, and accounting (AAA) along with centralized log management are excellent recommendations for many organizations today who find themselves accountable to auditing requirements (PCI-DSS, COBIT, etc). The introduction concludes with the importance of configuration management.
The remainder of the document outlines in considerable detail the three components of Network Foundation Protection, a concept covered in the Securing Networks with Routers and Switches (SNRS) training class:
- Management Plane: ensuring the router is being managed securely (passwords, authentication, encryption, limited IP-based access w ACLs)
- Control Plane: preventing CPU overload via denial-of-service by setting thresholds, securing routing protocols and limiting receipt of certain message types
- Data Plane: setting up transit access-control lists, anti-spoofing protection and preventing “poisoning” attacks by using port security, PACLs (port access-lists), ARP inspection and other techniques
At the end of the document is a brief discussion of NetFlow, which, when optimally used can provide not only an accurate profile of router traffic flow statistics but also indicate network anomalies. An earlier article was written about the various versions of NetFlow among Cisco devices. While the Cisco MARS appliance is an excellent NetFlow collector, it is limited to NetFlow versions 5 and 7. Both of these are well-supported on the router while the ASA only supports the newer Netflow version 9.
Author: Doug McKillip