Router Security Configuration Guide

Report Number: C4-040R-02




Router Security
Configuration Guide
Principles and guidance for secure configuration of IP routers,
with detailed instructions for Cisco Systems routers


Router Security Guidance Activity
of the
System and Network Attack Center (SNAC)
December 15, 2005
Version: 1.1c

Authors:
Vanessa Antoine
Raymond Bongiorni
Anthony Borza
Patricia Bosmajian
Daniel Duesterhaus
Michael Dransfield
Brian Eppinger
Kevin Gallicchio
Stephen Hamilton
James Houser
Andrew Kim
Phyllis Lee
Brian McNamara
Tom Miller
David Opitz
Florence Richburg
Michael Wiacek
Mark Wilson
Neal Ziring

National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704







Warnings
This document is only a guide to recommended security settings for Internet Protocol
(IP) routers, particularly routers running Cisco Systems Internet Operating System
(IOS) versions 11.3 through 12.4. It cannot replace well-designed policy or sound
judgment. This guide does not address site-specific configuration issues. Care must
be taken when implementing the security steps specified in this guide. Ensure that
all security steps and procedures chosen from this guide are thoroughly tested and
reviewed prior to imposing them on an operational network.

SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This document is current as of October, 2005. The most recent version of this
document may always be obtained through http://www.nsa.gov/.

Acknowledgements
The authors would like to acknowledge Daniel Duesterhaus, author of the original
NSA “Cisco Router Security Configuration Guide,” and the management and staff of
the Applications and Architectures division for their patience and assistance with the
initial development of this guide. Special thanks also go to Ray Bongiorni for quality
assurance and editorial work, and to Julie Martz and Kathy Jones for proof-reading
assistance. Additional contributors to the guide effort include Andrew Dorsett,
Charles Hall, Scott McKay, and Jeffrey Thomas. Thanks must also be given to the
dozens of professionals outside NSA who made suggestions for the improvement of
this document, especially George Jones, John Stewart, and Joshua Wright.

Trademark Information
Cisco, IOS, and CiscoSecure are registered trademarks of Cisco Systems, Inc. in the
USA and other countries. Windows 2000 and Windows XP are registered trademarks
of Microsoft Corporation in the USA and other countries. All other names are
trademarks or registered trademarks of their respective companies.

Revision History
1.0 Sep 2000 First complete draft, extensive internal review.
1.0b Oct 2000 Revised after review by Ray Bongiorni
1.0f Mar 2001 Second release version: second pre-pub review
1.0g Apr 2001 Third release version: incorporated external feedback.
1.0h Aug 2001 Fourth release version; another QA review.
1.0j Nov 2001 Fifth release version.
1.0k Mar 2002 Last release of 1.0, another pre-pub review.
1.1 Sep 2002 Major revision and expansion, another pre-pub review
1.1b Dec 2003 Minor revision, corrections, additions, fixed links
1.1c Dec 2005 Updated, fixed inconsistencies, checked links








Contents

Preface

1. Introduction
1.1. The Roles of Routers in Modern Networks
1.2. Motivations for Providing Router Security Guidance
1.3. Typographic and Diagrammatic Conventions Used in this Guide
1.4. Structural Overview

2. Background and Review
2.1. Review of TCP/IP Networking
2.2. TCP/IP and the OSI Model
2.3. Review of IP Routing and IP Architectures
2.4. Basic Router Functional Architecture
2.5. Review of Router-Relevant Protocols and Layers
2.6. Quick “Review” of Attacks on Routers
2.7. References

3. Router Security Principles and Goals
3.1. Protecting the Router Itself
3.2. Protecting the Network with the Router
3.3. Managing the Router
3.4. Security Policy for Routers
3.5. References

4. Implementing Security on Cisco Routers
4.1. Router Access Security
4.2. Router Network Service Security
4.3. Access Control Lists, Filtering, and Rate Limiting
4.4. Routing and Routing Protocols
4.5. Audit and Management
4.6. Security for Router Network Access Services
4.7. Collected References

5. Advanced Security Services
5.1. Role of the Router in Inter-Network Security
5.2. IP Network Security
5.3. Using SSH for Remote Administration Security
5.4. Using a Cisco Router as a Firewall
5.5. Cisco IOS Intrusion Detection
5.6. References

6. Testing and Security Validation
6.1. Principles for Router Security Testing
6.2. Testing Tools
6.3. Testing and Security Analysis Techniques
6.4. Using the Router Audit Tool
6.5. References

7. Additional Issues in Router Security
7.1. Routing and Switching
7.2. IPv6
7.3. ATM and IP Routing
7.4. Multi-Protocol Label Switching (MPLS)
7.5. IPSec and Dynamic Virtual Private Networks
7.6. Tunneling Protocols and Virtual Network Applications
7.7. IP Quality of Service (QoS) and RSVP
7.8. Secure DNS
7.9. References

8. Appendices
8.1. Top Ways to Quickly Improve the Security of a Cisco Router
8.2. Application to Ethernet Switches and Related Non-Router Network Hardware
8.3. Overview of Cisco IOS Versions and Releases
8.4. Glossary of Router Security-related Terms

9. Additional Resources
9.1. Bibliography
9.2. Web Site References
9.3. Tool References

Index



