Securing Network Devices

Securing outgoing network traffic and inspecting incoming traffic are critical elements of network defense. The edge router, which connects the internal network to the outside world, must be hardened as the first step in securing the infrastructure.

Device hardening is a fundamental task that cannot be ignored. This includes physically protecting the router and securing administrative access through the Cisco IOS command-line interface (CLI). Current best practices involve using strong and encrypted passwords, disabling unused accounts, enabling Secure Shell (SSH) instead of Telnet, and applying role-based access control (RBAC) to limit privileges based on user responsibilities.

Protecting management and monitoring features is equally important. Administrators should configure secure syslog for logging, implement Simple Network Management Protocol version 3 (SNMPv3) for encrypted and authenticated device management, and enable Network Time Protocol (NTP) with authentication to ensure accurate and trusted time synchronization across devices.

Many older router services may still be enabled by default but are unnecessary in today’s environments. Disabling unneeded services helps reduce the attack surface. Cisco IOS includes the auto secure command, which can be used to automatically apply a baseline of security settings and streamline the hardening process.

Practical labs are essential for mastering these skills. A lab on Securing the Router for Administrative Access walks learners through password best practices, configuring login banners, enabling SSH, setting up RBAC with CLI views, and using Cisco IOS Resilient Configuration to protect router images and configuration files. Syslog and SNMPv3 are then added for secure monitoring, and AutoSecure is used to quickly apply recommended security configurations.

A Packet Tracer activity, Configure Cisco Routers for Syslog, NTP, and SSH, reinforces these concepts in a simulated environment. Learners configure routers with NTP, syslog, timestamped logs, local user accounts, RSA key pairs for SSH, and exclusive SSH access. They also practice connecting securely to routers using SSH clients from both Cisco devices and end-user systems.

Securing the Edge Router

Securing outgoing and incoming traffic is a critical part of protecting modern networks. The first step is securing the edge router, which connects the internal network to the outside world. This router must be configured using strong security practices to minimize exposure to threats.

Device hardening through the Cisco IOS CLI is essential. Best practices include setting strong passwords, encrypting them, and restricting administrative access. For example:


Router(config)# enable secret STRONGpassword123
Router(config)# service password-encryption
Router(config)# banner motd #Unauthorized access is prohibited!#

Secure Shell (SSH) should replace insecure protocols such as Telnet. To enable SSH, configure domain information, generate RSA keys, and create local user accounts:


Router(config)# ip domain-name example.com
Router(config)# crypto key generate rsa modulus 2048
Router(config)# username admin privilege 15 secret AdminPass!
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# login local

Role-based CLI views can define different levels of access for administrators. AAA must be enabled first, and views are created from the root view (enter it with enable view, supplying the enable secret). Example:


Router(config)# aaa new-model
Router(config)# end
Router# enable view
Router# configure terminal
Router(config)# parser view NETADMIN
Router(config-view)# secret NetAdmin123
Router(config-view)# commands exec include all show
Router(config-view)# exit
Router(config)# username admin view NETADMIN secret Admin123

Management plane security is equally important. Syslog should be configured with reliable timestamps, and NTP should keep device clocks synchronized:


Router(config)# service timestamps log datetime msec
Router(config)# logging 192.168.1.50
Router(config)# ntp server 192.168.1.100

SNMP should be restricted to secure versions or disabled if not required. Example for SNMPv3:


Router(config)# snmp-server group SECURE v3 priv
Router(config)# snmp-server user snmpadmin SECURE v3 auth sha AuthPass! priv aes 128 PrivPass!

Unnecessary services should be disabled. For example:


Router(config)# no cdp run
Router(config)# no ip http server

The auto secure command can also assist by automating the process of disabling insecure services and enforcing stronger defaults:


Router# auto secure

Hands-on practice should include configuring passwords, SSH, role-based CLI views, Syslog, and NTP. These tasks form the foundation for securing the network edge and ensuring accountability in network management.

               Internet (Untrusted)
                        |
                 [ Edge Router ]
                  /      |      \
     Admin Access |   Logging    |   NTP
     via SSH ---->|   (Syslog)   |<---> Time Server
                  |
           Internal LAN (Trusted)

Configuring Secure Administrative Access

Attackers use many methods to steal or guess administrative passwords, including:

  • Shoulder surfing (looking over an admin’s shoulder)
  • Sniffing plaintext configuration files (e.g., TFTP transfers)
  • Brute force password cracking with tools like Cain & Abel

Strong password practices reduce these risks:

  • Use 10+ characters (the longer, the better)
  • Mix upper/lowercase, numbers, and special characters
  • Avoid dictionary words, sequences, or personal info
  • Consider pass phrases with spaces (e.g., Th3 B3st P@ss Ever!)
  • Change passwords regularly
  • Never write them down or leave in visible places

1. Enable Secret Password

The enable secret password protects privileged EXEC mode. It is stored as a one-way hash (Type 5, a salted MD5-based hash, on the IOS releases this course covers; newer releases add Type 8, PBKDF2-SHA-256, and Type 9, scrypt), which makes it stronger than enable password, whose value is stored in plaintext or as reversible Type 7.

Router(config)# enable secret Str0ngPass123!

2. Console Line Password

By default, console access does not require a password. Secure it with:

 
Router(config)# line console 0 
Router(config-line)# password C0ns0lePass! 
Router(config-line)# login

3. VTY Line Passwords (Telnet/SSH)

Secure all virtual terminal lines (0–4 on most routers; some platforms have 0–15, so check show line and secure every vty):


Router(config)# line vty 0 4  
Router(config-line)# password VTYpass! 
Router(config-line)# login

Prefer SSH over Telnet:


Router(config)# ip domain-name example.com 
Router(config)# crypto key generate rsa modulus 2048 
Router(config)# username admin secret SSHp@ssw0rd  
Router(config)# line vty 0 4  
Router(config-line)# login local  
Router(config-line)# transport input ssh

4. Auxiliary Line Password

Secure the AUX line (commonly used with dial-up modems):


Router(config)# line aux 0 
Router(config-line)# password AUXp@ss123 
Router(config-line)# login

5. Enforce Strong Passwords

Minimum password length (IOS 12.3+):


Router(config)# security passwords min-length 10

Example error for short password:

Password too short - must be at least 10 characters.

6. Disable Unattended Sessions

Use exec-timeout to log users out automatically after inactivity (minutes, then seconds; the default is 10 minutes, and 0 0 disables the timeout entirely):


Router(config)# line console 0 
Router(config-line)# exec-timeout 2 0    ! 2 minutes, 0 seconds

Disable EXEC completely on AUX if not needed:


Router(config)# line aux 0 
Router(config-line)# no exec

7. Encrypt All Passwords

By default, most line passwords are stored in plaintext. Use:

Router(config)# service password-encryption

⚠️ Note: service password-encryption applies Type 7 encoding, which is reversible (the XOR key it uses has been public for decades), so it only stops casual reading of the configuration. Always prefer enable secret and username ... secret, which store a one-way hash (Type 5 MD5-based on the releases covered here; Type 8/9 on newer IOS).
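To make that weakness concrete, the following added example (not part of the original page and not a Cisco tool) reverses Type 7 strings with the fixed, long-published XOR key and scans a constructed running-config fragment for them; it also includes the forward transform so the round trip can be checked offline. The sample configuration, the Type 5 placeholder hash in it, and the seed choice are constructed for illustration.

```python
import re

# Fixed key used by IOS Type 7 encoding; published since the 1990s, so the
# transform is reversible by anyone who can read the configuration.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: two decimal digits give the key offset, the
    rest is the password XORed byte-by-byte with the key, written as hex."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a well-formed Type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Forward direction (what 'service password-encryption' does), kept here
    so the round trip can be checked; IOS chooses the seed itself."""
    data = plain.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


# Type 7 strings appear as 'password 7 <hex>' (lines, usernames) and as
# '<hex> 7' after an NTP or key-chain key.  Type 5 ('secret 5 $1$...') is a
# one-way hash and is deliberately not matched.
TYPE7_PATTERNS = [
    re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)"),
    re.compile(r"\bmd5 ([0-9A-Fa-f]+) 7\b"),
]


def find_type7(config: str) -> list[tuple[str, str]]:
    """Return (config line, recovered plaintext) for every Type 7 string found."""
    hits = []
    for line in config.splitlines():
        for pattern in TYPE7_PATTERNS:
            m = pattern.search(line)
            if m:
                hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$constructed$placeholderhash0000000000
username helpdesk password 7 0822455D0A16
ntp authentication-key 1 md5 0822455D0A16 7
line con 0
 password 7 0822455D0A16
 login
"""

if __name__ == "__main__":
    for line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{line:45} -> {plain}")
```

Every Type 7 string in the fragment decodes instantly, while the enable secret line is left alone because a Type 5 hash cannot be reversed this way; that asymmetry is the whole reason to use secret rather than password.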

8. Local User Database

Instead of line passwords, configure local users with hashed secrets (username ... secret, not username ... password):


Router(config)# username admin secret L0calSshPass!  
Router(config)# line vty 0 4  
Router(config-line)# login local

Authentication Flow Diagram
       +-------------------+
       |  Admin Access     |
       +-------------------+
        |       |        |    
      Console  VTY      AUX
        |       |        |
        v       v        v
 [ Line Passwords or Local User Accounts ]
                |
         +---------------+
         | enable secret |
         +---------------+
                |
        Privileged EXEC Mode

Cisco IOS Login Security Enhancements

Why?
Even with passwords configured, routers can be targeted by DoS or dictionary attacks that flood login attempts and block legitimate administrators. Cisco IOS provides login enhancements to slow attacks, temporarily block repeated failures, and log activity for auditing.

Key features

  • Delay between successive login attempts
  • Temporary block (quiet mode) after repeated failures
  • Allow trusted admin hosts during quiet mode via ACL
  • Log failed (and optionally successful) login attempts

Quick CLI: Configure login protections


Router# configure terminal
Router(config)#

! Block logins when there are too many failures.
! Example: enter quiet mode for 120 seconds after 3 failed attempts within 60 seconds.
! This must be configured before login quiet-mode access-class; it also enables a
! default 1-second delay between attempts.
Router(config)# login block-for 120 attempts 3 within 60

! Create an ACL of trusted admin hosts
Router(config)# ip access-list standard ADMIN-HOSTS
Router(config-std-nacl)# permit 192.168.1.10
Router(config-std-nacl)# permit 192.168.1.11
Router(config-std-nacl)# exit

! Allow those hosts to log in during quiet mode
Router(config)# login quiet-mode access-class ADMIN-HOSTS

! Uniform delay between successive login attempts (seconds)
Router(config)# login delay 2

! Log failed and successful logins to syslog
Router(config)# login on-failure log
Router(config)# login on-success log
Router(config)# end

! Verify status and recent failures (privileged EXEC)
Router# show login
Router# show login failures

Notes

  • The enhanced login features affect virtual logins (Telnet/SSH/HTTP(S)); they do not apply to console lines (console assumed physical access).
  • The login block-for command introduces an automatic delay between attempts and triggers quiet mode when thresholds are exceeded.
  • During quiet mode all logins are blocked except for hosts permitted by the ACL configured with login quiet-mode access-class.
  • Use login delay to increase the time between all successive attempts (failed or successful), which slows brute-force tools.
  • Use login on-failure log and login on-success log to record events in syslog for auditing and alerting.

Banner (legal notice)

Router(config)# banner motd #
Unauthorized access is prohibited.
All activity is logged and monitored.
#

Simple diagram: Login protection flow

Admin Hosts (trusted)     Untrusted Hosts (internet)
       |                         |
       v                         v
   +-------------------------------+
   |        Router / Edge          |
   |  - login enhancements active  |
   |  - login delay / block-for    |
   |  - quiet-mode ACL whitelist   |
   +-------------------------------+
                |
        Logging -> Syslog Server

Quick troubleshooting commands

Router# show login
Router# show login failures
Router# show running-config | section login
Router# show access-lists ADMIN-HOSTS

These settings provide a compact, CLI-focused way to reduce automated password-guessing attacks while allowing trusted administrators continued access during short quiet periods.
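The detection side of these features, as an added example that is not part of the original page or of any Cisco tooling: the Python below parses IOS syslog lines of the %FACILITY-SEVERITY-MNEMONIC form, picks out the SEC_LOGIN failures that login on-failure log produces, re-applies the login block-for 120 attempts 3 within 60 window offline to see whether the router would have entered quiet mode, and attributes the failures to source addresses for the analyst. The log excerpt is constructed to follow the IOS message format (it was not captured from a device), 203.0.113.7 is a documentation-range placeholder for the attacker, and the severity filter mirrors the logging trap threshold described in the logging section later on this page.

```python
import re
from collections import Counter

# Cisco IOS syslog line: optional '*' (clock not authoritative), timestamp,
# then %FACILITY-SEVERITY-MNEMONIC: text.  Severity is 0 (emergency) .. 7 (debug).
SYSLOG_RE = re.compile(
    r"^\*?[A-Z][a-z]{2}\s+\d+\s+(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?:\.\d+)?:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
# Bracketed fields carried by the login-enhancement messages.
FIELD_RE = re.compile(r"\[(user|Source|localport|Reason|ACL): ([^\]]*)\]")


def parse_syslog(line: str):
    """Return a dict for one IOS syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "text": m["text"],
        # seconds since midnight: enough for a same-day window check
        "t": int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]),
    }
    for key, value in FIELD_RE.findall(m["text"]):
        event[key.lower()] = value
    return event


def parse_log(text: str) -> list:
    return [e for e in (parse_syslog(l) for l in text.splitlines()) if e]


def forwarded_by_trap(events: list, trap_level: int) -> list:
    """Mirror 'logging trap <level>': a message reaches the syslog server only
    if its severity number is <= the configured level (lower = more severe)."""
    return [e for e in events if e["severity"] <= trap_level]


def failed_logins(events: list) -> list:
    return [e for e in events if e["facility"] == "SEC_LOGIN" and e["mnemonic"] == "LOGIN_FAILED"]


def quiet_mode_triggered(failures: list, attempts: int = 3, within: int = 60) -> bool:
    """Mirror 'login block-for <secs> attempts <attempts> within <within>':
    the router counts failures from any source, so the window is global."""
    times = sorted(e["t"] for e in failures)
    return any(times[i + attempts - 1] - times[i] <= within
               for i in range(len(times) - attempts + 1))


def failures_by_source(failures: list) -> Counter:
    """Attribution for the SOC: which addresses generated the failures."""
    return Counter(e.get("source", "unknown") for e in failures)


# Constructed log excerpt in IOS format (not captured from a real device).
SAMPLE_LOG = """\
*Mar  1 00:12:31.411: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:31 UTC Fri Mar 1 2024
*Mar  1 00:12:33.902: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:33 UTC Fri Mar 1 2024
*Mar  1 00:12:40.117: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.168.1.10] [localport: 22] at 00:12:40 UTC Fri Mar 1 2024
*Mar  1 00:12:45.006: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 00:12:45 UTC Fri Mar 1 2024
*Mar  1 00:12:45.009: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 46 secs, [user: cisco] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] [ACL: ADMIN-HOSTS] at 00:12:45 UTC Fri Mar 1 2024
*Mar  1 00:13:02.550: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (192.168.1.10)
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    fails = failed_logins(events)
    print("failed logins by source:", dict(failures_by_source(fails)))
    print("would trigger quiet mode:", quiet_mode_triggered(fails))
    print("forwarded at 'logging trap warnings':", len(forwarded_by_trap(events, 4)))
```

Note that the successful login from 192.168.1.10 is logged at severity 5 (notifications), so a server receiving at logging trap warnings (4) would see the failures and the quiet-mode message but not the success; set the trap level to 5 or higher if login on-success log is meant to reach the collector.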

Configure SSH

Remote administrative access requires careful consideration of security. Traditionally, Telnet (TCP port 23) was used, but it sends all traffic in plaintext. Attackers can capture credentials using tools like Wireshark. SSH replaces Telnet, providing encrypted connections on port 22 and ensuring confidentiality and session integrity.

Pre-requisites for SSH
  1. Routers must run Cisco IOS 12.1(1)T or later with a cryptographic image (IPsec DES or 3DES, usually k8 or k9 images).
  2. Each router must have a unique host name.
  3. Each router must use the correct network domain name.
  4. Routers must use local authentication or AAA services for username/password login.
Configuring SSH on Cisco Routers
  1. Set the domain name:
    Router(config)# ip domain-name example.com
  2. Generate RSA keys (1024 bits was the course-era minimum; use 2048 or more on current releases) and verify the key pair. crypto key zeroize rsa deletes the keys and disables SSH, so use it only when you intend to regenerate them:
    Router(config)# crypto key generate rsa general-keys modulus 2048
    Router# show crypto key mypubkey rsa
    Router(config)# crypto key zeroize rsa    ! only to remove the keys before regenerating
  3. Ensure a local user exists:
    Router(config)# username admin secret YourSecretPassword
  4. Enable SSH on vty lines:
    Router(config)# line vty 0 4
    Router(config-line)# login local
    Router(config-line)# transport input ssh
Optional SSH Settings
  • SSH version: ip ssh version 2 (allow only version 2; SSHv1 has known protocol weaknesses)
  • Time allowed to complete authentication, in seconds (maximum 120): ip ssh time-out 120
  • Authentication retries: ip ssh authentication-retries 3

Verify SSH settings with: show ip ssh and check active sessions with show ssh.

Connecting to an SSH-enabled Router
  • From another Cisco router: ssh -l username ip-address
  • From an SSH client (PuTTY, OpenSSH, TeraTerm) running on a host.

Cisco routers can act as both SSH server and client. Once connected, the router can be managed as if using Telnet, but securely.

Using Cisco SDM

SDM can configure SSH and VTY lines:

  • Check RSA key status under: Configure > Additional Tasks > Router Access > SSH
  • Generate RSA keys if not set and configure modulus size (512–2048 bits).
  • Configure VTY lines via: Configure > Additional Tasks > Router Access > VTY

Configuring Privilege Levels

System administrators need secure and controlled access to network devices. Not all employees, even within IT, should have the same access level. Different job functions, such as CIO, Network Administrator, WAN Engineer, Help Desk, etc., require varying access privileges.

Privilege levels in Cisco IOS determine who can connect to a device and which commands they can execute. There are two main levels:

  • User EXEC mode (level 1) – Basic user commands at the Router> prompt.
  • Privileged EXEC mode (level 15) – Full access to all commands at the Router# prompt.

For more granular control, Cisco IOS allows custom privilege levels (2–14) and role-based CLI access.

Assigning Privilege Levels

Custom privilege levels allow administrators to tailor access:

  • Level 1 – Default user access.
  • Level 2–14 – Custom levels for monitoring or limited configuration.
  • Level 15 – Full access.

Commands at lower levels are inherited by higher levels. For example, level 10 users can execute commands from levels 1–10, but not level 11 or higher.

Configuring Privilege Levels and Commands

Assign a command to a specific privilege level, or reset it to its default, with:

Router(config)# privilege mode {level level command | reset command}

Example: privilege exec level 5 show ip route moves show ip route to level 5 and, because the parent keywords are needed to reach it, also makes show and show ip available at that level.

Configuring Privilege Passwords

  • For a level: enable secret level <level> <password>
  • For a user with a specific level: username <name> privilege <level> secret <password>

Example User Accounts

  • USER – Level 1, default access.
  • SUPPORT – Level 5, a custom level for help-desk tasks.

Configuring Role-Based CLI Access

Role-Based CLI provides finer control than privilege levels by restricting exactly which commands are available to specific roles. Introduced in Cisco IOS Release 12.3(11)T, it allows administrators to create customized views of router configurations for different users.

Benefits
  • Security: Limit command access per user and control access to ports, interfaces, and slots, preventing accidental or unauthorized changes.
  • Availability: Reduces risk of downtime by preventing unintentional execution of commands by unauthorized personnel.
  • Operational Efficiency: Users see only relevant commands, making the CLI simpler and easier to navigate.
Types of Views
  • Root View: Full access (like level 15), required to create and modify views.
  • CLI View: Contains a specific set of commands. Views do not inherit commands from other views.
  • Superview: A collection of CLI views. Users assigned to a superview can access commands from all included CLI views. Each superview has a password for switching between views.
Prerequisites

AAA must be enabled:

Router(config)# aaa new-model

Creating and Managing CLI Views

Step 1: Enter root view (the password requested is the enable secret)

enable view
enable view root

Step 2: Create a view (max 15 views excluding root)

parser view <view-name>

Step 3: Assign a secret password (entered in plaintext; IOS stores it hashed)

secret <password>

Step 4: Assign commands to the view


commands exec include show ip interface brief

Step 5: Exit view configuration mode

exit

Creating and Managing Superviews

Step 1: Create a superview

parser view <view-name> superview

Step 2: Assign a secret password (entered in plaintext; IOS stores it hashed)

secret <password>

Step 3: Add existing views

view <view-name>

Step 4: Exit superview configuration mode

exit

Multiple views can be added to a superview, and views can be shared across superviews.

Accessing Views

To log in to an existing view:

enable view <viewname>

Provide the password assigned to that view. Use ? to see available commands.

From the root view, display all views:

show parser view all

Cisco IOS Resilient Configuration

If attackers gain access to a router, they could:

  • Alter traffic flows
  • Change configurations
  • Erase the startup configuration file and Cisco IOS image

Recovery after such events can be time-consuming. The Cisco IOS Resilient Configuration feature allows faster recovery by securing the IOS image and maintaining a secure working copy of the running configuration. The secured image and configuration are collectively called the bootset.

Note:

  • Available only on systems supporting PCMCIA ATA flash interface.
  • Files are hidden from directory listings.
Commands for Resilient Configuration

1. secure boot-image

Secures the Cisco IOS image in flash. Only a console session can disable it, using no secure boot-image (also entered in global configuration mode):

Router(config)# secure boot-image
Router(config)# no secure boot-image

The feature detects image version mismatches and logs a message; after upgrading the image, enter secure boot-image again to update the archived copy.

2. secure boot-config

Creates a secure snapshot of the running configuration in persistent storage:

Router(config)# secure boot-config

The archive is not refreshed automatically: after changing the configuration, run secure boot-config again to take a new snapshot. The archive is hidden from dir output. Verify with:

Router# show secure bootset
Restoring a Secure Bootset

  1. Reload the router: reload
  2. From ROMmon, list the flash contents: dir
  3. Boot the secured image: boot <image-filename>
  4. Enter global configuration mode: conf t
  5. Restore the archived configuration to a file you name: secure boot-config restore <filename>

Password Recovery

Physical access is required for recovery. Steps:

  1. Connect to the console port.
  2. Record configuration register: show version
  3. Power cycle the router.
  4. Within 60 seconds, issue break sequence to enter ROMmon.
  5. Change config register to bypass startup config: confreg 0x2142
  6. Reset router: reset
  7. Skip initial setup (no or Ctrl-C).
  8. Enable privileged mode: enable
  9. Copy startup config into memory: copy startup-config running-config
  10. View passwords: show running-config
  11. Set new enable secret: enable secret <password>
  12. No shutdown interfaces and verify: show ip interface brief
  13. Restore configuration register: config-register 0x2102
  14. Save configuration: copy running-config startup-config
Disabling Password Recovery

Mitigate unauthorized physical access using:

Router(config)# no service password-recovery

This disables the break sequence during boot, and with it ROMmon-based password recovery. A router booting with this command shows: "PASSWORD RECOVERY FUNCTIONALITY IS DISABLED".

If the break sequence is sent within the first 5 seconds of boot, the only option offered is to erase the startup configuration and boot with factory defaults. Ensure a valid IOS image exists in flash before enabling this; otherwise recovery requires reflashing the device with a new image.

Secure Management and Reporting

Secure Network Management

Network administrators must securely manage all devices in a network. In small networks, this is straightforward, but in large enterprises with hundreds of devices, monitoring and managing configurations and logs can be challenging.

Configuration Change Management

Secure management involves tracking configuration changes. It is important to know the state of critical devices and when modifications were last made. Change management policies should define who has access, how unused tools are handled, and how configurations are archived. At a minimum, record changes with authentication systems and save configuration files using FTP or TFTP; both transfer the configuration in plaintext, so confine them to the OOB management network or prefer SCP where the image supports it.

Logging and Reporting

Automated logging and reporting are essential. Logs can include configuration changes, traffic flows, and software installations. Priorities for logging should be set based on input from management, security teams, and the security policy. Most networking devices can send syslog data, which can be analyzed in real time, on demand, or in scheduled reports. Logging levels can be adjusted to ensure only relevant data is collected, and critical devices like IPS may require more attention than Layer 2 switches during incidents.

Protocols for Remote Management

Protocols such as SNMP allow remote monitoring and configuration changes. Management traffic can flow in two ways:

Out-of-band (OOB) – A dedicated management network separate from production traffic.

In-band – Uses the production network, the Internet, or both.

Example Architecture

A network may use an OOB management segment with terminal servers to connect to devices, while the production network handles selective in-band traffic securely via VPNs or encrypted tunnels. Access should be restricted, and only authorized hosts should initiate or terminate management tunnels. Firewalls can permit syslog, SSH, and SNMP traffic from the management network, reducing exposure.

Security Considerations

Because management networks provide broad access, they are attractive targets. Strong access control and network segmentation, such as VLANs or separate LANs, help mitigate risks.

OOB vs. In-band Management

OOB management is generally preferred in large enterprises, though certain scenarios, such as monitoring device reachability, may require secure in-band management. In smaller networks, in-band management can be cost-effective if secure protocols like SSH or IPsec tunnels are used. Temporary firewall openings may be acceptable for short-term management, but they must be closed immediately afterward.

Tool Security

Administrators should also be aware of vulnerabilities in remote management tools like SNMP, which require careful handling.

Network Management Traffic Flow
Out-of-Band (OOB) Management:

Dedicated management network separate from production traffic. Devices connect directly to management hosts via terminal servers or management VLANs.

Management Host ----> OOB Network ----> Network Devices

In-Band Management:

Uses the production network for management traffic. Connections are secured via VPN, SSH, or IPsec tunnels.

Management Host ----> Production Network ----> Network Devices

Implementing Cisco Router Logging

Cisco routers can log information regarding configuration changes, ACL violations, interface status, and many other events. Log messages can be sent to different destinations:

  • Console - Console logging is on by default. Messages appear on the console session.
  • Terminal lines - EXEC sessions on vty lines receive log messages once terminal monitor is issued. Not stored by the router.
  • Buffered logging - Messages stored in router memory; cleared on reload.
  • SNMP traps - Forward events exceeding thresholds to an SNMP server.
  • Syslog - Forward messages to external syslog servers or appliances like Cisco Security MARS for centralized storage and analysis.

Router log messages contain three main parts:

  • Timestamp
  • Log message name and severity level
  • Message text

Syslog Clients and Servers

  • Syslog servers - Accept and process messages from clients.
  • Syslog clients - Routers or devices that generate and forward messages.

Cisco Router Logging Levels (0–7)

  • 0 - Emergencies: System is unusable
  • 1 - Alerts: Immediate action required
  • 2 - Critical: Critical conditions
  • 3 - Errors: Error conditions
  • 4 - Warnings: Warning conditions
  • 5 - Notifications: Normal but significant conditions
  • 6 - Informational: Informational messages
  • 7 - Debugging: Debug-level messages

Configuring Logging via CLI

Step    Command                                Description
1       logging host <IP-address>              Set the destination syslog server (repeat for additional hosts).
2       logging trap <level>                   (Optional) Severity threshold for syslog: messages at this level and more severe (numerically lower) are sent.
3       logging source-interface <interface>   Interface whose IP address appears as the source of syslog packets (a loopback is typical).
4       logging on                             Enable logging to all destinations; without it messages go only to the console.
5       logging console                        Enable console logging (default).
6       logging monitor                        Send log messages to terminal (vty) lines.
7       logging buffered <size>                Store messages in router memory (lost on reload).
8       snmp-server enable traps               Send SNMP traps for thresholds or events.
Verify  show logging                           Display logging settings and buffered messages.

Configuring Logging via Cisco SDM

  1. Choose Configure > Additional Tasks > Router Properties > Logging
  2. Click Edit in the Logging pane.
  3. Select Enable Logging Level and choose the severity level.
  4. Click Add and enter the IP address of a logging host.
  5. Click OK to return to the Logging dialog.
  6. Click OK to accept changes and return to the Logging pane.

Monitoring Logging via SDM

  • See the logging hosts configured on the router.
  • Choose the minimum severity level to view.
  • Monitor current router syslog messages, update the screen, or erase messages from the router buffer.

Using SNMP for Network Security

SNMP (Simple Network Management Protocol) is used to manage nodes on an IP network, including servers, workstations, routers, switches, hubs, and security appliances. It is an Application Layer protocol in the TCP/IP suite that allows network administrators to monitor performance, troubleshoot problems, and plan for network growth. There are different versions of SNMP.

SNMPv1 and SNMPv2

These versions use managers (network management systems), agents (managed nodes), and Management Information Bases (MIBs). At least one manager runs SNMP management software. Network devices have SNMP agent software that provides access to a local MIB containing information about device operation. The SNMP manager can:

  • Get information from the agent
  • Set or change configuration variables
  • Receive SNMP traps for significant events

Sets allow actions like rebooting a router or transferring configuration files. Traps allow agents to notify the manager of events. However, gets and sets create vulnerabilities.

Community Strings

SNMP agents accept requests only if the manager provides the correct community string, which acts as a password.

  • Read-only (ro) - Access information but cannot modify.
  • Read-write (rw) - Can access and modify information.

Default community strings like "public" are insecure, and every community string, however strong, travels in plaintext in each SNMPv1/v2c packet, so anyone on the path can read it. Use custom strings, restrict the sources allowed to use them with an ACL on the snmp-server community command, and prefer read-only when SNMP travels in-band. In OOB management, read-write can be used with awareness of the plaintext exposure.
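An added example (not from the page or from any Cisco software) showing what "sent in plaintext" means on the wire: a minimal BER encoder builds an SNMPv1/v2c GetRequest for sysName.0, and a decoder that reads nothing more than the first two fields recovers the community string from the raw datagram, exactly as a sniffer on the path would. The packet contents, community strings and request ID are constructed for illustration.

```python
# Minimal BER encoder/decoder: enough to build an SNMPv1/v2c GetRequest and
# to show what a passive observer recovers from it.

def ber_tlv(tag: int, payload: bytes) -> bytes:
    """One BER element: tag, definite length (short or long form), value."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value: int) -> bytes:
    nbytes = max(1, (value.bit_length() + 8) // 8)   # keep a sign bit free
    return ber_tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return ber_tlv(0x06, bytes(body))


def build_get_request(community: str, oid: str, version: int = 1, request_id: int = 42) -> bytes:
    """Message ::= SEQUENCE { version INTEGER (0 = v1, 1 = v2c), community OCTET STRING,
    GetRequest-PDU [0] { request-id, error-status, error-index, VarBindList } }"""
    varbind = ber_tlv(0x30, ber_oid(oid) + ber_tlv(0x05, b""))          # { oid, NULL }
    pdu = ber_tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + ber_tlv(0x30, varbind))
    return ber_tlv(0x30, ber_int(version) + ber_tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff_community(packet: bytes):
    """What a passive observer learns from one captured datagram: the SNMP
    version and, for v1/v2c, the community string in the clear."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg, 0)
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big", signed=True), "unknown")
    tag, second, _ = read_tlv(msg, pos)
    # In SNMPv3 the second element is msgGlobalData (a SEQUENCE), not a community string.
    return version, second.decode() if tag == 0x04 else None


if __name__ == "__main__":
    SYS_NAME = "1.3.6.1.2.1.1.5.0"                # sysName.0 from MIB-II
    pkt = build_get_request("public", SYS_NAME)   # constructed; the default community from the text
    print(pkt.hex())
    print(sniff_community(pkt))                   # -> ('v2c', 'public')
```

No key, no dissector and no guesswork is involved: the community string is the third byte-string in the datagram, which is why an ACL on the community and read-only access limit the damage but only SNMPv3 with auth/priv removes the exposure.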

SNMPv3

SNMPv3 provides enhanced security by offering:

  • Message integrity - Ensures packets are not tampered with.
  • Authentication - Confirms the source of a message.
  • Encryption - Scrambles packet contents to prevent unauthorized viewing.

SNMPv3 is standards-based and interoperable and is the recommended version; beyond the brief group/user CLI example earlier on this page, its configuration is not covered further here.

SNMP Security Models and Levels

Cisco IOS supports three security models: SNMPv1, SNMPv2c, SNMPv3. Security levels determine the type of authentication and encryption:

  • noAuthNoPriv (noAuth) - Authenticates with a username (v3) or community string (v1/v2c) match only; no encryption.
  • authNoPriv (auth) - HMAC-MD5 or HMAC-SHA authentication; no encryption.
  • authPriv (priv) - HMAC-MD5 or HMAC-SHA authentication plus DES, 3DES, or AES encryption.

Only SNMPv3 supports auth and priv levels. The combination of model and level determines security mechanisms for SNMP packets.

Configuring SNMPv1/v2 via Cisco SDM

  1. Choose Configure > Additional Tasks > Router Properties > SNMP and click Edit.
  2. Select Enable SNMP and set community strings.
  3. Click Add to create new community strings, Edit to modify existing, or Delete to remove.

Example CLI for read-only community string "cisco123": snmp-server community cisco123 ro

  • ro - Read-only access
  • rw - Read-write access

Configuring Trap Receivers via SDM

  1. From SNMP pane, click Edit.
  2. Click Add in Trap Receiver section to add a new trap receiver.
  3. Enter the IP address or hostname of the trap receiver and the community string it expects (SDM labels this field Password).
  4. Click OK to finish adding.
  5. To edit, select a receiver and click Edit. To delete, click Delete.
  6. When complete, click OK to return to SNMP pane.

The SNMP Properties window also has fields for Server Device Location and Administrator Contact to store descriptive information. These fields are optional.

Using Network Time Protocol

Accurate date and time on network devices are critical for security. During attacks, seconds matter to identify the sequence of events. To synchronize logs and ensure consistency, clocks on hosts and network devices must be accurate.

Methods to Set Date and Time

  • Manually editing the date and time
  • Configuring the Network Time Protocol (NTP)

Manual configuration may work in small networks, but it becomes impractical as networks grow. If a router reboots, it may not have an accurate timestamp. NTP provides a better solution.

Using NTP

NTP allows routers to synchronize their time with an NTP server. A group of NTP clients that reference a single source maintain consistent time settings. NTP can synchronize to a private master clock or a publicly available NTP server.

NTP uses UDP port 123. NTPv3 is defined in RFC 1305 and NTPv4 in RFC 5905.

Private vs. Public NTP Servers

Using a private master clock may involve synchronization via satellite or radio. The source must be secure; otherwise, attackers could disrupt clocks to affect digital certificates or confuse administrators during attacks. Public NTP servers require trusting the server's accuracy and security.

NTP Communication

Machines running NTP are usually configured with static associations: each device knows the IP addresses of its NTP masters. One or more routers can act as an NTP master (optionally announcing a stratum number) using:

ntp master [stratum]

Clients synchronize by contacting the master:

ntp server <ntp-server-address>

For LAN environments, NTP broadcasts can replace static associations: the server sends them with the interface command ntp broadcast, and clients listen with the interface command:

ntp broadcast client

This simplifies configuration but slightly reduces accuracy, because a broadcast client cannot measure the round-trip delay (synchronization is one-way).

NTP Security Mechanisms

Time is critical, so NTP security should prevent accidental or malicious misconfiguration. Available mechanisms include:

  • ACL-based restriction scheme
  • Keyed-hash (MD5) authentication mechanism (NTPv3 or later)

NTPv3 and later support cryptographic authentication between peers (a keyed MD5 digest over each packet; the time itself is not encrypted), which, along with ACLs, mitigates spoofed-time attacks.

Securing NTP

Use NTPv3 or later and configure the same key on both master and clients:

ntp authenticate
ntp authentication-key <key-number> md5 <key-value>
ntp trusted-key <key-number>
ntp server <ntp-server-address> key <key-number>

ntp authenticate turns checking on, ntp authentication-key defines the shared key, ntp trusted-key lists the key numbers that may be used, and the key keyword on ntp server tells the client which key to expect from that server. A client configured this way refuses time from a server whose packets lack a valid digest. A client that has not enabled authentication still accepts the time but cannot verify its source.

Verify with:

show ntp associations detail
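What those keys do on the wire, as an added example that is not part of the original page and uses the standard NTP symmetric-key scheme rather than any Cisco-specific code: a server reply is built, a MAC (4-byte key ID followed by MD5 over the key and the 48-byte header, as specified in RFC 5905) is appended with a shared key, and a client that behaves like one configured with ntp authenticate and ntp trusted-key accepts it while rejecting an unauthenticated reply, one signed with an untrusted key, and one whose transmit timestamp was altered in transit. The key ID, key value and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import struct

NTP_UNIX_OFFSET = 2_208_988_800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 + 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def build_server_reply(unix_seconds: float, version: int = 3, stratum: int = 2) -> bytes:
    """48-byte NTP header for a server reply (mode 4); fields other than the
    timestamps are plausible constants, since only the MAC matters here."""
    li_vn_mode = (0 << 6) | (version << 3) | 4
    header = struct.pack(">BBbb", li_vn_mode, stratum, 6, -20)   # LI/VN/mode, stratum, poll, precision
    header += struct.pack(">II", 0, 0)                           # root delay, root dispersion
    header += b"GPS\0"                                           # reference ID of the upstream clock
    header += ntp_timestamp(unix_seconds) * 4                    # reference, origin, receive, transmit
    return header


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the symmetric-key MAC: 4-byte key ID then MD5(key || packet), the
    MD5 scheme of RFC 5905 that 'ntp authentication-key N md5 ...' configures."""
    return packet + struct.pack(">I", key_id) + hashlib.md5(key + packet).digest()


def verify(packet: bytes, trusted_keys: dict) -> tuple:
    """Behave like a client with 'ntp authenticate' + 'ntp trusted-key':
    accept time only from a packet whose MAC checks out under a trusted key."""
    if len(packet) < 48:
        return False, "too short"
    if len(packet) == 48:
        return False, "no MAC (unauthenticated)"
    if len(packet) != 48 + 4 + 16:
        return False, "unexpected MAC length"
    header, mac = packet[:48], packet[52:]
    key_id = struct.unpack(">I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key {key_id} not trusted"
    if not hmac.compare_digest(hashlib.md5(key + header).digest(), mac):
        return False, "bad MAC"
    return True, f"authenticated with key {key_id}"


if __name__ == "__main__":
    # Constructed exchange: key ID and value are illustrative, not from any real deployment.
    TRUSTED = {1: b"NtpKey123"}
    reply = authenticate(build_server_reply(1_700_000_000.25), 1, TRUSTED[1])
    print(verify(reply, TRUSTED))                      # accepted
    print(verify(reply[:48], TRUSTED))                 # MAC stripped: rejected
    forged = reply[:40] + b"\0" * 8 + reply[48:]       # attacker rewrites the transmit timestamp
    print(verify(forged, TRUSTED))                     # rejected: MAC no longer matches
```

The check is only as strong as the key distribution: the digest is MD5 over a shared secret, so the key must be configured out-of-band on every master and client, and the ACL-based restriction remains useful to limit who can even reach the service.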

Configuring NTP via Cisco SDM

  1. Choose Configure > Additional Tasks > Router Properties > NTP/SNTP. The NTP pane shows all configured servers.
  2. Click Add to add a new NTP server.
  3. Enter the server by name (DNS) or IP address. Publicly available NTP servers are listed by the NTP project.
  4. (Optional) Choose NTP Source Interface to select the interface used to communicate with the server. If left blank, the router uses the interface closest to the server.
  5. Select Prefer if the server is preferred. Preferred servers are contacted before nonpreferred servers.
  6. If authentication is used, select Authentication Key and enter the key number and key value.
  7. Click OK to finish adding the server.

Performing a Security Audit

Cisco routers are initially deployed with many services enabled by default for convenience. However, some of these services can make the device vulnerable if security is not enforced. Administrators can also enable services that may expose the device to risk. Both scenarios must be considered when securing the network.

For example, Cisco Discovery Protocol (CDP) is enabled by default. CDP helps discover protocol addresses and platforms of neighboring Cisco devices, but its advertisements are unauthenticated and sent in clear text, so anyone on a directly connected segment can read the same platform, software version and address information. Software like Cisco CDP Monitor can be used by attackers to gather it. CDP is useful for troubleshooting, but it should be disabled on edge devices and on any interface where it is not needed.

Disabling Vulnerable Services

Attackers often target services and protocols that increase network vulnerability. Depending on security needs, many services should be disabled or restricted. This includes both Cisco proprietary protocols like CDP and global protocols like ICMP.

Default settings in Cisco IOS may have historical reasons but can create security exposures, especially for perimeter devices. To secure a device:

  • Disable unnecessary services and interfaces
  • Disable and restrict commonly configured management services, such as SNMP
  • Disable services that aid probes and scans, such as ICMP redirects, unreachables and mask replies
  • Ensure terminal access security
  • Disable gratuitous and proxy ARP
  • Disable IP-directed broadcasts

Security Audits

Administrators must first determine vulnerabilities in the current configuration. Security audit tools compare configurations to recommended settings and track discrepancies. After identifying vulnerabilities, configurations must be modified to reduce or eliminate risks.

Three common security audit tools include:

  • Security Audit Wizard - Provided through Cisco SDM, it lists vulnerabilities and allows the administrator to choose which security-related changes to implement.
  • Cisco AutoSecure - Available via the Cisco IOS CLI using the auto secure command. Changes can be automatic or require administrator input.
  • One-Step Lockdown - Provided through Cisco SDM, it lists vulnerabilities and automatically applies all recommended security-related configuration changes.

Both Security Audit Wizard and One-Step Lockdown are based on Cisco IOS AutoSecure.

Security Audit Wizard Details

The Security Audit Wizard tests the router configuration for potential security problems and presents a screen for the administrator to decide which issues to fix. It then applies the necessary changes.

The wizard compares the router configuration against recommended settings and can:

  • Shut down unneeded servers
  • Disable unneeded services
  • Apply the firewall to outside interfaces
  • Disable or harden SNMP
  • Shut down unused interfaces
  • Check password strength
  • Enforce the use of ACLs

When initiating a security audit, the wizard must know which interfaces are inside vs. outside. It tests the configuration and displays all options tested, showing whether the configuration passes each test. The wizard identifies vulnerabilities and offers automatic fixes, showing descriptions and corresponding Cisco IOS commands.

Before applying changes, a summary page lists all configuration changes. The administrator clicks Finish to send the changes to the router.

Cisco AutoSecure

Released in IOS version 12.3, Cisco AutoSecure is a CLI-initiated feature that executes a script. AutoSecure first makes recommendations for fixing security vulnerabilities and then modifies the router's security configuration.

AutoSecure can lock down both the management plane and forwarding plane of a router.

Management Plane

The management plane is the logical path for all traffic related to router management. It controls other routing functions and manages the device through its network connection. Management plane services and functions include:

  • Disables or secures BOOTP, CDP, FTP, TFTP, PAD, UDP and TCP small servers, MOP, ICMP redirects and mask replies, IP source routing, Finger, gratuitous ARP, proxy ARP, and directed broadcasts; enables password encryption and TCP keepalives
  • Legal notification using a banner
  • Secure password and login functions
  • Secure NTP
  • Secure SSH access
  • TCP intercept services

Forwarding Plane

The forwarding plane handles packet forwarding (switching), receiving packets on router interfaces and sending them out other interfaces. Forwarding plane services include:

  • Cisco Express Forwarding (CEF)
  • Traffic filtering with ACLs
  • Cisco IOS firewall inspection for common protocols

AutoSecure is often used to provide a baseline security policy on new routers. Features can then be modified to align with an organization’s security policy.

Use the following commands to enable AutoSecure:

  • auto secure – Interactive setup (default mode)
  • auto secure no-interact – Non-interactive setup with recommended Cisco default settings
  • auto secure full – Interactive setup that prompts for all components

In interactive mode, the router prompts the administrator to enable or disable services and other security features. Non-interactive mode automatically applies Cisco-recommended default settings, similar to the SDM Security Audit one-step lockdown.

The auto secure command also accepts keywords that limit it to specific components: management or forwarding for a whole plane, or login, ntp, ssh, firewall and tcp-intercept for individual features.

When executed, a wizard guides the administrator through device configuration. User input is required in interactive mode, and after completion, the running configuration displays all settings and changes applied.

Cisco One-Step Lockdown

One-Step Lockdown tests a router configuration for potential security problems and automatically makes the necessary changes to correct any issues.

One-Step Lockdown Disables:

  • Finger service
  • PAD service
  • TCP small servers service
  • UDP small servers service
  • IP BOOTP server service
  • IP identification service
  • Cisco Discovery Protocol (CDP)
  • IP source route
  • IP GARPs
  • SNMP
  • IP redirects
  • IP proxy ARP
  • IP directed broadcast
  • MOP service
  • IP unreachables
  • IP mask reply
  • IP unreachables on null interface

One-Step Lockdown Enables:

  • Password encryption service
  • TCP keepalives for inbound and outbound Telnet sessions
  • Sequence numbers and timestamps on debugs
  • IP Cisco Express Forwarding (CEF) and NetFlow switching
  • Unicast Reverse Path Forwarding (RPF) on outside interfaces
  • Firewall on all outside interfaces
  • SSH for access to the router
  • AAA

One-Step Lockdown Sets:

  • Minimum password length to six characters
  • Authentication failure rate to less than three retries
  • TCP synwait time
  • Notification banner
  • Logging parameters
  • Enable secret password
  • Scheduler interval
  • Scheduler allocate
  • Users
  • Telnet settings
  • Access class on HTTP server service
  • Access class on vty lines

Deciding which automated lockdown feature to use, AutoSecure or SDM Security Audit one-step lockdown, is mostly a matter of preference. There are differences in how they implement security practices.

Cisco SDM does not implement all the features of Cisco AutoSecure. Since Cisco SDM version 2.4, the following AutoSecure features are not part of SDM one-step lockdown:

  • Disabling NTP – AutoSecure disables NTP if not necessary or configures it with MD5 authentication. SDM does not support disabling NTP.
  • Configuring AAA – AutoSecure configures local AAA and prompts for username/password setup if AAA is not configured. SDM does not support AAA configuration.
  • Setting Selective Packet Discard (SPD) values – SDM does not set SPD values.
  • Enabling TCP intercepts – SDM does not enable TCP intercepts.
  • Configuring antispoofing ACLs on outside interfaces – AutoSecure creates three named ACLs for antispoofing; SDM does not.

The following AutoSecure features are implemented differently in SDM:

  • Enable SSH for access to the router – SDM enables and configures SSH on IOS images with the IPsec feature set, but unlike AutoSecure, SDM does not enable SCP or disable other access/file transfer services like FTP.
  • Disable SNMP – SDM disables SNMP, but unlike AutoSecure, SDM does not provide an option for configuring SNMPv3. SNMPv3 is not available on all routers.

Regardless of the preferred automated feature, it should be used as a baseline and then modified to meet the organization’s needs.

Chapter Summary

Router Logging and Syslog

Implementing a router logging facility is an important part of any network security policy. Cisco routers can log information regarding configuration changes, ACL violations, interface status, and other types of events. Routers can send log messages to several facilities:

  • Console - Default logging to the console port.
  • Terminal lines - EXEC sessions on vty lines can display messages once terminal monitor is issued.
  • Buffered logging - Logs stored in router memory, cleared on reboot.
  • SNMP traps - Threshold events forwarded to SNMP servers.
  • Syslog - Forward messages to external syslog servers for long-term storage and centralized monitoring.

Cisco router log messages fall into eight severity levels, with lower numbers indicating higher severity:

  • 0 - Emergencies
  • 1 - Alerts
  • 2 - Critical
  • 3 - Errors
  • 4 - Warnings
  • 5 - Notifications
  • 6 - Informational
  • 7 - Debugging

Log messages contain:

  • Timestamp
  • Log message name and severity
  • Message text

Syslog Architecture

  • Syslog servers - Accept and process log messages.
  • Syslog clients - Devices that generate and forward logs.

Centralized logging helps security monitoring but can create information overload. Cisco Security MARS appliance can analyze logs, correlate events, and alert administrators.

Configuring System Logging

Steps for CLI configuration:

  • Set the logging host: logging host <address>
  • Set the highest severity level forwarded to the host: logging trap <level>
  • Set the source interface: logging source-interface <interface>
  • Enable logging: logging on

SDM steps: Configure > Additional Tasks > Router Properties > Logging, then set levels, add hosts, and apply changes.
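The following Python script is an added example, not part of the original page: it parses messages in the IOS syslog format summarized above (optional PRI, sequence number and timestamp, then %FACILITY-SEVERITY-MNEMONIC and the message text), reproduces the logging trap <level> filter, and tags the three event classes the summary names (configuration changes, ACL violations, interface status) for the kind of correlation a syslog server or MARS would perform. The five messages, hosts, interface name, ACL number and user name are constructed.

```python
from __future__ import annotations
import re

# Constructed sample messages in IOS syslog format, as received by a syslog server from a
# router with 'service sequence-numbers' and 'service timestamps log datetime msec' set.
# Hosts, interface name, ACL number and user name are placeholders.
SAMPLE_MESSAGES = [
    "<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<190>46: *Mar  1 00:12:40.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4455) -> 10.0.0.1(23), 1 packet",
    "<187>47: *Mar  1 00:13:02.120: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "<189>48: *Mar  1 00:13:05.888: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "<191>49: *Mar  1 00:13:10.000: %SYS-7-USERLOG_DEBUG: Message from tty0(user id: admin): test",
]

SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

MSG_RE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?"                              # RFC 3164 PRI = facility * 8 + severity
    r"(?:(?P<seq>\d+): )?"                               # sequence number (service sequence-numbers)
    r"(?:(?P<mark>[*.])?(?P<ts>\w{3} +\d+ [\d:.]+): )?"  # timestamp; '*' = clock not synchronized
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")

# The three event classes the text names, keyed by (facility, mnemonic).
SECURITY_MNEMONICS = {
    ("SYS", "CONFIG_I"): "configuration change",
    ("SEC", "IPACCESSLOGP"): "ACL violation",
    ("SEC", "IPACCESSLOGDP"): "ACL violation",
    ("LINK", "UPDOWN"): "interface status",
    ("LINEPROTO", "UPDOWN"): "interface status",
}


def parse_message(line: str) -> dict | None:
    """Split one IOS log line into its fields; None if it is not in IOS format."""
    m = MSG_RE.match(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["sev"] = int(msg["sev"])
    msg["severity"] = SEVERITY_NAMES[msg["sev"]]
    msg["clock_unsynced"] = msg["mark"] == "*"      # NTP not in sync: timestamps untrustworthy
    if msg["pri"] is not None:
        msg["syslog_facility"], msg["syslog_severity"] = divmod(int(msg["pri"]), 8)
        # The PRI severity should agree with the level in %FACILITY-SEV-MNEMONIC.
        msg["pri_consistent"] = msg["syslog_severity"] == msg["sev"]
    return msg


def trap_filter(lines: list[str], level: int) -> list[dict]:
    """Keep what a router forwards under 'logging trap <level>': severity <= level."""
    return [msg for msg in map(parse_message, lines) if msg and msg["sev"] <= level]


def security_events(lines: list[str]) -> list[tuple[str, str]]:
    """Tag messages belonging to the event classes a security monitor should correlate."""
    events = []
    for msg in map(parse_message, lines):
        if msg and (msg["facility"], msg["mnemonic"]) in SECURITY_MNEMONICS:
            events.append((SECURITY_MNEMONICS[(msg["facility"], msg["mnemonic"])], msg["text"]))
    return events
```

A PRI of 189 decodes to facility 23 (local7, the IOS default) and severity 5, matching the 5 in %SYS-5-CONFIG_I; a mismatch would indicate a relay rewriting the header. The asterisk before the timestamp is the router's own warning that its clock was not NTP-synchronized when the message was generated, which is why the NTP section above matters for log evidence. trap_filter with level 5 keeps three of the five messages (the two notifications and the error), level 6 adds the ACL log, and level 7 adds the debugging message.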

SNMP Monitoring

SNMP manages nodes on a network. Versions SNMPv1 and SNMPv2 use managers, agents, and MIBs. SNMPv3 adds authentication, privacy, and access control.

  • Read-only community strings - Can retrieve data but not change configuration.
  • Read-write community strings - Can retrieve and modify configuration.

Security levels for SNMPv3:

  • noAuth - User identified by a username string match only; no integrity or confidentiality protection.
  • auth - Messages authenticated and integrity-protected with HMAC-MD5 or HMAC-SHA, but not encrypted.
  • priv - Authenticated and encrypted using DES, 3DES, or AES.

Configuration steps using SDM: Enable SNMP, add community strings, configure trap receivers, and optionally set location/contact info.

Network Time Protocol (NTP)

Accurate timestamps are critical. Options:

  • Manual date/time configuration
  • Network Time Protocol (NTP)

Configure NTP on routers using:

  • Master clock: ntp master
  • Client: ntp server <address>
  • Optional broadcast: ntp broadcast client

Secure NTP using authentication keys:

  • ntp authenticate
  • ntp authentication-key <key-number> md5 <key-value>
  • ntp trusted-key <key-number>

SDM allows adding and editing NTP servers with optional authentication and preferred status.

Default Services and Vulnerabilities

Many services are enabled by default (e.g., CDP). These can expose the router to attacks. Administrators should:

  • Disable unnecessary services and interfaces
  • Restrict SNMP and management services
  • Disable probes/scans (ICMP)
  • Secure terminal access
  • Disable gratuitous/proxy ARP
  • Disable IP-directed broadcasts

Security audit tools help identify and remediate vulnerabilities.

Security Audit Tools

  • Security Audit Wizard (SDM) - Tests configuration, allows selective fixes, shuts down unneeded servers, applies firewall, disables SNMP, enforces ACLs.
  • Cisco AutoSecure - CLI tool for management and forwarding plane lockdown; interactive or non-interactive modes.
  • One-Step Lockdown (SDM) - Automatically fixes potential security issues; disables unsafe services, enables protections, sets secure policies.

Cisco AutoSecure

Manages management plane and forwarding plane services. CLI commands:

  • auto secure - Interactive mode
  • auto secure full - Interactive with all prompts
  • auto secure no-interact - Non-interactive, default recommended settings

Cisco One-Step Lockdown

Automatically configures security measures:

  • Disables unsafe services: Finger, PAD, TCP/UDP small servers, BOOTP, CDP, source routing, SNMP, IP redirects, proxy ARP, directed broadcasts, etc.
  • Enables protections: Password encryption, TCP keepalives, sequence numbers, timestamps, CEF, ACLs, firewall, SSH, AAA.
  • Sets policies: Minimum password length, authentication failure retries, logging, banners, scheduler, users, Telnet access, HTTP and VTY access classes.

Differences between AutoSecure and SDM one-step lockdown include NTP configuration, AAA setup, selective packet discard, TCP intercepts, and antispoofing ACLs.

Summary of Cisco Router Security Practices

  • Enable and configure logging with severity levels; use syslog for centralized monitoring.
  • Use SNMP securely: prefer SNMPv3 with authentication and privacy; where community strings remain, keep them read-only and restrict the hosts that may use them.
  • Synchronize router clocks using NTPv3 with authentication; avoid manual timekeeping in large networks.
  • Disable unnecessary services and protocols; secure management and terminal access.
  • Use automated tools: Security Audit Wizard, AutoSecure, One-Step Lockdown for baseline security.
  • Management plane: secure SSH, NTP, SNMP, banners, AAA, and TCP/UDP services.
  • Forwarding plane: configure ACLs, firewall, CEF, and NetFlow for packet security.
  • Review and adjust automated lockdown configurations to meet organizational requirements.