As a network administrator, auditor or architect, you know the importance of securing your network and finding security solutions you can implement quickly. This succinct book departs from other security literature by focusing exclusively on ways to secure Cisco routers, rather than the entire network. The rationale is simple: If the router protecting a network is exposed to hackers, then so is the network behind it. Hardening Cisco Routers is a reference for protecting the protectors. Included are the following topics:
The importance of router security and where routers fit into an overall security plan
Different router configurations for various versions of Cisco's IOS
Standard ways to access a Cisco router and the security implications of each
Password and privilege levels in Cisco routers
Authentication, Authorization, and Accounting (AAA) control
Router warning banner use (as recommended by the FBI)
Unnecessary protocols and services commonly run on Cisco routers
Protocol security for RIP, OSPF, EIGRP, NTP, and BGP
Written by Thomas Akin, an experienced Certified Information Systems Security Professional (CISSP) and Certified Cisco Academic Instructor (CCAI), the book is well organized, emphasizing practicality and a hands-on approach. At the end of each chapter, Akin includes a Checklist that summarizes the hardening techniques discussed in the chapter. The Checklists help you double-check the configurations you have been instructed to make, and serve as quick references for future security procedures.
Concise and to the point, Hardening Cisco Routers supplies you with all the tools necessary to turn a potential vulnerability into a strength. In an area that is otherwise poorly documented, this is the one book that will help you make your Cisco routers rock solid.
Chapter 1 Router Security
Routers: The Foundation of the Internet
What Can Go Wrong
What Routers Are at Risk?
Chapter 2 IOS Version Security
The Need for a Current IOS
Determining the IOS Version
IOS Versions and Vulnerabilities
IOS Security Checklist
Chapter 3 Basic Access Control
Authentication Versus Authorization
Points of Access
Basic Access Control
Protection with IPSec
Basic Access Control Security Checklist
Chapter 4 Passwords and Privilege Levels
Keeping Configuration Files Secure
Chapter 5 AAA Access Control
Token-Based Access Control
AAA Security Checklist
Chapter 6 Warning Banners
Adding Login Banners
Warning Banner Checklist
Chapter 7 Unnecessary Protocols and Services
Unnecessary Protocols and Services Checklist
Chapter 8 SNMP Security
Securing SNMP v1 and v2c
Securing SNMP v3
SNMP Management Servers
SNMP Security Checklist
Chapter 9 Secure Routing and Antispoofing
Routing Protocol Security
Routing Protocol and Antispoofing Checklist
Chapter 10 NTP
Chapter 11 Logging
Logging in General
ACL Violation Logging
Appendix A Checklist Quick Reference
Hardening Your Routers
Auditing Your Routers
Cisco Router Security Checklist
Appendix B Physical Security
Protection Against People
Protection Against Murphy and Mother Nature
Physical Security Checklist
Appendix C Incident Response
Keys to Investigating
Attack Versus Accident
Discover What Happened and the Scope of the Incident
Thomas Akin is a Certified Information Systems Security Professional (CISSP) with a decade of experience in information security. He is the founding director of the Southeast Cybercrime Institute at Kennesaw State University, where he also serves as chairman of the Institute's Board of Advisors. He is an active member of the Attorney General's Georgia Cybercrime Task Force and heads its education committee. Heavily involved in Atlanta's InfoSec community, Thomas spends much of his time teaching, writing, and trying to keep his security, network, and Unix certifications up to date. Finally, he is the owner of and principal consultant for CrossRealm Consulting. More information about Thomas can be found at http://www.crossrealm.com.
Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The animal on the cover of Hardening Cisco Routers is a North African wild ass. This mammal, an ancestor of the domestic donkey, once lived in the Moroccan Atlas Mountain range and possibly throughout North Africa. The small population of wild asses is now confined to Sudan, Somalia, and Ethiopia.
Adapted to arid grasslands, the North African wild ass eats thorny, dry plants and grass. It retreats to rocky areas for shade during the hot, sunny hours of the day and is active in the early morning, at dusk, and at night. The wild ass needs water every two to three days and lives alone or temporarily in small groups of offspring to conserve food and water. Males generally live alone, especially when defending territory that contains sources of water.
The North African wild ass is in grave danger of extinction. Domestication, breeding with domestic animals, hunting, and competition with other animals (including humans) for water have diminished the population to a few hundred. Well-meaning tourists who chase the animals for photographs often exhaust the wild asses to the point of death. The animal is now one of the rarest mammals in the world, despite conservation efforts.
Ann Schirmer was the production editor and proofreader, and Norma Emory was the copyeditor, for Hardening Cisco Routers. Claire Cloutier, Tatiana Apandi Diaz, and Rachel Wheeler provided quality control. Johnna VanHoose Dinse wrote the index.
Emma Colby designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Emma Colby produced the cover layout with QuarkXPress 4.1 using Adobe's ITC Garamond font.
Melanie Wang designed the interior layout, based on a series design by David Futato. Mihaela Maier converted the files from Microsoft Word to FrameMaker 5.5.6 using tools created by Mike Sierra. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano and Jessamyn Read using Macromedia FreeHand 9 and Adobe Photoshop 6. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Ann Schirmer.
Love this book as a good reference for any new router I roll out to tighten down. Quick, easy to read and understand and good examples. I did wish for some more Access-list examples but overall a great book.
I bought this book to harden my Cisco. I expected that it would cover aspects such as access list examples, how to deny ping from an external resource but not internal, ACL sorting, how to protect against DDoS, viruses, how to secure a LAN and so on.
The author focuses on some points: lines, TACACS, AAA, NTP and one or more ACLs for those.
Who cares, this material can be searched all over the Internet. I've learned much more on newsgroups than with this book, and it costs me pretty much since I'm not a US/Canadian citizen.
I found the book short and succinct while giving me "best practice" information. As an IT Auditor it gave me a high level appreciation and understanding for the risks and vulnerabilities of poorly configured routers without overwhelming me with too much detailed technical information.
I now have enough high level information to allow me to talk with network administrators. It clearly and easily gives me a benchmark to measure against while demonstrating the basic fundamental steps which can be taken to harden the routers to mitigate the highest risks.
This short (~160 pages) but informative book covers a wide range of security "precautions" for Cisco routers. It provides a foundation on how to limit or mitigate the risk of your Cisco router being attacked or compromised. These ideas and recommendations are a great help to anyone, even if you are an experienced Cisco router engineer or just starting out; although the book assumes that you have hands-on knowledge and experience configuring Cisco routers. As I read chapter after chapter, I found that a few very difficult to understand topics were presented fairly clearly but still difficult for a new beginner, and thus the more experience you have the more you will take out of this book.
Some of the best parts of the book have delved into topics that technical experts will sometimes forget. It explains what risk is and why routers for most are critical links today with "e-business" being mission critical. It should make you think about what the costs are to you being attacked both by reputation and real losses like lost sales, i.e. no email or web server available. This book touches all aspects of security, like physical issues, and better yet recovery after an incident. (But don't wait till then before you read the book or that chapter.)
The best part of the book is how it devotes just the right amount of time to each topic and indicates that if you have not understood a technology, where to go and, better yet, the author conveys that you need to get the gist of things and any work to help harden your router is worth the effort. I like the router configuration examples as well as summaries in each chapter and an over-all router configuration with all recommendations implemented.
This is a must read for anyone in charge of a router connected to the Internet, in essence it provides "rules-of-thumb" that make it harder for the attacker to do damage.