Using AutoSecure

Problem

You want to secure your router without having to read the whole book.

Solution

To automatically secure the router, use the following command:

Router2#auto secure
--- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]:

Discussion

Beginning with IOS Version 12.3(1), Cisco introduced the autosecure feature to quickly harden router configuration files in an automated fashion. Essentially, autosecure disables common router features that might pose a security risk while enabling other IOS features that help harden the router. Once you enter the autosecure command, the router leads you through a series of questions so it can best determine how to secure the router for your environment.

The autosecure feature is excellent for users who have limited knowledge of all the Cisco security features, or for environments that don't have a well-defined security policy. Be sure to review carefully which services are enabled or disabled so that you fully understand the consequences. Once you've executed the autosecure script, you can view what changes were made to the configuration by issuing the show auto secure config command:

Router2#show auto secure config 
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no snmp-server community public
no snmp-server community private
banner ^C Test ^C
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 00071A1507545B54
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 6
login authentication local_auth
transport input telnet
login block-for 5 attempts 5 within 6

crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 6
transport input ssh telnet
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
!
interface Serial0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
!
ip cef
Router2#

In this example, you can see that autosecure disabled such services as CDP, finger, SNMP, HTTP server, etc. In some environments, disabling CDP can break certain network management platforms, as can disabling inbound SNMP, so be careful when using this feature to ensure that you don't inadvertently affect your network.
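Reviewing the changes by eye works for one router; for a fleet it is easier to check a saved running configuration against the list of hardening commands that AutoSecure produced above. The following script is an added example and is not part of the recipe or of Cisco IOS: it parses IOS running-config text (indented sub-commands under interface and line sections, '!' between sections), reports which of the global and per-interface commands from the recipe's show auto secure config output are absent, flags vty lines that still accept telnet, and calls out the two settings the text warns can affect management platforms (CDP off, no SNMP community). The sample configuration it runs against is constructed for the example, with one global command and several interface commands deliberately left out.

```python
"""Audit an IOS running-config for the hardening commands AutoSecure applies.

Added example (not from the Cisco IOS Cookbook). The expected command lists
are taken from the recipe's 'show auto secure config' output; the sample
configuration below is constructed.
"""
from dataclasses import dataclass, field

# Global commands seen in the recipe's AutoSecure output.
EXPECTED_GLOBAL = [
    "no service finger",
    "no service pad",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service password-encryption",
    "no ip bootp server",
    "no ip http server",
    "no ip source-route",
    "no ip gratuitous-arps",
    "aaa new-model",
]

# Commands AutoSecure applies to every interface.
EXPECTED_INTERFACE = [
    "no ip redirects",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip mask-reply",
]


@dataclass
class AuditResult:
    missing_global: list = field(default_factory=list)
    missing_interface: dict = field(default_factory=dict)  # section -> [commands]
    telnet_lines: list = field(default_factory=list)       # vty sections allowing telnet
    management_notes: list = field(default_factory=list)   # settings that may break NMS


def parse_sections(text):
    """Split running-config text into global commands and tracked sections.

    Sections are 'interface ...' and 'line ...' headers; their sub-commands are
    the indented lines that follow. A '!' or blank line ends a section.
    """
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw[0] in " \t":  # indented: sub-command of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = None
            global_lines.append(line)
    return global_lines, sections


def audit(text):
    """Compare a config against the AutoSecure hardening commands."""
    global_lines, sections = parse_sections(text)
    gset = set(global_lines)
    result = AuditResult()
    result.missing_global = [c for c in EXPECTED_GLOBAL if c not in gset]
    for header, cmds in sections.items():
        if header.startswith("interface "):
            missing = [c for c in EXPECTED_INTERFACE if c not in cmds]
            if missing:
                result.missing_interface[header] = missing
        elif header.startswith("line vty"):
            for c in cmds:
                tokens = c.split()
                # 'transport input telnet', 'ssh telnet' or 'all' still accepts telnet
                if c.startswith("transport input") and ({"telnet", "all"} & set(tokens)):
                    result.telnet_lines.append(header)
    # Side effects the recipe warns about: review before rolling out.
    if "no cdp run" in gset:
        result.management_notes.append("no cdp run: CDP-based discovery in NMS platforms stops working")
    if not any(l.startswith("snmp-server community") for l in global_lines):
        result.management_notes.append("no snmp-server community configured: SNMP pollers cannot read this router")
    return result


def format_report(result):
    lines = [f"MISSING global: {c}" for c in result.missing_global]
    for header, cmds in result.missing_interface.items():
        lines += [f"MISSING {header}: {c}" for c in cmds]
    lines += [f"NOTE {h}: telnet still permitted on transport input" for h in result.telnet_lines]
    lines += [f"REVIEW {n}" for n in result.management_notes]
    return "\n".join(lines) or "No findings"


# Constructed sample: a post-AutoSecure config with 'no ip http server' and
# three of the Serial0/0 interface commands left out on purpose.
SAMPLE_RUNNING_CONFIG = """\
version 12.3
service password-encryption
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
hostname Router2
!
aaa new-model
aaa authentication login local_auth local
!
no ip source-route
no ip gratuitous-arps
no ip bootp server
ip cef
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
 no ip unreachables
!
no cdp run
!
line con 0
 login authentication local_auth
 exec-timeout 5 0
line vty 0 4
 login authentication local_auth
 transport input ssh telnet
!
end
"""

if __name__ == "__main__":
    print(format_report(audit(SAMPLE_RUNNING_CONFIG)))
```

Run it against the output of show running-config saved to a file, and treat the MISSING lines as the hardening gap and the REVIEW lines as the items to confirm with whoever runs the management platforms before pushing the change.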

Although autosecure is not the magic bullet of hardening Cisco routers, it certainly does a good job of securing the router compared to using the default configuration settings. If faced with a decision of having no security features enabled or using the autosecure feature, then we recommend using the autosecure feature.

In addition to the default behavior, you can also use a number of keywords to modify the autosecure script. See Table 27-1 for more information.

Table 27-1. Autosecure optional keywords

Keyword         Description
management      Only secure the management plane (e.g., SNMP, logging, etc.).
forwarding      Only secure the forwarding plane (e.g., CEF, CBAC, TCP intercept, etc.).
no-interactive  Don't prompt for interactive configurations.
full            Prompt the user for all interactive configurations (default).
ntp             Configure the NTP service in the autosecure script.
login           Configure the login feature in the autosecure script.
ssh             Enable SSH in the autosecure script.
firewall        Enable the Firewall feature in the autosecure script.
tcp-intercept   Enable TCP Intercept in the autosecure script.