Cisco – Cisco AutoSecure Feature

How To Secure Your Cisco Router Using Cisco AutoSecure Feature?

The Cisco AutoSecure feature is available in Cisco IOS 12.3 and later and is supported on all hardware platforms, including the newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.
The Cisco AutoSecure command supports two modes, so you can choose how much control you want over the changes it makes:
AutoSecure Interactive Mode: This mode prompts the user with options to enable/disable services and other security features supported by the IOS version the router is running.
AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings.

1. Disables the following Global Services:
• Finger
• PAD
• Small Servers
• Bootp
• HTTP service
• Identification Service
• CDP
• NTP
• Source Routing

2. Enables the following Global Services:
• Password-encryption service
• Tuning of scheduler interval/allocation
• TCP synwait-time
• tcp-keepalives-in and tcp-keepalives-out
• SPD configuration
• No ip unreachables for null 0

3. Disables the following services per interface:
• ICMP
• Proxy-Arp
• Directed Broadcast
• MOP service
• ICMP unreachables
• ICMP mask reply messages

4. Provides logging for security:
• Enables sequence numbers & timestamp
• Provides a console log
• Sets log buffered size
• Provides an interactive dialogue to configure the logging server ip address.

5. Secures access to the router:
• Checks for a banner, provides a facility to add banner text, and automatically configures:
• Login and password
• Transport input & output
• Exec-timeout
• Local AAA
• SSH timeout and ssh authentication-retries to minimum number
• Enable only SSH and SCP for access and file transfer to/from the router
• Disables SNMP if it is not being used

6. Secures the Forwarding Plane:
• Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
• Anti-spoofing
• Blocks all IANA reserved IP address blocks
• Blocks private address blocks if customer desires
• Installs a default route to NULL 0, if a default route is not being used
• Configures TCP intercept for connection-timeout, if TCP intercept feature is available and the user is interested
• Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
• Enables NetFlow on software forwarding platforms
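AutoSecure writes its changes into the running configuration, so the practical follow-up is to verify that the expected lines are actually there on every interface and VTY line. The following Python script is an example added to this page, not Cisco's code or output: it parses IOS-style configuration text and reports which of the hardening lines from the list above are absent, globally, per interface and on the VTY lines. The expected-line tables are this editor's mapping of the page's list onto config syntax, the sample configuration is constructed for the example, and the parser assumes only that IOS indents sub-commands by one space and separates sections with `!` lines.

```python
"""Audit IOS config text for the hardening lines AutoSecure applies. Example code
added to this page, not Cisco's; the sample config is constructed, not captured."""

# Label -> config-line prefix, following sections 1, 2, 4 and 6 on this page.
GLOBAL_EXPECTED = {
    "finger disabled": "no service finger",
    "PAD disabled": "no service pad",
    "HTTP server disabled": "no ip http server",
    "CDP disabled": "no cdp run",
    "IP source routing disabled": "no ip source-route",
    "password encryption on": "service password-encryption",
    "TCP keepalives in": "service tcp-keepalives-in",
    "CEF enabled": "ip cef",
    "buffered logging size set": "logging buffered",
    "SSH retries limited": "ip ssh authentication-retries",
}
# Per-interface lines, section 3 on this page.
INTERFACE_EXPECTED = {
    "ICMP unreachables off": "no ip unreachables",
    "proxy ARP off": "no ip proxy-arp",
    "directed broadcast off": "no ip directed-broadcast",
    "ICMP mask reply off": "no ip mask-reply",
    "MOP off": "no mop enabled",
}
# VTY lines, section 5 on this page.
VTY_EXPECTED = {
    "exec timeout set": "exec-timeout",
    "SSH-only transport": "transport input ssh",
}

def parse_config(config_text):
    """Split config text into top-level lines and indented blocks keyed by header
    ('interface ...', 'line ...'). IOS indents sub-commands by one space and
    separates sections with '!' lines; that is all this parser relies on."""
    global_lines, blocks, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                      # '!' closes the current block
        elif line.startswith(" "):
            if current is not None:
                blocks[current].append(line.strip())
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, blocks

def missing(expected, lines):
    """Labels whose config-line prefix appears on none of the given lines."""
    return [label for label, prefix in expected.items()
            if not any(l.startswith(prefix) for l in lines)]

def audit(config_text):
    """Report expected hardening lines that are absent, globally and per block.
    Caveat: 'show running-config' omits settings at their default value, so a
    label here means 'not confirmed by this text', not 'enabled'; re-check with a
    dump that includes defaults ('show running-config all') before calling it a gap."""
    global_lines, blocks = parse_config(config_text)
    report = {"global_missing": missing(GLOBAL_EXPECTED, global_lines),
              "interfaces": {}, "vty": {}}
    for header, sub in blocks.items():
        if header.startswith("interface ") and "Loopback" not in header:
            report["interfaces"][header] = missing(INTERFACE_EXPECTED, sub)
        elif header.startswith("line vty"):
            report["vty"][header] = missing(VTY_EXPECTED, sub)
    return report

# Constructed sample: Gi0/0 fully hardened, Gi0/1 not, no 'logging buffered' line.
SAMPLE_CONFIG = """\
service password-encryption
service tcp-keepalives-in
no service finger
no service pad
!
no ip http server
no ip source-route
no cdp run
ip cef
ip ssh authentication-retries 2
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
!
interface GigabitEthernet0/1
 no mop enabled
!
line vty 0 4
 exec-timeout 10 0
 transport input ssh
"""
if __name__ == "__main__":
    for section, value in audit(SAMPLE_CONFIG).items():
        print(section, value)
```

Run against the constructed sample, the report flags the missing `logging buffered` line globally and four absent per-interface lines on GigabitEthernet0/1, while GigabitEthernet0/0 and the VTY block come back clean. The caveat in `audit` matters in practice: a plain `show running-config` does not print settings that sit at their default, so treat a "missing" label as "not confirmed" and confirm against a dump that includes defaults before raising it as a gap.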

Ref: Cisco Training Online