
Securing Our Network Is Not So Easy

Securing our network is not easy, but we have to close each and every loophole in it. The PCI [Payment Card Industry] standard requires us to secure every device in our domain.

Cisco routers and switches provide features in IOS for this.

In today's complex world, securing our network routers and switches can be a daunting task, especially when there are so many CLI commands and parameters, each with different security implications for our Cisco device.

On a Cisco device, deciding which ports to block and which to leave open is not an easy task, but Cisco has made it easier for Cisco routers with Cisco AutoSecure. This feature is available in all IOS versions 12.3 and above and is supported on all hardware platforms, including all newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.

I searched all the Cisco sites and read all the documents on Cisco, and found that AutoSecure is available in two different modes depending on our needs and flexibility.

1] AutoSecure Interactive Mode: This mode prompts the user with options to enable or disable services and other security features supported by the IOS version the router is running.

2] AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings (Cisco’s best security practices).

However, we should use AutoSecure Interactive mode, which gives us greater control over security-related features than the non-interactive mode.

AutoSecure disables the following services globally on the Cisco router or switch:

  • CDP

  • NTP

  • Finger

  • PAD

  • Small Servers

  • Bootp

  • HTTP service

  • Identification Service

It enables the following services:

  • Password-encryption service

  • Tuning of scheduler interval/allocation

  • TCP synwait-time

  • TCP keepalives-in and TCP keepalives-out

  • No IP unreachables on the Null0 interface

  • Sequence numbers and timestamps on log messages

  • Logging with a buffered log size

  • Logging server IP address [Syslog server]

  • Login and password

  • Transport input & output

  • Exec-timeout on SSH sessions

  • TACACS or RADIUS

  • SSH only, with the SSH timeout and SSH authentication-retries set to the minimum

  • SNMP disabled if it is not in use

It disables the following services on interfaces:

  • ICMP

  • Proxy ARP

  • Directed broadcast

  • TCP small servers

  • UDP small servers

  • ICMP unreachables

  • ICMP mask reply messages

Below is the configuration on a Cisco router.

To explore all available options of the Cisco AutoSecure command, use the auto secure command followed by a question mark.
