Let’s break it down. I heard about this feature not too long ago and just wanted to take the time to look at it and see what it is all about. In the meantime, I’m rebuilding all my U VMs because I created a new topology (CCIE Collaboration lab on November 26th), but more on that later. Networks need to be secured, that is what we keep hearing from customers/clients everywhere, so why not make it easier to use and apply?

The following link gives a bit more information on the topic: http://www.cisco.com/c/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper09186a00801dbf61.html

If you need to determine whether your device supports this feature, look it up by feature in the Cisco Feature Navigator: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

**We will be looking at the configuration from a router perspective.**

What does Cisco AutoSecure do? Cisco AutoSecure hardens the management plane and the forwarding plane of the device. It disables services that are often unused or insecure, turns off risky per-interface behaviour, and tightens administrative access (local authentication, login-attack protection, SSH). It also enables CEF (Cisco Express Forwarding). As the tool itself warns, this raises the baseline but does not make the router resistant to all attacks, so the generated configuration still deserves a review.

What are the AutoSecure modes? According to the white paper, AutoSecure supports interactive and non-interactive modes. Just as it sounds, interactive mode prompts the user with a set of options and the user selects what he/she considers a good idea in order to secure the device. Non-interactive mode applies a default set of settings based on Cisco's recommended best practices without asking any questions.

Now let's look at the syntax and play a bit with interactive mode. From privileged EXEC mode on your router, type:


**R1#auto secure ?**
**  firewall     AutoSecure Firewall**
**  forwarding   Secure Forwarding Plane**
**  full         Interactive full session of AutoSecure**
**  login        AutoSecure Login**
**  management   Secure Management Plane**
**  no-interact  Non-interactive session of AutoSecure**
**  ntp          AutoSecure NTP**
**  ssh          AutoSecure SSH**

Let's look at the management plane first and see what that is all about. On this command I just hit Enter when it asked whether my router was connected to the Internet; the default was no:


**R1#auto secure management full**
**        --- AutoSecure Configuration ---**

***** AutoSecure configuration enhances the security of**
**the router, but it will not make it absolutely resistant**
**to all security attacks *****

**AutoSecure will modify the configuration of your device.**
**All configuration changes will be shown. For a detailed**
**explanation of how the configuration changes enhance security**
**and any possible side effects, please refer to Cisco.com for**
**Autosecure documentation.**
**At any prompt you may enter '?' for help.**
**Use ctrl-c to abort this session at any prompt.**

**Gathering information about the router for AutoSecure**

**Is this router connected to internet? :**

The session then disables a number of services and encourages you to create a login banner, a good practice that I have seen very smart engineers use. Here is the list of services it disables or enables:


**Securing Management plane services...**

**Disabling service finger**
**Disabling service pad**
**Disabling udp & tcp small servers**
**Enabling service password encryption**
**Enabling service tcp-keepalives-in**
**Enabling service tcp-keepalives-out**
**Disabling the cdp protocol**

**Disabling the bootp server**
**Disabling the http server**
**Disabling the finger service**
**Disabling source routing**
**Disabling gratuitous arp**

Here is a sample Security Banner to be shown at every access to device. Modify it to suit your enterprise requirements.


**Authorized Access only**
**  This system is the property of So-&-So-Enterprise.**
**  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.**
**  You must have explicit permission to access this**
**  device. All activities performed on this device**
**  are logged. Any violations of access policy will result**
**  in disciplinary action.**

Enter the security banner {Put the banner between k and k, where k is any character}:

After you finish with the banner, it asks you to create a new enable secret:


**Enter the new enable secret:**
**Confirm the enable secret :**

Notice that the prompt comes back a second time, followed by a request for an enable password as well: AutoSecure enforces a minimum password length (it adds `security passwords min-length 6` to the configuration) and, as the message says, asks for an enable password when none is configured or the existing one is shorter than that minimum. The old Cisco123 is not what the new AutoSecure wants, so let's come up with something more secure:


**Enter the new enable secret:**
**Confirm the enable secret :**
**Enable password is not configured or its length**
**is less than minimum no. of characters configured**
**Enter the new enable password:**
**Confirm the enable password:**

After the enable secret and enable password, it asks more questions: the admin user for the local database; the three parameters for login-attack protection (the blocking period during which the device refuses logins once an attack is detected, the maximum number of failed logins, and the time window in which those failures must occur); whether to configure an SSH server; and the hostname and domain name that the RSA key for SSH requires.


**Configuration of local user database**
**Enter the username: admin**
**Enter the password:**
**Confirm the password:**
**Configuring AAA local authentication**
**Configuring Console, Aux and VTY lines for**
**local authentication, exec-timeout, and transport**
**Securing device against Login Attacks**
**Configure the following parameters**

**Blocking Period when Login Attack detected: 10**

**Maximum Login failures with the device: 10**

**Maximum time period for crossing the failed login attempts: 10**

**Configure SSH server? : yes**
**Enter the hostname: r1-autosecure**
**Enter the domain-name: collabengineer.com**
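The three login-attack answers above end up in the generated configuration as `login block-for 10 attempts 10 within 10`. To make those semantics concrete, here is an added example that is not part of the original post and is not Cisco code: it replays constructed failed-login lines, written in the style of the IOS `%SEC_LOGIN-4-LOGIN_FAILED` message with a seconds prefix added for simple parsing, through a simplified model of that logic. The source addresses, the `exempt` parameter (standing in for the ACL that `login quiet-mode access-class` applies) and the function names are assumptions of this example.

```python
import re
from collections import deque

# Matches the constructed sample lines: "<seconds> %SEC_LOGIN-4-LOGIN_FAILED: ... [Source: a.b.c.d] ..."
LOGIN_FAILED = re.compile(r"^(?P<t>\d+) %SEC_LOGIN-4-LOGIN_FAILED: .*\[Source: (?P<src>[\d.]+)\]")


def build_sample_log():
    """Constructed events (not captured from the router above): one attacker hammering the
    vty lines once per second for 26 s, and the real admin mistyping a password at t=12."""
    attacker = "203.0.113.9"
    lines = [f"{t} %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: {attacker}] [localport: 22]"
             for t in range(26)]
    lines.append("12 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admni] [Source: 192.168.1.10] [localport: 22]")
    return sorted(lines, key=lambda s: int(s.split()[0]))


def simulate_login_block(log_lines, block_for, attempts, within, exempt=frozenset()):
    """Simplified model of 'login block-for B attempts A within W' (an assumption of this
    example, not the IOS source): failures from ALL sources share one counter; once
    `attempts` of them fall inside a `within`-second window the device enters quiet mode
    and refuses every login for `block_for` seconds, except from `exempt` sources.
    Returns the quiet-mode windows and the (time, source) attempts that were refused."""
    recent, quiet_until = deque(), -1
    windows, refused = [], []
    for line in log_lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue
        t, src = int(m["t"]), m["src"]
        if t < quiet_until:
            if src not in exempt:
                refused.append((t, src))
            continue                      # refused attempts do not feed the next window
        recent.append(t)
        while t - recent[0] > within:     # slide the window forward
            recent.popleft()
        if len(recent) >= attempts:
            quiet_until = t + block_for
            windows.append((t, quiet_until))
            recent.clear()
    return {"quiet_windows": windows, "refused": refused}


if __name__ == "__main__":
    log = build_sample_log()
    print(simulate_login_block(log, block_for=10, attempts=10, within=10))
    print(simulate_login_block(log, 10, 10, 10, exempt={"192.168.1.10"}))
```

The point the run makes: the failure counter is global, so a single remote source reaching ten failures in ten seconds puts the router in quiet mode and the admin's own login at t=12 is refused along with the attacker's. The session above did not add `login quiet-mode access-class` with an ACL that permits trusted management sources, which is what keeps the blocking period from turning into a lockout of the people who need to get in.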

This is what happens when it starts building the configuration:


**Configuring interface specific AutoSecure services**
**Disabling the following ip services on all interfaces:**

** no ip redirects**
** no ip proxy-arp**
** no ip unreachables**
** no ip directed-broadcast**
** no ip mask-reply**
**Disabling mop on Ethernet interfaces**

This is the configuration it generates:


**no service finger**
**no service pad**
**no service udp-small-servers**
**no service tcp-small-servers**
**service password-encryption**
**service tcp-keepalives-in**
**service tcp-keepalives-out**
**no cdp run**
**no ip bootp server**
**no ip http server**
**no ip finger**
**no ip source-route**
**no ip gratuitous-arps**
**no ip identd**
**banner motd ^CThis system is the property of So-&-So-Enterprise.**
**  UNAUT**
**security passwords min-length 6**
**security authentication failure rate 10 log**
**enable secret 5 $1$I8Xj$VlmBfjtLbbiYzle9ASnFS0**
**enable password 7 12361716010E0A0A0A7A**
**username admin password 7 10611B18161214052C55**
**aaa new-model**
**aaa authentication login local_auth local**
**line con 0**
** login authentication local_auth**
** exec-timeout 5 0**
** transport output telnet**
**line aux 0**
** login authentication local_auth**
** exec-timeout 10 0**
** transport output telnet**
**line vty 0 4**
** login authentication local_auth**
** transport input telnet**
**login block-for 10 attempts 10 within 10**
**hostname r1-autosecure**
**ip domain-name collabengineer.com**
**crypto key generate rsa general-keys modulus 1024**
**ip ssh time-out 60**
**ip ssh authentication-retries 2**
**line vty 0 4**
** transport input ssh telnet**
**service timestamps debug datetime msec localtime show-timezone**
**service timestamps log datetime msec localtime show-timezone**
**logging facility local2**
**logging trap debugging**
**service sequence-numbers**
**logging console critical**
**logging buffered**
**interface FastEthernet0/0**
** no ip redirects**
** no ip proxy-arp**
** no ip unreachables**
** no ip directed-broadcast**
** no ip mask-reply**
** no mop enabled**
**interface FastEthernet0/1**
** no ip redirects**
** no ip proxy-arp**
** no ip unreachables**
** no ip directed-broadcast**
** no ip mask-reply**
** no mop enabled**
**!**
**end**

Apply this configuration to running-config? :

It is kind enough to ask whether you want to apply the configuration. Before answering yes, read what it generated: the vty lines still accept telnet (`transport input ssh telnet`), the enable password and the admin user's password are stored as type 7, which is reversible obfuscation rather than a hash (only the `enable secret 5` line is hashed), the vty lines have no exec-timeout, and the SSH host key is only 1024 bits. Those are worth fixing by hand afterwards.

Applying the config generated to running-config


**R1#**
***Mar  1 00:19:51.415: %AUTOSEC-5-ENABLED: AutoSecure is configured on the device**
**R1#**

A very useful command on the router we just applied AutoSecure to shows exactly what the feature generated, so you can review it afterwards:

**R1#sh auto secure config**
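As an added example that is not part of the original post and not a Cisco tool, the following Python script parses a configuration like the one `show auto secure config` prints, checks that the management-plane and per-interface hardening listed above is present, and flags the weak leftovers: type 7 passwords, a small RSA modulus, vty lines that still accept telnet, and lines without an exec-timeout. It also shows why `service password-encryption` is obfuscation rather than protection by reversing a type 7 string; the `0822455D0A16` value used is the widely published encoding of `cisco`, not a secret taken from this page. The sample configuration (the generated one above with the banner and logging lines dropped and the secrets replaced by placeholders), the placeholder hash and the function names are constructions of this example.

```python
import re

# Well-known fixed key behind IOS type 7 obfuscation (XOR against this string, Vigenere-style).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded):
    """Reverse an IOS 'password 7' string: two-digit decimal seed, then XORed hex bytes."""
    seed, data = int(encoded[:2]), bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()


def encode_type7(plain, seed=0):
    """Forward direction, only to demonstrate the round trip; it adds no secrecy."""
    out = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plain))
    return f"{seed:02d}{out.hex().upper()}"


def parse_ios_config(text):
    """Return (global commands, {section header: [subcommands]}) using IOS indentation rules."""
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # indented => belongs to the open line/interface block
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        globals_.append(line)
        current = line if line.startswith(("line ", "interface ")) else None
        if current is not None:
            sections.setdefault(current, [])   # a repeated header (line vty 0 4 twice) merges

    return globals_, sections

# Items the AutoSecure session above reports disabling/enabling.
REQUIRED_GLOBAL = ["no service finger", "no service pad", "no service udp-small-servers",
                   "no service tcp-small-servers", "no cdp run", "no ip bootp server",
                   "no ip http server", "no ip source-route", "no ip gratuitous-arps", "aaa new-model"]
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply", "no mop enabled"]


def audit(text):
    """Flag missing AutoSecure hardening and the weak leftovers AutoSecure does not remove."""
    globals_, sections = parse_ios_config(text)
    findings = [f"missing global hardening: {c}" for c in REQUIRED_GLOBAL if c not in globals_]
    for g in globals_:
        if re.search(r"\bpassword 7 \S+", g):
            findings.append(f"reversible type-7 secret on '{g[:g.index('password 7')].strip()}' (use secret)")
        m = re.search(r"crypto key generate rsa .*modulus (\d+)", g)
        if m and int(m.group(1)) < 2048:
            findings.append(f"weak RSA modulus {m.group(1)} for the SSH host key")
    for hdr, subs in sections.items():
        if hdr.startswith("line "):
            inputs = [s for s in subs if s.startswith("transport input")]
            if inputs and "telnet" in inputs[-1].split():   # the last transport input wins in IOS
                findings.append(f"{hdr}: telnet still allowed ({inputs[-1]})")
            if not any(s.startswith("exec-timeout") for s in subs):
                findings.append(f"{hdr}: no exec-timeout")
        elif hdr.startswith("interface "):
            findings += [f"{hdr}: missing {c}" for c in REQUIRED_INTERFACE if c not in subs]
    return findings

# Constructed sample: the generated configuration above, trimmed, with placeholder secrets.
SAMPLE_CONFIG = """\
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
no cdp run
no ip bootp server
no ip http server
no ip source-route
no ip gratuitous-arps
enable secret 5 $1$salt$placeholder
enable password 7 0822455D0A16
username admin password 7 0822455D0A16
aaa new-model
line vty 0 4
 login authentication local_auth
 transport input telnet
crypto key generate rsa general-keys modulus 1024
line vty 0 4
 transport input ssh telnet
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print(decode_type7("0822455D0A16"))
```

On the sample it raises five findings, none of which AutoSecure fixes for you: two reversible type 7 passwords, the 1024-bit host key, telnet still permitted on the vty lines, and no exec-timeout on them. The remediation is manual: `transport input ssh` on the vty lines, `username admin secret ...` in place of `password`, `no enable password` once the enable secret is in place, an `exec-timeout` on the vty lines, and regenerating the SSH host key with `crypto key generate rsa modulus 2048`.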

I hope this gives you ideas on how to use this nice feature. From any router you can go ahead and run AutoSecure with the following options:


**R1#auto secure ?**
**  firewall     AutoSecure Firewall**
**  forwarding   Secure Forwarding Plane**
**  full         Interactive full session of AutoSecure**
**  login        AutoSecure Login**
**  management   Secure Management Plane**
**  no-interact  Non-interactive session of AutoSecure**
**  ntp          AutoSecure NTP**
**  ssh          AutoSecure SSH**
**  <cr>**

Thank you

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration) With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook