################################################################################
# Securing Low-End Cisco Routers                                               #
# (c) spender 2000                                                             #
# ---------------------------------------------------------------------------- #
# greetz to tekneeq, rag, bansh33, ch1ckie (she's soooo cute!!!), boda (gotcha #
# again), negrox (just cuz u asked me), trumpet, v9 (i lub u), everyone from   #
# ACPO, specially tashie..she's soo nice!, mrwhit3, bogey (ur still muh bitch) #
# axtrex (sorry i almost forgot u), sys-edit, and any of the rest of u who     #
# have put up with my crap...special greetz tho those of u who mail me bout    #
# my docs...makes a little boy feel all warm and tingly;)                      #
################################################################################
                    
 Table of Contents 
--------------------------
I.    Introduction
II.   Local Security
III.  Network Security
IV.   Conclusion
V.    Contact Me


 I.  Introduction
--------------------------
Ok, welp my 3rd public doc...in case u haven't read the other ones, i'm sure
u can find them on packetstorm.  They've got the names of ipchains.txt and
Sysctl.sh.  I'm kinda bored right now, and a little messed up..i saw that
guy on TV that wrestles crocodiles and grabs snakes by their tail and watches
them spit venom into his eyes...and it was kinda funny.  mebbe i'll see some
of u at the sanitarium tour on july 4th...(mebbe if i can get some federal
agents or something to escort me..that'd be neato;) ) oh, and go see gone in
60 seconds...it was a good movie imo...lots of blowing up stuff and crashes
and CARS...lots and lots of CARS..and of course angelina jolie...and well i'm
just not gonna go there=P (h0tt!) oh..and while i'm here, since my interview
isn't gonna be out for a while, lemme say that i'm looking for whores..lots of
em (no not real ones).  if ya wanna chat for a little..come find me on EFnet,
under nick spender-, or spender_ (not spender) ;)  so anywayz, back on subject
here...i wrote this doc partially out of my disgust.....errr ok there's no 
way out of this.  Rant time.  It's COMPLETELY ridiculous that for a user such
as myself to update buggy/exploitable software (IOS) currently on my routers,
i haveta pay CISCO a large sum of money (i was told $2000/yr).  This is 
completely preposterous that i have to pay so much money for an "incomplete"
product, and then to update it to a less "incomplete" state, i have to shell
out more money...and then when i got to that point, pay more money in a few
months to update it yet again because of some programmer's mistakes.  Since
when does an error on the part of the company result in ME giving THEM money?
it's ridiculous!  I can see them making ppl pay for hardware upgrades, but
REALLY how much does it cost for them to shell out another software update?
end users have paid out their ears already, and the only reason they pay these
ridiculous prices is because it's their business that's paying for it.  If u
can give the boss pretty pictures showing how this'll help them out, they're
all for it, because the don't know what the heck it all means.  It's pitiful
that these people are so money hungry....*sigh*  </rant>  Anywayz, for
those of us who don't have beaucoup bucks...(i've got a cisco 2514)...we don't
have the money for all the fancy upgrades or newest models...and many isps and
such don't...it's a shame that to protect our networks we have to pay more 
money to update an inadequate system.  The information applied in this document
will apply to virtually any Cisco Router, but is specifically written for ones
with IOS versions less than 11.  But anwayz, there is still some things
you can do with low-end Cisco routers to enhance local security and network
security.  This document aims to accomplish that.  It assumes that you
have some experience in working with routers, ie knowing that the first rule
in a list takes precedence.

 II.  Local Security
--------------------------------
 First thing to a secure router is having secure passwords of course.  Make
 em long, and random...i like 32bit hex values for my passes;)  make sure
 that your password is encrypted correctly using MD5 encryption.  the simple
 command "enable secret" should do the trick..it'll set your privileged 
 password and encrypt it.  This however, provides no security against 
 sniffed passwords sent across telnet sessions to the router.  Cisco was
 grateful enough to make routers that didn't have any sort of encrypted
 remote login..such as ssh or kerberized telnet.  so in some cases, unless
 you need it, it may be best to disable telnet access to the router.  This
 can be done with the command "transport input none" done from the
 configuration menu...which is accessed by typing "configure".  While i'm on
 the issue of commands, "show" is helpful in showing the statistics of various
 aspects of your router, and using the character "?" in commands displays help
 for that command, or when done by itself, gives a list of commands that can 
 be entered in the current menu.  enable tcp keepalives on the router with
 the command "service tcp-keep-alives-in" to prevent ghost connections.  keep
 management services such as SNMP disabled unless you really need them.
 Disable any services running that aren't going to be used.  Here's the
 commands i used to disable services on my router:
 no service finger          #gives too much information
 no ntp enable              #not needed
 no cdp running             #gives too much information
 no cdp enable              #gives too much information
 no service tcp-small-servers #disables echo,chargen,discard
 no service udp-small-servers #disables echo,chargen,discard
 some of these are done from the interface configuration menu, while others
 are done through the configuration menu.
 
 III.  Network Security
--------------------------------
 One of the areas to focus on for low-end routers as far as network security
 is setting up ACLs to prevent at least some spoofed attacks. Using the
 access-list command...these can be configured.  for my router, the following
 configuration worked to prevent packets from certain ip ranges.
 (done from the configure menu)
 access-list 100 deny ip 127.0.0.0 0.255.255.255 any
 access-list 100 deny ip 10.0.0.0 0.255.255.255 any
 access-list 100 deny ip 224.0.0.0 31.255.255.255 any
 access-list 100 deny ip host 0.0.0.0 any
 access-list 100 deny ip host 255.255.255.255 any
 access-list 100 deny ip 192.168.0.0 0.0.255.255 any
 access-list 100 deny ip 172.16.0.0 0.0.255.255 any
 access-list 100 deny ip yoursubnethere yoursubnetmaskhere any
 access-list 100 permit ip any any
 then after doing a "interface ethernet 0" or whatever your external ifaces
 are for your router is/are...the following command binds it to the router
 input.
 ip access-group 100 in
 There u go...sucker will be purrin like a kitty.  
 If you want to keep packet kiddies from working off your network, impliment
 a ACL to allow only ip packets out with source addresses of your subnet.  This
 won't stop them from spoofing another host in your network, but it sure 
 stops them from spoofing any other host.  something to the effect of:
 access-list 101 deny ip any any
 access-list 101 permit ip yoursubnethere yoursubnetmaskhere any
 ip access-group 101 out
 should do the trick.
 To keep packets with an unreachable destination from entering your network
 the command:
 ip route 0.0.0.0 0.0.0.0 null 0 255
 should do it.
 Now, while you're here....u can add to your access-list by blocking out
 all incoming IGMP packets...u don't need em anywayz(and fragmented ones
 love being tossed at windows machines) so we add a rule like..
 access-list 100 deny igmp any any
 to our list
 Now, to be protected against smurf attacks....a command like:
 no ip directed-broadcast
 should be done on all external ifaces (on my router, interface ethernet 0)
 and this will keep ppl from using your broadcast as an amplifier.
 While you're at it, disable source routing options on the router, as they're
 never used for any legitimate purpose.  "no ip source-route" should do the
 trick.  Being as ICMP redirect packets aren't used legitimately either, they
 should be denied by the router as well.  This can be done with the following:
 access-list 100 deny icmp any any redirect.
 As far as flooding is concerned, there's not much low-end routers can do.
 Just about the only command that can help here is "fair-queue" which is 
 done at the interface configuration menu.  To prevent the router from dying
 from extreme flooding, the command "scheduler interval 500" should help...
 it makes sure that system tasks are executed at the minimum of once every
 500ms.  And that's about all as far as network security is concerned.
 The newer routers/IOS version have a bunch of new nifty features to help
 in these regards, but that's out of the scope of this document, of course.
 
 IV.  Conclusion
-------------------------------- 
 Hopefully i've helped some of you lazy sysadmins to configure your
 routers properly, because it's your fault that we've got all these problems
 with ip spoofing...smurfs..etc.  And double shame on the ISPs, etc, who
 are notified of these problems and fail to respond... Shit, if a 17 yr old
 kid can figure out how to configure a router in a day, these guys who are
 getting paid all the money shure as hell should know.  I should commend
 cisco at least for providing their users with documents on how to secure
 their routers...so they don't haveta go elsewhere for them.  i found them
 to be inaccurate and incomplete in several areas, so i decided to write this
 doc.  Besides, wouldn't ya rather hear it from a bright young crackah 
 like myself?;)
 
 V.  Contact Me
--------------------------------
 Email: spender@exterminator.net (yes i LOVE email)
 IRC: spender_ or spender-