AutoSecure

AutoSecure is a new security feature in Cisco IOS 12.2(18)S and 12.3(1). Up to this point in the chapter, you have had to manually disable services to protect your router. This is okay if you understand the Cisco IOS configuration process and are familiar with all the things that you must disable and why you should disable them.

However, for a novice administrator, this becomes a difficult task. AutoSecure removes the complexity by using a simple script that asks basic questions about the use of the router, and then creates a configuration file that will be used to secure the router. This is very similar to the use of the System Configuration dialog script that some administrators use to put a basic configuration on their router. The difference between this and AutoSecure is that AutoSecure focuses only on security-related services.

The AutoSecure feature provides the following security functions:

  • It disables all IP services that can be exploited in an attack.

  • It enables IP services that can help you prevent attacks.

  • It configures minimum password-length restrictions, preventing passwords such as cisco and admin from being configured.

  • It generates syslog messages when the maximum number of unsuccessful authentication attempts has been exceeded.

On the surface, the use of AutoSecure sounds simple, but you need to understand how AutoSecure works, as well as its restrictions, before you use it.

Securing Planes

AutoSecure's security focuses on two basic areas: management and forwarding. The next two sections cover these areas.

The Management Plane

AutoSecure can secure the management plane of your router by disabling global and interface services. Basically, everything I have discussed until this point of the chapter is included in the AutoSecure management plane, including securing access to the router and logging functions. Here is a list of the global services AutoSecure disables:

  • BootP

  • CDP

  • Finger

  • HTTP server

  • IdentD protocol

  • NTP (Network Time Protocol)

  • PAD

  • Source routing

  • TCP small servers

  • UDP small servers

NTP is the only service I have not discussed in this chapter. I discuss NTP in more depth in Chapter 18, "Logging Events."

Here is a list of the interface services that AutoSecure disables:

  • Directed broadcasts

  • ICMP mask replies

  • ICMP redirects

  • ICMP unreachables

  • MOP

  • Proxy ARP

Note that if you need any of these services, like HTTP, you need to re-enable them manually after running AutoSecure.

Besides disabling the previous services, AutoSecure can enable certain services to increase your security, including the following:

  • The service password-encryption command is executed, encrypting unencrypted passwords. This command is covered in Chapter 3.

  • The service tcp-keepalives-in and service tcp-keepalives-out commands are executed to remove abnormally terminated TCP connections.

  • Secure Copy (SCP) is set up in tandem with SSH to provide secure access to and from the router.

  • For all lines, the login and password commands are configured.

  • For VTY connections, only Telnet and SSH are allowed through the transport input and transport output commands.

  • If AAA is not set up, AutoSecure can create a local authentication database with usernames and passwords, to give you more control over router access.

  • A login text banner is created, if one does not already exist.

  • SNMP is disabled (if not needed), and community strings that are configured with either public or private are removed.

  • Logging on the console port and the internal buffer is enabled, sequence numbers and time stamps are added to all logging and debug messages, and trap logging levels are set to debug (logging is discussed in Chapter 18).

From this long list of services that are disabled and enabled, you can see that AutoSecure performs a lot of tasks for you from a simple menu-driven script.

The Forwarding Plane

AutoSecure also can secure the forwarding plane of your Cisco router. This is a marketing term used to describe how AutoSecure will configure security features that affect traffic flowing through your router. Here are some of the things that AutoSecure configures for the forwarding plane:

  • For routers that support Context-based Access Control (CBAC), AutoSecure enables this stateful firewall feature on your external interface. CBAC is discussed in Chapter 9, "Context-Based Access Control."

  • AutoSecure implements antispoofing by blocking reserved addresses defined by the IANA. This is done by creating an extended access list. These reserved addresses can be examined at http://www.iana.org/assignments/ipv4-address-space. Note that these addresses are subject to change, so you should compare AutoSecure's list of ACL statements with those in the previous URL. Extended ACLs are discussed in Chapter 7, "Basic Access Lists."

  • Private IP address spaces defined in RFC 1918 from external sources are blocked.

  • CEF is enabled on CEF-supported routers, which helps the router perform better when DoS attacks such as TCP SYN flood attacks are occurring.

  • Unicast Reverse Path Forwarding is implemented to help prevent packet spoofing. This feature is covered in Chapter 15, "Routing Protocol Protection."

  • TCP Intercept is configured, if available, to reduce the impact of DoS attacks on your internal resources. TCP Intercept is covered in Chapter 17, "DoS Protection."

For those features that need to be implemented on your perimeter router's public interface, such as CBAC and extended ACLs, AutoSecure prompts you for the necessary configuration information.

CAUTION

AutoSecure does not guarantee that it completely secures your router. It is a good tool to use when you first set up your router, to put a base security configuration on it. However, you will want to implement the many other features in this book to completely secure your router and the traffic behind it, especially if your router is functioning as a perimeter router or firewall solution.


AutoSecure Configuration

Now that you have a basic understanding of what AutoSecure can do for you, let us discuss how you use this script and how to verify its security configuration. You probably will perform three basic tasks:

  • Execute the AutoSecure script.

  • Verify the script's secured configuration.

  • Use optional commands to increase your security solution.

CAUTION

Before you begin the AutoSecure script to automatically secure your router, make sure that you back up its current configuration to an SCP server. When the script completes, your old configuration is gone. I discuss the use of SCP in Chapter 5.


Starting up AutoSecure

AutoSecure is meant to be run on a router with a base, or initial, configuration. If your router already has a configuration on it, with many security features enabled, some features of AutoSecure might not be enabled because of configuration conflicts or restrictions. Therefore, follow these steps to ensure the proper operation of AutoSecure:

Step 1. Either put a very basic configuration on your router or use the System Configuration dialog with the setup privileged EXEC command.

Step 2. Use AutoSecure.

Step 3. Complete the configuration of your router, including the implementation of other security features.

To start up AutoSecure, you use the privileged EXEC auto secure command, shown here:

Router# auto secure [management | forwarding] [no-interact]


These are the options that you can enter:

  • No options: AutoSecure secures both the management and forwarding planes, prompting you for the necessary information.

  • management: AutoSecure performs security configurations for only the management plane, prompting you for the necessary information.

  • forwarding: AutoSecure performs security configurations for only the forwarding plane, prompting you for the necessary information.

For all three of these configuration options, if you include the no-interact parameter, the router uses all the defaults for parameters and does not prompt you for any information.

NOTE

The AutoSecure script functions basically the same as the System Configuration dialog. As you go through the script, it prompts you for specific information. Information in brackets ([]) is the default value and is accepted when you press the Enter key on an empty line. There is no method of returning to a question if you answer it incorrectly; in this case, abort the script with Ctrl-c.


Going Through a Sample Script

To help you understand how to interact with the AutoSecure script, this section goes through an example. This example uses a 1720 router with an internal FastEthernet0 interface and an external Ethernet0 interface. The 1720 has the Cisco IOS Firewall feature set installed. Example 4-22 shows the script configuring both the management and forwarding planes. An explanation of the most important lines follows.

Example 4-22. How to Use AutoSecure

Router# auto secure
                --- AutoSecure Configuration ---

*** AutoSecure configuration enhances the security of
the router but it will not make the router absolutely secure
from all security attacks ***

All the configuration done as part of AutoSecure will be
shown here. For more details of why and how this configuration
is useful, and any possible side effects, please refer to Cisco
documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

If this device is being managed by a network management station,
AutoSecure configuration may block network management traffic.
Continue with AutoSecure? [no]: yes                               (1)

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes                   (2)
Interface     IP-Address    OK? Method Status                Protocol
Ethernet0     unassigned    YES NVRAM  administratively down down
FastEthernet0 192.168.1.254 YES NVRAM  up                    up
Enter the interface name that is facing internet: Ethernet0

Securing Management plane services..                              (3)

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol

Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Here is a sample Security Banner to be shown
at every access to device. Modify it to suit your
enterprise requirements.

Authorized Access only
  This system is the property of So-&-So-Enterprise.
  UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
  You must have explicit permission to access this
  device. All activities performed on this device
  are logged and violations of this policy result
  in disciplinary action.

Enter the security banner {Put the banner between                 (4)
k and k, where k is any character}:
+
This system is the property of the Deal Group, Inc.
Unauthorized access to this device is prohibited.
You must have explicit permission to access this
device. All activities performed on this device are
logged and violations of this policy result in
disciplinary, civil, and criminal action.
+
Enable secret is either not configured or                         (5)
 is same as enable password
Enter the new enable secret: ciscocisco
Enable password is not configured or its length
is less than minimum no. of characters configured
Enter the new enable password: sanfransanfran

Configuration of local user database                              (6)
Enter the username: richard
Enter the password: EmilyAlina
Configuring aaa local authentication
Configuring console, Aux and vty lines for
local authentication, exec-timeout, transport

Configure SSH server? [yes]: yes                                  (7)
Enter the hostname: Bullmastiff
Enter the domain-name: quizware.com

Configuring interface specific AutoSecure services                (8)
Disabling the following ip services on all interfaces:

 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply

Securing Forwarding plane services..                              (9)

Enabling CEF (it might have more memory requirements on some
     low-end platforms)
Configuring the named acls for Ingress filtering

autosec_iana_reserved_block: This block may subject to           (10)
change by iana and for updated list visit
www.iana.org/assignments/ipv4-address-space.
1/8, 2/8, 5/8, 7/8, 23/8, 27/8, 31/8, 36/8, 37/8, 39/8,
41/8, 42/8, 49/8, 50/8, 58/8, 59/8, 60/8, 70/8, 71/8,
72/8, 73/8, 74/8, 75/8, 76/8, 77/8, 78/8, 79/8, 83/8,
84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8,
94/8, 95/8, 96/8, 97/8, 98/8, 99/8, 100/8, 101/8, 102/8,
103/8, 104/8, 105/8, 106/8, 107/8, 108/8, 109/8, 110/8,
111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
197/8, 201/8
autosec_private_block:                                           (11)
10/8, 172.16/12, 192.168/16
autosec_complete_block: This is union of above two and           (12)
the addresses of source multicast, class E addresses
and addresses that are prohibited for use as source.
source multicast (224/4), class E(240/4), 0/8, 169.254/16,
192.0.2/24, 127/8.

Configuring Ingress filtering replaces the existing
acl on external interfaces, if any, with ingress
filtering acl.

Configure Ingress filtering on edge interfaces? [yes]: yes       (13)

[1] Apply autosec_iana_reserved_block acl on all edge interfaces
[2] Apply autosec_private_block acl on all edge interfaces
[3] Apply autosec_complete_bogon acl on all edge interfaces
Enter your selection [3]: 3                                      (14)
Enabling unicast rpf on all interfaces connected to internet
Configure CBAC Firewall feature? [yes/no]: yes                   (15)

This is the configuration generated:                             (16)
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
banner +
This system is the property of the Deal Group, Inc.
Unauthorized access to this device is prohibited.
You must have explicit permission to access this
device. All activities performed on this device are
logged and violations of this policy result in
disciplinary, civil, and criminal action.
+
security passwords min-length 6
security authentication failure rate 10 log
enable secret 5 $1$1q95$10TM0DLUhsUo.C37dF2WZ/
enable password 7 021505550D140E2F5F4F071F17161C
username richard password 7 03175A050C0032495D08170F18010E
aaa new-model
aaa authentication login local_auth local
line console 0
 login authentication local_auth
 exec-timeout 5 0
 transport output telnet
line aux 0
 login authentication local_auth
 exec-timeout 10 0
 transport output telnet
line vty 0 4
 login authentication local_auth
 transport input telnet
hostname Bullmastiff
ip domain-name quizware.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh telnet
service timestamps debug datetime localtime show-timezone msec
service timestamps log datetime localtime show-timezone msec
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
int Ethernet0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
int FastEthernet0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
ip access-list extended autosec_iana_reserved_block
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any
 permit ip any any
remark This acl might not be up to date. Visit
     www.iana.org/assignments/ipv4-address-space
     for update list
exit
ip access-list extended autosec_private_block
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 permit ip any any
exit
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 2.0.0.0 0.255.255.255 any
 deny ip 5.0.0.0 0.255.255.255 any
 deny ip 7.0.0.0 0.255.255.255 any
 deny ip 23.0.0.0 0.255.255.255 any
 deny ip 27.0.0.0 0.255.255.255 any
 deny ip 31.0.0.0 0.255.255.255 any
 deny ip 36.0.0.0 0.255.255.255 any
 deny ip 37.0.0.0 0.255.255.255 any
 deny ip 39.0.0.0 0.255.255.255 any
 deny ip 41.0.0.0 0.255.255.255 any
 deny ip 42.0.0.0 0.255.255.255 any
 deny ip 49.0.0.0 0.255.255.255 any
 deny ip 50.0.0.0 0.255.255.255 any
 deny ip 58.0.0.0 0.255.255.255 any
 deny ip 59.0.0.0 0.255.255.255 any
 deny ip 60.0.0.0 0.255.255.255 any
 deny ip 70.0.0.0 0.255.255.255 any
 deny ip 71.0.0.0 0.255.255.255 any
 deny ip 72.0.0.0 0.255.255.255 any
 deny ip 73.0.0.0 0.255.255.255 any
 deny ip 74.0.0.0 0.255.255.255 any
 deny ip 75.0.0.0 0.255.255.255 any
 deny ip 76.0.0.0 0.255.255.255 any
 deny ip 77.0.0.0 0.255.255.255 any
 deny ip 78.0.0.0 0.255.255.255 any
 deny ip 79.0.0.0 0.255.255.255 any
 deny ip 83.0.0.0 0.255.255.255 any
 deny ip 84.0.0.0 0.255.255.255 any
 deny ip 85.0.0.0 0.255.255.255 any
 deny ip 86.0.0.0 0.255.255.255 any
 deny ip 87.0.0.0 0.255.255.255 any
 deny ip 88.0.0.0 0.255.255.255 any
 deny ip 89.0.0.0 0.255.255.255 any
 deny ip 90.0.0.0 0.255.255.255 any
 deny ip 91.0.0.0 0.255.255.255 any
 deny ip 92.0.0.0 0.255.255.255 any
 deny ip 93.0.0.0 0.255.255.255 any
 deny ip 94.0.0.0 0.255.255.255 any
 deny ip 95.0.0.0 0.255.255.255 any
 deny ip 96.0.0.0 0.255.255.255 any
 deny ip 97.0.0.0 0.255.255.255 any
 deny ip 98.0.0.0 0.255.255.255 any
 deny ip 99.0.0.0 0.255.255.255 any
 deny ip 100.0.0.0 0.255.255.255 any
 deny ip 101.0.0.0 0.255.255.255 any
 deny ip 102.0.0.0 0.255.255.255 any
 deny ip 103.0.0.0 0.255.255.255 any
 deny ip 104.0.0.0 0.255.255.255 any
 deny ip 105.0.0.0 0.255.255.255 any
 deny ip 106.0.0.0 0.255.255.255 any
 deny ip 107.0.0.0 0.255.255.255 any
 deny ip 108.0.0.0 0.255.255.255 any
 deny ip 109.0.0.0 0.255.255.255 any
 deny ip 110.0.0.0 0.255.255.255 any
 deny ip 111.0.0.0 0.255.255.255 any
 deny ip 112.0.0.0 0.255.255.255 any
 deny ip 113.0.0.0 0.255.255.255 any
 deny ip 114.0.0.0 0.255.255.255 any
 deny ip 115.0.0.0 0.255.255.255 any
 deny ip 116.0.0.0 0.255.255.255 any
 deny ip 117.0.0.0 0.255.255.255 any
 deny ip 118.0.0.0 0.255.255.255 any
 deny ip 119.0.0.0 0.255.255.255 any
 deny ip 120.0.0.0 0.255.255.255 any
 deny ip 121.0.0.0 0.255.255.255 any
 deny ip 122.0.0.0 0.255.255.255 any
 deny ip 123.0.0.0 0.255.255.255 any
 deny ip 124.0.0.0 0.255.255.255 any
 deny ip 125.0.0.0 0.255.255.255 any
 deny ip 126.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 201.0.0.0 0.255.255.255 any

 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any

 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
remark This acl might not be up to date.
     Visit www.iana.org/assignments/ipv4-address-space
     for update list
exit
interface Ethernet0
 ip access-group autosec_complete_bogon in
exit
ip access-list extended 100
 permit udp any any eq bootpc
interface Ethernet0
 ip verify unicast source reachable-via rx 100
 exit
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
interface Ethernet0
 ip inspect autosec_inspect out
!
end

Apply this configuration to running-config? [yes]: yes           (17)
Applying the config generated to running-config
The name for the keys will be: Bullmastiff.quizware.com
% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys ...[OK]
Bullmastiff#

The following list explains the output from the script in Example 4-22. The numbers on the right side of Example 4-22 correspond to the numbers in the following list:

  1. At the beginning of the script, you are given the instructions and then asked to continue; the default is no.

  2. If the router is connected to the Internet, answer the question yes; you then are shown a list of interfaces and are asked which interface is connected to the Internet. In this example, I entered Ethernet0. If this is an internal router, just answer no to the question.

  3. After answering the public interface question, the AutoSecure script displays which global management services it is disabling.

  4. A sample login banner is displayed, and you are given the opportunity to configure your own. This is similar to using the banner motd command, in which you need a beginning and ending delimiter character. In this example, I used + as the delimiting character.

  5. You must enter an encrypted privileged EXEC password (enable secret) if one is not configured or if it matches the clear-text privileged EXEC password (enable password). You also must enter a clear-text privileged EXEC password.

  6. Next, you are asked to configure one entry in your router's local authentication database, which is used for both console and remote access. In this example, I created an account called richard.

  7. If you want to use SSH, answer yes to this question. If you answer yes, you must enter a hostname and a domain name so that the Cisco IOS can generate the RSA key pair that SSH uses for encryption.

  8. Now that the global management services are completed, you are taken into the interface-specific management services. Here you can see which services automatically are disabled. You do not have to answer any questions here.

  9. When the router completes the management services, it moves on to the forwarding services. If the router supports CEF, this is enabled.

  10. The first filter set up is to block source addresses defined by the IANA. Note that the addresses that the Cisco IOS uses in AutoSecure might not be the most current; therefore, you periodically should check with IANA's web site to verify the Cisco IOS configuration.

  11. The second filter includes private IP source addresses defined in RFC 1918.

  12. The third filter combines the first two filters and adds source multicast addresses, Class E addresses, and 169.254.0.0/24, 0.0.0.0/8, 192.0.2.0/24, and 127.0.0.0/8.

  13. Next, you are asked whether you want one of the three filters from steps 10, 11, and 12 applied inbound on the Internet (public) interface.

  14. If you answer yes to step 13, you are asked which filter you want to apply to the interface. If the interface is not connected directly to the Internet and you are using public addresses, choose 1. However, you will want to go back into the configuration later and add the addresses from Step 12. If you are connected to the Internet, choose option 3.

  15. After unicast reverse path forwarding is enabled, you are asked if you want to configure CBAC on your router. This happens only if you have installed the Cisco IOS Firewall feature set on your router. This sets up a stateful firewall for allowing returning traffic for outbound connections.

  16. You now have answered all of the questions for the AutoSecure configuration process. The script displays the actual Cisco IOS commands that it will execute. Examine these closely to make sure that this is the configuration that you want.

  17. In the last step you are asked if you want to implement this configuration. Answer yes to do so. When you answer yes, if you chose to enable SSH, the Cisco IOS generates RSA encryption keys.

This completes the AutoSecure configuration script. As you can see, this is a lot easier than manually configuring all of these commands individually.
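The three ingress filters that steps 10 through 12 describe are ordinary extended ACLs written with wildcard masks and evaluated top to bottom, first match winning. The following Python script is an added example, not code from this book or from Cisco: it parses an abbreviated, constructed excerpt of the autosec_complete_bogon list from Example 4-22 (the real list carries many more /8 entries), converts each wildcard mask to a CIDR prefix, and reports which sample source addresses the filter would drop, which is a quick way to confirm what the generated ACL actually blocks once you have compared it with IANA's current allocations.

```python
import ipaddress

# Constructed, abbreviated excerpt of the autosec_complete_bogon ACL from
# Example 4-22. The real list contains every IANA-reserved /8 that AutoSecure
# knows about; a handful is enough to exercise the parser.
SAMPLE_ACL = """\
ip access-list extended autosec_complete_bogon
 deny ip 1.0.0.0 0.255.255.255 any
 deny ip 197.0.0.0 0.255.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip 240.0.0.0 15.255.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 192.0.2.0 0.0.0.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
remark This acl might not be up to date.
exit
"""


def wildcard_to_network(address, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    A wildcard mask is the inverse of a subnet mask: 0 bits must match the
    address, 1 bits are ignored. Only a contiguous run of 1 bits at the low
    end corresponds to a CIDR prefix, so anything else is rejected instead of
    being silently mis-parsed into the wrong network.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def parse_acl(text):
    """Return the ACL's IP entries as an ordered list of (action, source_net)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, remarks, exit and non-IP (e.g. udp) entries.
        if len(parts) < 3 or parts[0] not in ("permit", "deny") or parts[1] != "ip":
            continue
        if parts[2] == "any":
            source = ipaddress.ip_network("0.0.0.0/0")
        elif parts[2] == "host":
            source = ipaddress.ip_network(f"{parts[3]}/32")
        else:
            source = wildcard_to_network(parts[2], parts[3])
        entries.append((parts[0], source))
    return entries


def evaluate(entries, src):
    """First matching entry decides; an ACL with no match denies implicitly."""
    ip = ipaddress.IPv4Address(src)
    for action, source in entries:
        if ip in source:
            return action
    return "deny"


def denied_sources(entries, samples):
    """Return the subset of sample source addresses the ACL would drop inbound."""
    return [s for s in samples if evaluate(entries, s) == "deny"]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed sample source addresses as they might arrive on Ethernet0.
    samples = ["10.1.2.3", "8.8.8.8", "172.31.9.9", "172.32.0.1",
               "169.254.10.1", "224.0.0.5", "192.0.2.7", "203.0.113.9"]
    for src in samples:
        print(f"{src:>14}  {evaluate(acl, src)}")
```

Feeding it the full ACL from show auto secure config (pasted into SAMPLE_ACL) lets you spot a legitimate customer prefix that the stale IANA list would drop before you apply the filter to the public interface.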

NOTE

I have not discussed many features here that AutoSecure configures for you, including CBAC, CEF, ACLs, and others. These are covered in later chapters in much more depth.


Verifying AutoSecure's Configuration

When you have implemented AutoSecure, you can view the commands that AutoSecure generated with the following command:

Router# show auto secure config

This is the same display shown in Step 16 of the previous demonstration. Note that to execute the show auto secure config command, you must be in privileged EXEC mode.

Using Additional Commands

Two additional commands are a part of AutoSecure:

Router(config)# security passwords min-length length

Router(config)# security authentication failure rate #_of_failures log


The security passwords min-length command specifies the minimum length that passwords must be; this allows you to ensure that passwords are not short, making them more secure and preventing common passwords such as cisco and admin. The default is a minimum length of six characters. If you do not configure a password of the minimum required length, you will see a message like the one in Example 4-23.

Example 4-23. AutoSecure Can Force Passwords to Be a Minimum Length

Bullmastiff(config)# username natalie secret cisco
% Password too short - must be at least 6 characters.
     Password configuration failed


The security authentication failure rate command specifies the maximum number of failed authentication attempts before the router stops any subsequent authentication requests; the router pauses for 15 seconds and then processes new authentication requests. The default threshold for this command is 10 attempts. This is a very useful command in preventing brute force password-guessing attacks.