In today’s complex network environments, securing your routers can be a daunting task, especially when so many CLI commands and parameters carry different security implications for your Cisco router.

Thankfully, since Cisco IOS version 12.3, Cisco has provided an easy way for administrators to lock down a Cisco router without entering complex commands and parameters. This feature was introduced to remove the complexity of the task and to ensure the lock-down is performed according to Cisco’s best security practices.

The Cisco AutoSecure feature is available in all IOS versions 12.3 and above and is supported on all hardware platforms, including all newer Cisco 870, 880, 1800, 1900, 2800, 2900, 3800 and 3900 series routers.

To maximize flexibility, the Cisco AutoSecure command supports two different modes, depending on how much control you need:

AutoSecure Interactive Mode: This mode prompts the user with options to enable/disable services and other security features supported by the IOS version the router is running.

AutoSecure Non-Interactive Mode: Automatically executes the Cisco AutoSecure command using the recommended Cisco default settings (Cisco’s best security practices).

The Cisco AutoSecure Interactive mode provides greater control over security-related features than the non-interactive mode. However, when an administrator needs to quickly secure a router without much human intervention, the non-interactive mode is appropriate.

We’ll examine the practical difference between the two modes soon. For now, let’s take a look at the functions Cisco AutoSecure performs:

1. Disables the following global services:

Finger
PAD
Small servers
Bootp
HTTP service
Identification service
CDP
NTP
Source routing

2. Enables the following global services:

Password-encryption service
Tuning of scheduler interval/allocation
TCP synwait-time
TCP keepalives-in and tcp-keepalives-out
SPD configuration
No ip unreachables for null 0

3. Disables the following services per interface:

ICMP redirects
Proxy-ARP
Directed broadcast
MOP service
ICMP unreachables
ICMP mask reply messages

4. Provides logging for security:

Enables sequence numbers and timestamps
Provides a console log
Sets the logging buffer size
Provides an interactive dialogue to configure the logging server IP address

5. Secures access to the router:

Checks for a banner and provides a facility to add text; automatically configures:
Login and password
Transport input and output
Exec-timeout
Local AAA
SSH timeout and SSH authentication-retries to the minimum number
Enables only SSH and SCP for access and file transfer to/from the router
Disables SNMP if it is not being used

6. Secures the forwarding plane:

Enables Cisco Express Forwarding (CEF) or distributed CEF on the router, when available
Anti-spoofing
Blocks all IANA reserved IP address blocks
Blocks private address blocks if the customer desires
Installs a default route to Null0, if a default route is not being used
Configures TCP intercept for connection-timeout, if the TCP intercept feature is available and the user is interested
Starts interactive configuration for CBAC on interfaces facing the Internet, when using a Cisco IOS Firewall image
Enables NetFlow on software forwarding platforms

Clearly, Cisco AutoSecure does a lot more than execute a couple of commands.
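Because AutoSecure only runs once, it is worth being able to verify later that the hardening it applied is still present in the running configuration. The following Python script is an added example, not code from the article or from Cisco: it parses IOS configuration text in the layout `show running-config` prints (sub-commands indented by one space, sections separated by `!`), reports which of the global and per-interface commands from AutoSecure's generated configuration are missing, and flags any VTY line whose `transport input` still includes telnet. The sample configuration is constructed from the article's own generated output, with `no ip http server` and two per-interface commands deliberately removed so the audit has something to report.

```python
"""Audit an IOS configuration for the commands AutoSecure generates.

Added example (not the article's or Cisco's code). Expects the layout
`show running-config` prints: sub-commands indented by one space,
sections separated by '!'. Sample config below is constructed.
"""

# Global commands taken from the article's generated configuration.
GLOBAL_EXPECTED = [
    "no service finger",
    "no service pad",
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no cdp run",
    "no ip bootp server",
    "no ip http server",
    "no ip source-route",
    "no ip identd",
]

# Per-interface commands AutoSecure applies to every interface.
INTERFACE_EXPECTED = [
    "no ip redirects",
    "no ip proxy-arp",
    "no ip unreachables",
    "no ip directed-broadcast",
    "no ip mask-reply",
]

# Constructed sample: the article's output with 'no ip http server' and two
# FastEthernet0/1 sub-commands deliberately removed.
SAMPLE_CONFIG = """\
no service finger
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip source-route
no ip identd
!
line vty 0 15
 login authentication local_auth
 transport input telnet
!
login block-for 15 attempts 3 within 20
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 ip verify unicast source reachable-via rx allow-default 101
!
"""


def parse_config(text):
    """Return (global_cmds, sections); sections maps a header such as
    'interface FastEthernet0/1' or 'line vty 0 15' to its sub-commands."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None              # '!' or a blank line ends a section
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
        elif stripped.split()[0] in ("interface", "line"):
            current = stripped
            sections.setdefault(current, [])
        else:
            current = None
            global_cmds.append(stripped)
    return global_cmds, sections


def audit(config_text):
    """Return missing global commands, per-interface gaps and VTY lines
    whose transport input still includes telnet."""
    global_cmds, sections = parse_config(config_text)
    findings = {
        "missing_global": [c for c in GLOBAL_EXPECTED if c not in global_cmds],
        "interface_gaps": {},
        "telnet_vty": [],
    }
    for header, cmds in sections.items():
        if header.startswith("interface "):
            missing = [c for c in INTERFACE_EXPECTED if c not in cmds]
            if missing:
                findings["interface_gaps"][header] = missing
        elif header.startswith("line vty") and any(
                c.startswith("transport input") and "telnet" in c.split()
                for c in cmds):
            findings["telnet_vty"].append(header)
    return findings


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, "->", value)
```

Feed it the output of `show running-config` saved to a file and the report tells you which AutoSecure settings someone has since removed; the telnet check matters because, as the interactive session later in this article shows, declining the SSH prompt leaves `transport input telnet` on the VTY lines.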

Configuring Cisco AutoSecure Interactive Mode

This is the recommended mode for securing your Cisco router. In Interactive Mode, the router prompts you with a number of questions about the current topology: how it is connected to the Internet, which interface faces the Internet, and so on. This information is essential because AutoSecure uses it to lock down the router and disable services according to Cisco’s best security practices.

Below is the command that starts the AutoSecure Interactive mode. You can abort the session at any time by pressing Ctrl-C, or press ? at any prompt for help:

auto secure



--- AutoSecure Configuration ---



*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***



AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed

explanation of how the configuration changes enhance security

and any possible side effects, please refer to Cisco.com for

Autosecure documentation.



At any prompt you may enter '?' for help.

Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes

Enter the number of interfaces facing the internet [1]: 1

Interface         IP-Address       OK? Method Status  Protocol
FastEthernet0/0   10.0.0.100       YES NVRAM  up      up
FastEthernet0/1   192.168.151.10   YES NVRAM  up      up
NVI0              10.0.0.100       YES unset  up      up

Enter the interface name that is facing the internet: FastEthernet0/1

Securing Management plane services...

Disabling service finger

Disabling service pad

Disabling udp & tcp small servers

Enabling service password encryption

Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out

Disabling the cdp protocol

Disabling the bootp server

Disabling the http server

Disabling the finger service

Disabling source routing

Disabling gratuitous arp

Configure NTP Authentication? [yes]: no



Enter the new enable password: *****

% Invalid Password length - must contain 6 to 25 characters. Password configuration failed

Enter the new enable password: **********

Confirm the enable password: **********



Configuring AAA local authentication

Configuring Console, Aux and VTY lines for

local authentication, exec-timeout, and transport

Securing device against Login Attacks

Configure the following parameters

Blocking Period when Login Attack detected: 15

Maximum Login failures with the device: 3

Maximum time period for crossing the failed login attempts: 20

Configure SSH server? [yes]: no



Configuring interface specific AutoSecure services



Disabling the following ip services on all interfaces:

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply



Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling unicast rpf on all interfaces connected to internet



Configure CBAC Firewall feature? [yes/no]: yes



This is the configuration generated:



no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption

service tcp-keepalives-in

service tcp-keepalives-out

no cdp run

no ip bootp server

no ip http server

no ip finger

no ip source-route

no ip gratuitous-arps

no ip identd

security passwords min-length 6

security authentication failure rate 10 log

enable password 7 11584B5643475D

aaa new-model

aaa authentication login local_auth local



line con 0

login authentication local_auth

exec-timeout 5 0

transport output telnet



line aux 0

login authentication local_auth

exec-timeout 10 0

transport output telnet



line vty 0 15

login authentication local_auth

transport input telnet



line tty 1

login authentication local_auth

exec-timeout 15 0



login block-for 15 attempts 3 within 20

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

logging facility local2

logging trap debugging

service sequence-numbers

logging console critical

logging buffered



interface FastEthernet0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

no mop enabled



interface FastEthernet0/1

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

no mop enabled

access-list 101 permit udp any any eq bootpc



interface FastEthernet0/1

ip verify unicast source reachable-via rx allow-default 101

ip inspect audit-trail

ip inspect dns-timeout 7

ip inspect tcp idle-time 14400

ip inspect udp idle-time 1800

ip inspect name autosec_inspect cuseeme timeout 3600

ip inspect name autosec_inspect ftp timeout 3600

ip inspect name autosec_inspect http timeout 3600

ip inspect name autosec_inspect rcmd timeout 3600

ip inspect name autosec_inspect realaudio timeout 3600

ip inspect name autosec_inspect smtp timeout 3600

ip inspect name autosec_inspect tftp timeout 30

ip inspect name autosec_inspect udp timeout 15

ip inspect name autosec_inspect tcp timeout 3600



ip access-list extended autosec_firewall_acl

permit udp any any eq bootpc

deny ip any any



interface FastEthernet0/1

ip inspect autosec_inspect out

ip access-group autosec_firewall_acl in

!

end



Apply this configuration to running-config? [yes]: yes



Applying the config generated to running-config


Notice that the router rejected the initial enable password because it did not meet the password security requirements (6 to 25 characters). Also note that, since we answered no to the Configure SSH server? prompt, the generated configuration keeps transport input telnet on the VTY lines.

If at any point you would like to review the configuration changes made by the Cisco AutoSecure feature before saving them, use the show auto secure config command:

show auto secure config

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
enable password 7 11584B5643475D
aaa new-model
aaa authentication login local_auth local
line con 0
login authentication local_auth
exec-timeout 5 0
transport output telnet
line aux 0
login authentication local_auth
exec-timeout 10 0
transport output telnet
line vty 0 15
login authentication local_auth
transport input telnet
line tty 1
login authentication local_auth
exec-timeout 15 0
login block-for 15 attempts 3 within 20
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
interface FastEthernet0/1
no ip redirects
no ip proxy-arp
no ip unreachables
no ip directed-broadcast
no ip mask-reply
no mop enabled
!
access-list 101 permit udp any any eq bootpc
interface FastEthernet0/1
ip verify unicast source reachable-via rx allow-default 101
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/1
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
R1#
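The three numbers AutoSecure asked for during the session (blocking period 15, maximum login failures 3, time period 20) end up in the single line login block-for 15 attempts 3 within 20 in the configuration above. To make their interaction concrete, here is an added Python model, not code from the article or from Cisco: it parses that command, keeps a sliding window of failed-login timestamps, and enters a quiet period once the threshold is crossed. The failure timestamps are constructed, only failed attempts are modelled, and treating a failure exactly `within` seconds old as still inside the window is an assumption of the model rather than documented IOS behaviour.

```python
"""Model the login-attack quiet mode configured by 'login block-for'.

Added example (not the article's or Cisco's code). Models only failed
logins; window boundary handling is an assumption of this model.
"""
import re
from collections import deque

BLOCK_FOR_RE = re.compile(r"login block-for (\d+) attempts (\d+) within (\d+)")


def parse_block_for(config_line):
    """Return (block_seconds, attempts, within_seconds) from the IOS command."""
    m = BLOCK_FOR_RE.fullmatch(config_line.strip())
    if m is None:
        raise ValueError("not a 'login block-for' command: %r" % config_line)
    return tuple(int(g) for g in m.groups())


class LoginGuard:
    """Sliding-window failure counter with a quiet-mode timer."""

    def __init__(self, block_for, attempts, within):
        self.block_for, self.attempts, self.within = block_for, attempts, within
        self.failures = deque()     # timestamps of recent failed attempts
        self.quiet_until = None     # time at which quiet mode ends

    def failed_login(self, t):
        """Record a failed login at time t (seconds) and return what the
        device does: 'blocked' (quiet mode active), 'rejected' (ordinary
        failure) or 'quiet-mode-entered' (threshold just crossed)."""
        if self.quiet_until is not None:
            if t < self.quiet_until:
                return "blocked"
            self.quiet_until = None  # quiet period over; count afresh
        self.failures.append(t)
        while t - self.failures[0] > self.within:
            self.failures.popleft()  # drop failures outside the window
        if len(self.failures) >= self.attempts:
            self.failures.clear()
            self.quiet_until = t + self.block_for
            return "quiet-mode-entered"
        return "rejected"


def replay(config_line, failure_times):
    """Run a list of failure timestamps through a guard built from config_line."""
    guard = LoginGuard(*parse_block_for(config_line))
    return [guard.failed_login(t) for t in failure_times]


if __name__ == "__main__":
    line = "login block-for 15 attempts 3 within 20"
    # constructed burst: three failures in 10 s, one more during quiet mode,
    # then one after the 15 s quiet period has expired
    print(replay(line, [0, 5, 10, 20, 26]))
    # constructed slow trickle: never three failures inside any 20 s window
    print(replay(line, [0, 25, 50, 75]))
```

The burst shows why the blocking period matters for your own access as much as for an attacker's: while quiet mode is active the device refuses every login on those lines, so on a real router pair this command with a login quiet-mode access-class ACL that still admits your management stations.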







Configuring Cisco AutoSecure Non-Interactive Mode

The Non-interactive mode of Cisco’s AutoSecure is more of an ‘express’ setup feature, bypassing any user input and quickly securing the router using Cisco’s best security practices. Think of it as a quick-and-dirty lockdown mode!

Run the Non-Interactive AutoSecure mode by entering the auto secure no-interact command as shown below. The router displays some information and then configures itself without further prompts:

R1# auto secure no-interact

Below is the expected output once the auto secure no-interact command is executed. Note that the configuration it generates contains none of the enable password, AAA, line or login-blocking commands that the interactive session prompted for:

--- AutoSecure Configuration ---



*** AutoSecure configuration enhances the security of

the router, but it will not make it absolutely resistant

to all security attacks ***



AutoSecure will modify the configuration of your device.

All configuration changes will be shown. For a detailed

explanation of how the configuration changes enhance security

and any possible side effects, please refer to Cisco.com for

Autosecure documentation.



Securing Management plane services...



Disabling service finger

Disabling service pad

Disabling udp & tcp small servers

Enabling service password encryption

Enabling service tcp-keepalives-in

Enabling service tcp-keepalives-out

Disabling the cdp protocol



Disabling the bootp server

Disabling the http server

Disabling the finger service

Disabling source routing

Disabling gratuitous arp



Configuring interface specific AutoSecure services

Disabling the following ip services on all interfaces:



no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

Disabling mop on Ethernet interfaces



Securing Forwarding plane services...





This is the configuration generated:



no service finger

no service pad

no service udp-small-servers

no service tcp-small-servers

service password-encryption

service tcp-keepalives-in

service tcp-keepalives-out

no cdp run

no ip bootp server

no ip http server

no ip finger

no ip source-route

no ip gratuitous-arps

no ip identd

security passwords min-length 6

security authentication failure rate 10 log

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

logging facility local2

logging trap debugging

service sequence-numbers

logging console critical

logging buffered

interface FastEthernet0/0

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

no mop enabled

interface FastEthernet0/1

no ip redirects

no ip proxy-arp

no ip unreachables

no ip directed-broadcast

no ip mask-reply

no mop enabled

!

end



Applying the config generated to running-config



R1#







Exploring Other Cisco AutoSecure Options

For those who like to explore all available options of the Cisco AutoSecure command, use the auto secure command followed by a question mark (?) as shown below:

R1# auto secure ?

firewall AutoSecure Firewall

forwarding Secure Forwarding Plane

full Interactive full session of AutoSecure

login AutoSecure Login

management Secure Management Plane

no-interact Non-interactive session of AutoSecure

ntp AutoSecure NTP

ssh AutoSecure SSH

tcp-intercept AutoSecure TCP Intercept





Trying out the different parameters and options will give you a greater understanding of how AutoSecure works and of the options it provides to help secure your network.



Using the Cisco AutoSecure feature to secure your router(s) is a very simple task and one that should not be neglected, even by experienced network engineers. With the use of such features, one can create a configuration template with all necessary basic security measures taken into account.

Cisco provides a number of features that can help make an engineer’s every-day life more secure and hassle-free. It’s to our advantage to make the best of everything offered!
