IINS 210-260

IINS 210-260

Device Hardening with Cisco Configuration Professional

You can do device hardening and test your router configuration by using the Security Audit Wizard. It'll help you locate potential security problems in your configuration. When it's done, the wizard will show you a screen that allows you to determine which security problems you want to fix. Once you determine that, the wizard will make the necessary changes in the router configuration and solve the problems with one-step lockdown. To do a security audit, from the feature bar, go to Configure > Security > Security Audit. Then click Perform Security Audit, the welcome page of the wizard will open.

CCP Security Audit

Continuing with the audit, click Next. The Security audit interface configuration page will open. Then input the data that will identify the router interfaces that connect to your inside network and the router interfaces of your outside network. For each listed interface, check either Inside or Outside to indicate where it's connecting to. Then click Next, the wizard tests your configuration to look for security vulnerabilities. The vulnerabilities are determined by Cisco best practices. A screen showing the progress will open, it'll list all the configuration options being tested and whether the current router configuration passes those tests. If you want to save this report to a file, click Save Report. When you're done, click Close. The Security Audit report card screen opens showing a list of possible security issues.

CCP Security Audit Report

Continuing on, check the Fix it checkbox next to any problems that you want the CCP to fix. To describe the problem and list the IOS commands that'd be added to configuration, click the problem description to display a help page, then click Next. The wizard may display one or more screens requiring input for certain problems. Enter the information as necessary. Then, click Next for each of those screens.

CCP Security Fixes

Finally, the Summary page of the wizard shows a list of all the configuration changes the security audit will make. Click Finish to implement those changes to your router. The CCP can't undo the security fix. If you wanted to remove the security configuration, run the Security Audit Wizard again. In the Report Card window, choose the option Undo security configurations and check the checkbox of any configuration that you want to undo. When you're done, click Next.

One-step lockdown

The One-step lockdown option tests your router configuration for potential security problems, and it'll automatically make the changes necessary to correct the problems that it discovers. This configuration is going to be compared against Cisco best practices similar to the Security Audit Wizard. However, this time, the changes are made automatically and without prompting you to choose the components to fix. To do this, navigate to Configure > Security > Security Audit > One-Step Lockdown.

The One-step lockdown feature simplifies the hardening of your router by using the AutoSecure feature with a one-click option. To confirm the process, assuming the confirmation window, click to deliver the new settings. You can see here how the confirmation popup also shows how to roll back the new settings with the Security Audit feature as previously mentioned. You can also see here how the wizard lists the settings that are modified before offering the option to deliver them.

CCP One-step lockdown

Here we can see an example of the delta commands that are going to be delivered to our router after running the One-step lockdown feature:

aaa new-model
aaa authorization exec local_author local
aaa authentication login local_authen local
line vty 5 15
 login authentication local_authen
 authorization exec local_author
 exit
line vty 0 4
 login authentication local_authen
 authorization exec local_author
 exit
line con 0
 login authentication local_authen
 exit
line aux 0
 login authentication local_authen
 exit
no service pad
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no ip bootp server
no ip source-route
service sequence-numbers
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
scheduler allocate 4000 1000
ip tcp synwait-time 10
no cdp run
security authentication failure rate 3 log
security passwords min-length 6
ip ssh time-out 60
ip ssh authentication-retries 2
banner login ~Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
~
logging console critical
logging trap debugging
logging buffered 51200 debugging
interface FastEthernet0/1
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 no mop enabled
 exit
interface Null0
 exit
default interface Null0
interface Null0
 no ip unreachables
 exit
interface FastEthernet0/0
 no ip proxy-arp
 no ip redirects
 no ip unreachables
 ip route-cache flow
 no mop enabled
 exit

Caveats and guidelines

Keep in mind that the CCP Wizard will not implement certain Cisco AutoSecure features. For example, it will not disable NTP, it won't configure AAA – authentication, authorization, and accounting, it will not set SPD values – Selective Packet Discard. It will not enable TCP intercepts, and it won't configure antispoofing ACLs on the outside interfaces. Also, CCP will implement certain AutoSecure features differently as well. It'll disable SNMP but it won't configure SNMPv3 on some routers. It also enables and configures Secure Shell on cryptographic IOS images, but it won't enable SCP or disable other access and file transfer services, such as FTP.