Service provider takeaway: In this Channel Checklist, value-added resellers and systems integrators will learn the important objectives to keep in mind when configuring Cisco routers for security.
Value-added resellers (VARs) and systems integrators need to consider several factors during the configuration of their customers' network devices, including routers. Security should be among those considerations, in addition to the customer's business needs and the device's features. When configuring your customer's Cisco routers for security, keep these five primary objectives in mind.
|Cisco router configuration security checklist|
|Establish secure access|
|You need secure access to the box. This can be a challenge if you're administering the box long-term, in which case an authentication system like ACS with TACACS+ or RADIUS needs to be set up. (For help configuring these features on Cisco routers, search for "AAA".) In some cases, your customer may want you to configure the boxes but turn over management responsibilities. If this is the case, advise customers about secure access best practices and make sure they have such an authentication system, or propose adding one to the scope of your project.|
|Implement configuration control|
|Configuration control for routers is just as important as secure access; it allows both resellers and customers to know what was changed and who changed it. Regardless of who controls the customer's network device configurations -- you or the customer -- a configuration management system lets changes be tracked so that problems can be identified and downtime can be reduced if a network device crashes and needs to be restored.|
|Limit exposure to code exploits|
|Limiting exposure to all the various flavors of exploits -- such as the ever-popular buffer overflow -- means turning off all services that aren't required and will help secure the network device. Discuss requirements, including functions the router should perform, while consulting with the customer. If a function isn't on the list, turn off that feature on the routers. Not only does this keep customers from continually scope-creeping your project by asking you to configure a never-ending list of features, but it gives you a business basis for security policies.|
|Secure routing protocols|
|Protecting the functionality and availability of routers means securing the routing protocols the router uses to communicate with other routers and to make forwarding decisions.|
|Probably the easiest attack vector for IP networks is to inject bad routes into the network or to disrupt neighbor relationships to cause the routers to reconverge. You can prevent this by configuring the security features of the routing protocols. One such security feature allows routers to authenticate each other so that rogue routers can't participate by advertising routes or by fabricating spoofed packets that attempt to reset the connection.|
|This type of security feature is fairly straightforward. However, routing protocols usually need to be configured consistently across the entire network. Often, the scope of your project may only address a small portion of a customer's network. In such a case, you can either pitch additional business to apply the configurations throughout the network or clearly document that you and your customer discussed the exposure of leaving the routing protocols unsecured and decided to accept the risk.|
|Implement a patch management strategy|
|Most network device manufacturers release updates with security fixes on a fairly regular basis. If you're managing your customer's routers, you hopefully have patch management under control. However, if a customer chooses to do this themselves (which probably means it's not being done at all) then it could be a business opportunity. Consider sending customers a courtesy email to let them know when updates are available and whether or not the included fixes apply to their network. It will show customers you have something to offer and may result in follow-on work.|
About the author
Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years of experience in the networking industry. He is co-author of several books on networking, most recently, CCSP: Secure PIX and Secure VPN Study Guide, published by Sybex.