Cisco IOS Routers: Auto Secure

Auto Secure is good for small business or IT administrators that may know how to configure a router with networking protocols, setting up IP interfaces, and networks but really don’t have an understanding of the security aspect of the router. So what Cisco has done is implemented a script called Auto Secure.

Auto Secure is based on the questions you answer from the prompt usually “yes” or “no” answers. Sometimes the script wants a little more information depending on your network configuration. So there is some customization to fit your network needs but it is almost like a one-step lockdown.

So the first thing you will need is to get into the router in by entering user mode. Once their type the command enable and hit enter.

Router>enable

Now that you are in privilege EXEC mode type the two-word command auto secure and hit enter.

Router#auto secure

--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of
the router, but it will not make it absolutely resistant
to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed
explanation of how the configuration changes enhance security
and any possible side effects, please refer to Cisco.com for
Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Once you hit enter it will start the script and will look like something in the above code box. Here you can see that although Auto Secure is helpful in locking down your network it will not make it resistant to all network attacks. If you also notice that the Auto Secure script will modify the configuration of my device and could cause network issues. Reading further down and a feature that I like the best is that Auto Secure will show all configuration changes before it changes anything! So you could then research what each command does at Cisco.com or you could apply the configuration on the running-config, and see if there are any network problems. If there are you can simply reload the router and not save the configuration. What this does is wipe the entire Auto Secure configuration away and once the router reboots you are now left with the unsecured router. You can always hit ctrl-c to abort Auto Secure and hit the question mark key for additional information.

So the first thing the prompt asked me was this router connected to the internet? For the is example I will say yes and hit enter

Is this router connected to internet? [no]: yes

The next thing it asked me was how many interfaces are facing the internet? For this example I accept the default value which was 1

Enter the number of interfaces facing the internet [1]: 1

The next thing the Auto Secure prompt wanted was me to type the interface that was connected or facing the internet? For this example I typed the serial0/0/0 interface.

Interface              IP-Address      OK? Method Status                Protocol

FastEthernet0/0 unassigned YES unset administratively down down

FastEthernet0/1 unassigned YES unset administratively down down

Serial0/0/0 172.16.2.241 YES manual down down

Serial0/0/1 unassigned YES unset administratively down down

Vlan1 unassigned YES unset administratively down down

Enter the interface name that is facing the internet: serial0/0/0

It will then go and disable and enable some services like outputted below but only after you apply them at the end of the Auto Secure prompt.

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
**Output Omitted**

The next step Auto Secure wants me to do is type a security banner, which will show every time somebody ties to access device. This all depends on your network, for this example I just typed Authorized Access Only. (You will need a delimiter)

Enter the security banner {Put the banner between
k and k, where k is any character}:*Authorized Access Only*

The next Auto Secure will want is a secret password. This password must be at least six characters long, this password is also encrypted in MD5. It will also want an enable password which is not encrypted. (For older routers that may not support encryption) It also must be different from the secret password.

Enable secret is either not configured or
 is the same as enable password
Enter the new enable secret:
Enter the new enable password:

Auto Secure will want a local user database, so enter the username and password of the user.

Configuration of local user database
Enter the username: Username
Enter the password: password
Confirm the passord: password

Next Auto Secure will tell you that AAA will be enabled with local authentication, it will then want a blocking period when login attacks are detected, maximum login failures, and maximum time period for crossing the failed login attempts.

Blocking Period when Login Attack detected: #

Maximum Login failures with the device: #

Maximum time period for crossing the failed login attempts: #

Depending on your network you may want SSH on for this example I said yes. When setting up the SSH it wants a hostname, and a domain-name.

Configure SSH server? [yes]: yes

Enter the host name: {Router Name}
Enter the domain-name: {Yourdomain-name}

Depending on your network needs you may want a CBAC firewall. For this example we said yes. Now you will see the secure configuration generated you then could copy down the configuration and not apply it to the running-config and research what each command does. You could apply it to the running-config and then wait and see if any problems arise. If they do you can reload the router without saving the configuration you would then be back with an unsecured but configured router.

Configure CBAC Firewall feature? [yes/no]: yes

This is the configuration generated:
!
Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
**Output Omitted**

Apply this configuration to running-config? [yes]:

You can find more information about the Auto Secure feature at Cisco.com and I hope this tutorial was helpful.

Advertisements