Report Number: C4-040R-02

Router Security
Configuration Guide

Principles and guidance for secure configuration of IP routers,
with detailed instructions for Cisco Systems routers

Router Security Guidance Activity
of the
System and Network Attack Center (SNAC)

September 27, 2002

Version: 1.1

Authors:
Vanessa Antoine
Raymond Bongiorni
Anthony Borza
Patricia Bosmajian
Daniel Duesterhaus
Michael Dransfield
Brian Eppinger
Kevin Gallicchio
James Houser
Andrew Kim
Phyllis Lee
Tom Miller
David Opitz
Florence Richburg
Michael Wiacek
Mark Wilson
Neal Ziring

National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704

SNAC.Guides@nsa.gov

Microsoft Ex. 1022, p. 1
Microsoft v. Daedalus Blue
IPR2021-00832

Warnings

This document is only a guide to recommended security settings for Internet Protocol
(IP) routers, particularly routers running Cisco Systems Internet Operating System
(IOS) versions 11 and 12. It is not meant to replace well-designed policy or sound
judgment. This guide does not address site-specific configuration issues. Care must
be taken when implementing the security steps specified in this guide. Ensure that
all security steps and procedures chosen from this guide are thoroughly tested and
reviewed prior to imposing them on an operational network.

SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT
SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.

This document is current as of August, 2002. The most recent version of this
document may always be obtained through http://www.nsa.gov/.

Acknowledgements

The authors would like to acknowledge Daniel Duesterhaus, author of the original
NSA “Cisco Router Security Configuration Guide,” and the management and staff of
the Applications and Architectures division for their patience and assistance with the
development of this guide. Special thanks also go to Ray Bongiorni for quality
assurance and editorial work, and to Julie Martz for proof-reading and production
assistance. Additional contributors to the guide effort include Andrew Dorsett,
Charles Hall, Scott McKay, and Jeffrey Thomas. Thanks must also be given to the
dozens of professionals outside NSA who made suggestions for the improvement of
this document, especially George Jones, John Stewart, and Joshua Wright.

Trademark Information

Cisco, IOS, and CiscoSecure are registered trademarks of Cisco Systems, Inc. in the
USA and other countries. Windows 2000 is a registered trademark of Microsoft
Corporation in the USA and other countries. All other names are trademarks or
registered trademarks of their respective companies.

Revision History

1.0   First complete draft, extensive internal review.           Sep 2000
1.0b  Revised after review by Ray Bongiorni                      Oct 2000
1.0e  First release version.                                     Jan 2001
1.0f  Second release version: second pre-pub review              Mar 2001
1.0g  Third release version: incorporated external feedback.     Apr 2001
1.0h  Fourth release version; another QA review.                 Aug 2001
1.0j  Fifth release version.                                     Nov 2001
1.0k  Last release of 1.0, another pre-pub review.               Mar 2002
1.1   Major revision and expansion, another pre-pub review       Sep 2002

UNCLASSIFIED

Contents

Preface ..... 5

1. Introduction ..... 7
1.1. The Roles of Routers in Modern Networks ..... 7
1.2. Motivations for Providing Router Security Guidance ..... 9
1.3. Typographic and Diagrammatic Conventions Used in this Guide ..... 10
1.4. Structural Overview ..... 12

2. Background and Review ..... 15
2.1. Review of TCP/IP Networking ..... 15
2.2. TCP/IP and the OSI Model ..... 17
2.3. Review of IP Routing and IP Architectures ..... 19
2.4. Basic Router Functional Architecture ..... 24
2.5. Review of Router-Relevant Protocols and Layers ..... 27
2.6. Quick “Review” of Attacks on Routers ..... 29
2.7. References ..... 30

3. Router Security Principles and Goals ..... 33
3.1. Protecting the Router Itself ..... 33
3.2. Protecting the Network with the Router ..... 34
3.3. Managing the Router ..... 42
3.4. Security Policy for Routers ..... 45
3.5. References ..... 50

4. Implementing Security on Cisco Routers ..... 53
4.1. Router Access Security ..... 54
4.2. Router Network Service Security ..... 69
4.3. Access Control Lists, Filtering, and Rate Limiting ..... 81
4.4. Routing and Routing Protocols ..... 98
4.5. Audit and Management ..... 126
4.6. Security for Router Network Access Services ..... 162
4.7. Collected References ..... 189

5. Advanced Security Services ..... 191
5.1. Role of the Router in Inter-Network Security ..... 191
5.2. IP Network Security ..... 192
5.3. Using SSH for Remote Administration Security ..... 214
5.4. Using a Cisco Router as a Firewall ..... 219
5.5. Cisco IOS Intrusion Detection ..... 228
5.6. References ..... 234

6. Testing and Security Validation ..... 237
6.1. Principles for Router Security Testing ..... 237
6.2. Testing Tools ..... 237
6.3. Testing and Security Analysis Techniques ..... 238
6.4. Using the Router Audit Tool ..... 245
6.5. References ..... 247

7. Additional Issues in Router Security ..... 249
7.1. Routing and Switching ..... 249
7.2. ATM and IP Routing ..... 251
7.3. Multi-Protocol Label Switching (MPLS) ..... 252
7.4. IPSec and Dynamic Virtual Private Networks ..... 253
7.5. Tunneling Protocols and Virtual Network Applications ..... 254
7.6. IP Quality of Service (QoS) and RSVP ..... 255
7.7. Secure DNS ..... 256
7.8. References ..... 257

8. Appendices ..... 259
8.1. Top Ways to Quickly Improve the Security of a Cisco Router ..... 259
8.2. Application to Ethernet Switches and Related Non-Router Network Hardware ..... 265
8.3. Overview of Cisco IOS Versions and Releases ..... 268
8.4. Glossary of Router Security-related Terms ..... 274

9. Additional Resources ..... 281
9.1. Bibliography ..... 281
9.2. Web Site References ..... 284
9.3. Tool References ..... 286

Index ..... 289

Preface

Routers direct and control much of the data flowing across computer networks. This
guide provides technical guidance intended to help network administrators and
security officers improve the security of their networks. Using the information
presented here, you can configure your routers to control access, resist attacks, shield
other network components, and even protect the integrity and confidentiality of
network traffic.

This guide was developed in response to numerous questions and requests for
assistance received by the NSA System and Network Attack Center (SNAC). The
topics covered in the guide were selected on the basis of customer interest,
community consensus, and the SNAC’s background in securing networks.

The goal for this guide is a simple one: improve the security provided by routers on
US Government operational networks.

Who Should Use This Guide

Network administrators and network security officers are the primary audience for
this configuration guide; throughout the text the familiar pronoun “you” is used for
guidance directed specifically to them. Most network administrators are responsible
for managing the connections within their networks, and between their network and
various other networks. Network security officers are usually responsible for
selecting and deploying the assurance measures applied to their networks. For this
audience, this guide provides security goals and guidance, along with specific
examples of configuring Cisco routers to meet those goals.

Firewall administrators are another intended audience for this guide. Often, firewalls
are employed in conjunction with filtering routers; the overall perimeter security of
an enclave benefits when the configurations of the firewall and router are
complementary. While this guide does not discuss general firewall topics in any
depth, it does provide information that firewall administrators need to configure their
routers to actively support their perimeter security policies. Section 5 includes
information on using the firewall features of the Cisco Integrated Security facility.

Information System Security Engineers (ISSEs) may also find this guide useful.
Using it, an ISSE can gain greater familiarity with security services that routers can
provide, and use that knowledge to incorporate routers more effectively into the
secure network configurations that they design.

Sections 4, 5, and 6 of this guide are designed for use with routers made by Cisco
Systems, and running Cisco’s IOS software. The descriptions and examples in those
sections were written with the assumption that the reader is familiar with basic Cisco
router operations and command syntax.

Feedback

This guide was created by a team of individuals in the System and Network Attack
Center (SNAC), which is part of the NSA Information Assurance Directorate. The
editor was Neal Ziring. Comments and feedback about this guide may be directed to
the SNAC (Attn: Neal Ziring), Suite 6704, National Security Agency, Ft. Meade,
MD, 20755-6704, or via e-mail to SNAC.Guides@nsa.gov.

4.3. Access Control Lists, Filtering, and Rate Limiting

Cisco IOS uses access lists to separate data traffic into that which it will process
(permitted packets) and that which it will not process (denied packets). Secure
configuration of Cisco routers makes very heavy use of access lists, for restricting
access to services on the router itself, for filtering traffic passing through the
router, and for other packet identification tasks. This section gives a moderately
detailed description of access list syntax, with some extensive examples.

4.3.1. Concepts

Access lists on Cisco routers provide packet selection and filtering capabilities. An
access list consists of one or more rules. For IP traffic, there are two types of access
lists available: standard and extended. Standard access lists only allow source IP
address filtering. Extended access lists can permit or deny packets based on their
protocols, source or destination IP addresses, source or destination TCP/UDP ports,
or ICMP or IGMP message types. Extended access lists also support selective
logging. Both standard and extended IP access lists can be applied to router
interfaces, vty lines (for remote access), IPSec, routing protocols, and many router
features. Only standard IP access lists can be applied to SNMP.

Syntax

The basic structure for an access list rule is shown below.

access-list list-number {deny | permit} condition

The access list number tells Cisco IOS which access list the rule should be a part of,
and what kind of access list it is. The condition field, which is different for each kind
of access list, specifies which packets match the rule. Conditions typically involve
protocol information and addresses, but do not involve application-level information.

The following is the syntax for a statement (rule) in a standard IP access list:

access-list list-number {deny | permit} source [source-wildcard] [log]

where
list-number is the number of the access list and can be any decimal
number from 1 to 99.
deny denies access if the condition is matched.
permit permits access if the condition is matched.
source is the IP address of the network or host from which the packet
is being sent.
source-wildcard is the wildcard bits to be applied to the source.

[Figure 4-2 (diagram not reproduced): router East with interface Eth0 (14.1.1.20)
on the 14.1.0.0/16 network and interface Eth1 (14.2.6.250) on the 14.2.6.0/24
network. Each interface has an inbound access list and an outbound access list.
Packets that a list denies go to the trash; packets it permits pass on to the routing
fabric and out through the other interface.]

Figure 4-2: Conceptual Model for Access Lists on Interfaces

Use the log keyword at the end of each deny statement in each extended access list,
as shown in the example below. This feature will provide valuable information
about what types of packets are being denied. Logs of denied packets can be useful
for detection and analysis of probes and attacks against a network. Log messages
generated by access lists are at log level 6 ‘Informational’. Access list log messages
always include the access list number, which is usually sufficient to identify the
provenance of the traffic. If you might apply the same access list to more than one
interface, then use the qualifier log-input instead of log.

East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 102 deny ip any any log-input

Add the following statements at the end of each extended IP access list to deny and to
log any packets that are not permitted. These statements include the entire port
ranges for TCP and UDP explicitly. This will guarantee that the router will log the
values for the source and destination ports for TCP and UDP traffic.

East(config)# access-list 100 deny tcp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny udp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny ip any any log
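
The value of these deny logs comes from summarising them rather than reading them
one line at a time. The Python script below is an added example, not part of this guide
and not Cisco code: it parses the level 6 access-list messages described above, counts
denied packets per list and per source, and flags sources that were denied on several
destination ports. The exact message layout (%SEC-6-IPACCESSLOGP: list N denied
proto src(port) -> dst(port), n packets, with the receiving interface and MAC address in
parentheses when log-input is used) is an assumption modelled on IOS syslog output,
and every log line is constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (no real traffic). The message shape is an
# assumption about IOS IPACCESSLOG output; the guide itself does not show it.
# The list 102 line shows the log-input form, which adds the receiving
# interface and source MAC address in parentheses after the source.
SAMPLE_LOG = """\
Sep 27 10:01:02 East 1205: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(44123) -> 14.2.6.10(23), 1 packet
Sep 27 10:01:03 East 1206: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.0.0.5(44124) -> 14.2.6.10(22), 1 packet
Sep 27 10:01:05 East 1207: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.0.2.9 -> 14.2.6.1 (8/0), 1 packet
Sep 27 10:01:09 East 1208: %SEC-6-IPACCESSLOGP: list 102 denied udp 14.2.6.0(0) (Ethernet1 0010.7b3c.1234) -> 14.1.1.20(161), 3 packets
Sep 27 10:01:10 East 1209: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 14.2.6.10(1025) -> 14.1.1.20(25), 1 packet
"""

# One pattern covers the TCP/UDP form (ports in parentheses), the ICMP form
# (type/code after the destination) and the optional log-input interface/MAC.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>\d+(?:\.\d+){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+(?:\.\d+){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per recognised access-list log message."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if m:
            ev = m.groupdict()
            ev["count"] = int(ev["count"])
            events.append(ev)
    return events


def summarize_denies(events):
    """Denied packet counts per access list number and per source address."""
    by_list, by_src = Counter(), Counter()
    for ev in events:
        if ev["action"] != "denied":
            continue
        by_list[ev["acl"]] += ev["count"]
        by_src[ev["src"]] += ev["count"]
    return {"by_list": dict(by_list), "by_source": dict(by_src)}


def scanning_sources(events, min_ports=2):
    """Sources denied on at least `min_ports` distinct TCP/UDP destination ports,
    the pattern of a port probe that the guide says these logs help detect."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "denied" and ev["proto"] in ("tcp", "udp") and ev["dport"]:
            ports[ev["src"]].add(ev["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    evs = parse_acl_log(SAMPLE_LOG)
    print(summarize_denies(evs))
    print("possible port probe from:", scanning_sources(evs))
```

Because the list number is always present, by_list tells you which interface and
direction produced the denial even when log-input was not used; the per-source and
port counts are what you would feed into a watch list or an intrusion detection alert.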

Finally, due to limited editing capability on the Cisco router, you cannot easily
modify access lists. Thus, whenever you need to change an access list, it is best to

Routing Service

Communications between routers for routing table updates involve routing protocols.
These updates provide directions to a router on which way traffic should be routed.
You can use access lists to restrict what routes the router will accept (in) or advertise
(out) via some routing protocols. The distribute-list acl-num out command
is used to restrict routes that get distributed in routing updates, while the
distribute-list acl-num in command may be used to filter routes that
will be accepted from incoming routing updates.

The following example shows the configuration of a standard IP access list applied
with the EIGRP routing protocol. With the access list applied, router South will not
advertise routes to the 14.2.10.0 network.

South(config)# access-list 10 deny 14.2.10.0 0.0.0.255
South(config)# access-list 10 permit any
South(config)# router eigrp 100
South(config-router)# distribute-list 10 out
South(config-router)# end
South#

Access lists can be used for general filtering of routing updates with distance-vector
routing protocols like RIP, EIGRP, and BGP. With link-state routing protocols like
OSPF, access lists can be used only for some specialized kinds of filtering. For more
information about this topic, see Section 4.4.

4.3.3. Filtering Traffic through the Router

The following examples illustrate methods to protect the router or the internal
network from attacks. Note: these separate examples should not be combined into
one access list because the result would contain contradictions. In the next section an
example configuration file is presented that shows one way to combine these
methods into access lists. Refer to the network diagram in Figure 4-1 to understand
the example interfaces, their IP addresses and the corresponding access lists.

IP Address Spoof Protection

The filtering suggestions in this sub-section are applicable to border routers, and most
interior routers. With backbone routers, it is not always feasible to define ‘inbound’
and ‘outbound’.

Inbound Traffic

Do not allow any inbound IP packet that contains an IP address from the internal
network (e.g., 14.2.6.0), any local host address (127.0.0.0/8), the link-local DHCP
default network (169.254.0.0/16), the documentation/test network (192.0.2.0/24), or
any reserved private addresses (refer to RFC 1918) in the source field. Also, if your
network does not need multicast traffic, then block the IP multicast address range
(224.0.0.0/4). Apply this access list to the external interface of the router, as shown
in the transcript below.
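
To check such a list before applying it to a live interface, it helps to have a model of
how IOS evaluates it. The Python below is an added example, not code from this guide
or from Cisco IOS: it implements the access-list semantics described in Section 4.3.1
(rules tried in order, first match wins, an implicit deny at the end, addresses compared
through IOS wildcard masks, where a 1 bit means "don't care") and applies them both
to the anti-spoofing ingress filter described above and to the standard list 10 used as a
distribute-list in the Routing Service example. The list number 101, the closing permit
ip any any, the sample source addresses and the route prefixes are all choices made for
this example; TCP/UDP port qualifiers are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' is 0.0.0.0 255.255.255.255


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: bits set in `wild` are ignored in the comparison."""
    care = 0xFFFFFFFF ^ _ip(wild)
    return (_ip(addr) & care) == (_ip(net) & care)


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every protocol; tcp/udp/icmp only their own
    src: Tuple[str, str] = ANY   # (address, wildcard)
    dst: Tuple[str, str] = ANY
    log: bool = False


def _addr(tok: List[str]) -> Tuple[str, str]:
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' from the front of tok."""
    word = tok.pop(0)
    if word == "any":
        return ANY
    if word == "host":
        return (tok.pop(0), "0.0.0.0")
    if tok and tok[0].count(".") == 3 and tok[0][0].isdigit():
        return (word, tok.pop(0))
    return (word, "0.0.0.0")     # a bare address in a standard list means one host


def parse_rule(text: str) -> Tuple[int, Rule]:
    """Parse one 'access-list N {permit|deny} ...' line; 1-99 standard, else extended."""
    tok = text.split()
    if tok[0] != "access-list":
        raise ValueError("expected an access-list command: " + text)
    number, action = int(tok[1]), tok[2]
    log = tok[-1] in ("log", "log-input")
    rest = tok[3:-1] if log else tok[3:]
    if 1 <= number <= 99:
        return number, Rule(action, "ip", _addr(rest), ANY, log)
    proto = rest.pop(0)
    src = _addr(rest)
    dst = _addr(rest)
    return number, Rule(action, proto, src, dst, log)


class AccessList:
    """Ordered rules; first match wins; unlogged implicit deny at the end."""

    def __init__(self, number: int):
        self.number = number
        self.rules: List[Rule] = []

    def add(self, line: str) -> None:
        number, rule = parse_rule(line)
        if number != self.number:
            raise ValueError("rule belongs to list %d, not %d" % (number, self.number))
        self.rules.append(rule)

    def evaluate(self, src: str, dst: str = "0.0.0.0", proto: str = "ip"):
        """Return (action, index of the matching rule or None, whether it logs)."""
        for i, r in enumerate(self.rules):
            if r.proto != "ip" and r.proto != proto:
                continue
            if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
                return r.action, i, r.log
        return "deny", None, False


# Ingress anti-spoofing list built from the address ranges named in Section
# 4.3.3. The number 101 and the closing permit are choices for this example.
INGRESS = AccessList(101)
for _line in """
access-list 101 deny ip 14.2.6.0 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 15.255.255.255 any log
access-list 101 permit ip any any
""".strip().splitlines():
    INGRESS.add(_line)

# Standard list 10 from the Routing Service example, used as a distribute-list.
ROUTE_FILTER = AccessList(10)
ROUTE_FILTER.add("access-list 10 deny 14.2.10.0 0.0.0.255")
ROUTE_FILTER.add("access-list 10 permit any")


def advertised(acl: AccessList, prefixes: List[str]) -> List[str]:
    """Prefixes that survive 'distribute-list <acl> out': each prefix's network
    address is matched against the standard list's source field."""
    return [p for p in prefixes
            if acl.evaluate(str(ipaddress.ip_network(p).network_address))[0] == "permit"]


if __name__ == "__main__":
    for pkt in ("14.2.6.9", "10.3.4.5", "224.0.0.5", "14.1.1.20"):   # constructed sources
        print(pkt, INGRESS.evaluate(pkt, "14.2.6.10", "tcp"))
    print(advertised(ROUTE_FILTER, ["14.2.10.0/24", "14.2.6.0/24", "14.2.10.128/25"]))
```

Two points the model makes visible: a packet from 172.32.0.1 is permitted while one
from 172.31.255.1 is denied, because 0.15.255.255 covers exactly 172.16.0.0 to
172.31.255.255; and a list consisting only of permit statements still drops everything
else through the implicit deny, which produces no log entry, which is why the guide
asks for an explicit deny ... log at the end of every extended list.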

line vty 0 4
 access-class 150 in
 password 7 123456789012345678901234
 login
 transport input telnet

4.3.5. Turbo Access Control Lists

Some Cisco router models support compiled access control lists, called “Turbo
ACLs”, in IOS 12.1(6) and later. Using compiled access control lists can greatly
reduce the performance impact of long lists. To enable turbo access lists on a router,
use the configuration mode command access-list compiled. (If your IOS does
not support compiled access lists, the command will generate a harmless error
message.) Once this facility is enabled, IOS will automatically compile all suitable
access lists into fast lookup tables, while preserving their matching semantics. Once
you have enabled turbo access lists, you can view statistics about them using the
command show access-list compiled. If you apply access lists with more than
5 rules to high-speed interfaces, then you may employ this feature to improve
performance.

4.3.6. Using Committed Access Rate

Committed Access Rate (CAR) is a router service that gives administrators some
control over the general cross-section of traffic entering and leaving a router. By
allocating a specific amount of bandwidth to defined traffic aggregates, data passing
through the router can be manipulated to preserve fragile traffic, eliminate excessive
traffic, and limit spoofed traffic; however, the most important task that CAR can
perform is to mitigate the paralyzing effects of DoS attacks and flash crowds.

You can use CAR to reserve a portion of a link’s bandwidth for vital traffic, or to
limit the amount of bandwidth consumed by a particular kind of attack. In the latter
case, it may not be necessary to keep CAR rules in place at all times, but to be ready
to apply them quickly when you detect an attack in progress. This short section gives
an overview of CAR, and a few simple examples.

CAR Command Syntax

Configuring CAR requires you to apply rate limiting rules to each interface where
you enforce constraints on traffic or bandwidth usage. Each interface can have a
separate, ordered set of rules for the in-bound (receiving) and out-bound (sending)
directions. The general syntax for a CAR rule is shown below, somewhat simplified.

rate-limit {input | output} [access-group [rate-limit] acl]
           token-bit-rate burst-normal-size burst-excess-size
           conform-action action exceed-action action
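
To see what the three numeric parameters do to a traffic stream, here is an added
Python token-bucket model of one rate-limit statement. It is not Cisco's
implementation and is not part of this guide: token-bit-rate is treated as the refill rate,
burst-normal-size as the bucket depth in bytes, and burst-excess-size is approximated
by letting the bucket go into debt by at most burst-excess minus burst-normal bytes,
whereas IOS uses a compounded-debt calculation for extended burst, so the counts
are illustrative of the mechanism rather than of an exact IOS result. The optional
match predicate stands in for the access-group qualifier. Rates, burst sizes and the
packet trains are constructed for the example.

```python
class CarRule:
    """One rate-limit statement as a token bucket (simplified model, see lead-in).

    rate_bps      token-bit-rate: sustained rate in bits per second
    burst_normal  burst-normal-size: bucket depth in bytes
    burst_excess  burst-excess-size: the bucket may run into debt by up to
                  (burst_excess - burst_normal) bytes; IOS really uses a
                  probabilistic compounded-debt rule here
    match         optional predicate on the packet (the access-group qualifier);
                  packets it rejects are not rate limited at all
    """

    def __init__(self, rate_bps, burst_normal, burst_excess,
                 conform="transmit", exceed="drop", match=None):
        self.rate_bytes = rate_bps / 8.0
        self.burst_normal = burst_normal
        self.debt_limit = max(0, burst_excess - burst_normal)
        self.conform, self.exceed, self.match = conform, exceed, match
        self.tokens = float(burst_normal)     # the bucket starts full
        self.last = 0.0

    def packet(self, t, size, pkt=None):
        """Decide one packet of `size` bytes arriving at time t (seconds)."""
        if self.match is not None and not self.match(pkt):
            return "pass"                      # not selected by the access-group
        # Refill at the committed rate for the time elapsed, capped at burst-normal.
        self.tokens = min(self.burst_normal,
                          self.tokens + (t - self.last) * self.rate_bytes)
        self.last = t
        if self.tokens - size >= -self.debt_limit:
            self.tokens -= size                # conform (possibly using extended burst)
            return self.conform
        return self.exceed                     # exceed: no tokens are consumed


def simulate(rule, arrivals, pkt=None):
    """arrivals: iterable of (time_seconds, size_bytes). Returns (conform, exceed) counts."""
    actions = [rule.packet(t, size, pkt) for t, size in arrivals]
    return actions.count(rule.conform), actions.count(rule.exceed)


# Constructed scenarios around a rule of 256 kbit/s with an 8000 byte normal burst.
def flood_demo():
    """100 x 1000-byte packets 100 microseconds apart (roughly 80 Mbit/s)."""
    rule = CarRule(256000, 8000, 8000)
    return simulate(rule, [(i * 1e-4, 1000) for i in range(100)])


def extended_burst_demo():
    """The same flood with burst-excess 16000: a second burst is let through in debt."""
    rule = CarRule(256000, 8000, 16000)
    return simulate(rule, [(i * 1e-4, 1000) for i in range(100)])


def normal_traffic_demo():
    """20 x 500-byte packets every 40 ms (100 kbit/s) never exhaust the bucket."""
    rule = CarRule(256000, 8000, 8000)
    return simulate(rule, [(i * 0.04, 500) for i in range(20)])


def selective_demo():
    """Limit only ICMP, as an access-group would; TCP passes untouched."""
    rule = CarRule(256000, 8000, 8000, match=lambda p: p == "icmp")
    icmp = simulate(rule, [(i * 1e-4, 1000) for i in range(20)], pkt="icmp")
    tcp = simulate(rule, [(i * 1e-4, 1000) for i in range(20)], pkt="tcp")
    return icmp, tcp


if __name__ == "__main__":
    print("flood:", flood_demo(), "extended burst:", extended_burst_demo())
    print("normal:", normal_traffic_demo(), "icmp only:", selective_demo())
```

The flood case shows the DoS mitigation the guide describes: the first burst-normal
worth of bytes is transmitted and everything beyond the committed rate is dropped,
while legitimate traffic under the rate is never touched. Set burst-normal to what a
legitimate burst of the selected traffic looks like on your link, and keep the matching
access list narrow, or the rule will throttle the very traffic you want to protect.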