AutoSecure
AutoSecure is a relatively new security feature, introduced in IOS 12.3(1). It allows administrators to harden Cisco routers automatically by disabling non-essential IP services that are vulnerable to common network attacks and by enabling security features that mitigate such attacks. Cisco IOS release 12.3(8)T introduced Roll-Back and System Logging Message support for AutoSecure. Roll-Back enables a router to revert to its original configuration if the AutoSecure configuration fails. System Logging Message support provides a more detailed audit trail by logging changes to, or tampering with, the AutoSecure configuration.
AutoSecure is a command-line interface dialogue and works similarly to using setup to configure a router. Use the auto secure command in privileged exec mode to start AutoSecure. At the end of the dialogue, it will prompt you to apply the configuration to the running configuration. This means you have to save it to the startup configuration yourself.
AutoSecure focuses on securing the management plane and the forwarding plane. Securing the management plane involves turning off vulnerable global and interface services and turning on global services that help mitigate attacks. Additionally, the router is configured for secure access and secure logging. Following is an overview of the configuration changes involved in securing the management plane:
- Disable Global Services – Bootp server, CDP, Finger, HTTP server, Identification Service, NTP, PAD, Source Routing, and Small Servers services are disabled.
- Disable Per Interface Services – ICMP redirects, ICMP unreachables, ICMP mask reply messages, Proxy-ARP, Maintenance Operations Protocol (MOP), and IP Directed Broadcasts are disabled for all interfaces.
- Enable Global Services – Enables service password-encryption to ensure passwords cannot be read from the configuration, and enables TCP synwait-time, service tcp-keepalives-in and service tcp-keepalives-out to ensure abnormally ended TCP sessions are removed.
- Enable Secure Access – Prompts the user to create a deterrent banner text if a banner is not configured. Prompts the user for a login and password and configures them for the console, TTY, VTY, and AUX lines. Enables SSH and secure copy (SCP) if the IOS image supports it. By default, prompts the user to disable SNMP. Configures local AAA and prompts the user to configure a local username and password on the router.
- Enable Security Logging – Enables sequence numbers and timestamps for all debug and log messages, and allows Cisco Login Enhancement to log login events. Enables and configures logging severity levels for the TTY console, local buffers, and syslog servers.
Securing the forwarding plane involves the following depending on their availability on the router:
- Cisco Express Forwarding (CEF) is enabled if available. CEF is a faster forwarding method that helps mitigate SYN DoS attacks.
- The TCP intercept feature can be configured on the router for connection timeout.
- Unicast Reverse Path Forwarding (uRPF) can be configured on the router to help mitigate spoofing attacks. uRPF blocks all IP packets that do not have a verifiable IP source address.
- Context-based access control (CBAC) can be configured on public interfaces if the router has the firewall feature set installed.
- Configures access lists on public interfaces to discard all IANA reserved IP address blocks, private address blocks, multicast, and class E addresses as source addresses in order to prevent spoofing.
- Installs a default route to Null0, if a default route does not exist.
The Cisco AutoSecure White Paper provides more detailed information regarding the configuration changes and security implications of AutoSecure.
The complete syntax for the auto secure command is:
Router# auto secure [management | forwarding] [no-interact]
Specifying the optional management or forwarding keyword instructs AutoSecure to perform only the tasks related to the management or the forwarding plane. The no-interact option instructs AutoSecure to run in non-interactive mode, in which the user is not prompted to influence the configuration; the Cisco default configuration is applied instead.
AutoSecure configures a minimum password length of six characters. This affects user passwords, enable passwords and secrets, and line passwords. The minimum length can be increased by using the following command in global config mode:
Router(config)# security passwords min-length length
Configuring a password that does not meet the new requirement will fail, so it is good practice to configure appropriate passwords before setting the minimum password length.
AutoSecure also sets the number of allowable unsuccessful login attempts to 10. When this threshold is exceeded, a syslog entry will be generated. You can change this value by using the following command:
Router(config)# security authentication failure rate threshold-rate log
You can verify the AutoSecure configuration by using the following command in privileged exec mode:
Router# show auto secure config
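As an added example (not part of the original page or of Cisco's AutoSecure), the following Python script audits a saved running-config against the management-plane hardening items and the two password settings described above. The lists of expected IOS commands are an assumed subset of what AutoSecure applies, and the sample configuration is constructed.

```python
import re

# Assumed subset of the global and per-interface IOS commands that the AutoSecure
# management-plane pass leaves in the configuration (one command per service above).
GLOBAL_EXPECTED = ["no ip bootp server", "no cdp run", "no ip finger", "no ip http server",
                   "no service pad", "no ip source-route", "no service tcp-small-servers",
                   "no service udp-small-servers", "service password-encryption",
                   "service tcp-keepalives-in", "service tcp-keepalives-out"]
INTERFACE_EXPECTED = ["no ip redirects", "no ip unreachables", "no ip proxy-arp",
                      "no ip mask-reply", "no mop enabled", "no ip directed-broadcast"]

def parse_interfaces(config):  # map each 'interface X' stanza to its sub-commands
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return interfaces

def audit_config(config, min_pw_len=6, max_failures=10):
    """Report missing hardening commands and the password-length / login-failure
    settings found; the *_ok flags compare them with AutoSecure's defaults."""
    top = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    f = {"missing_global": [c for c in GLOBAL_EXPECTED if c not in top],
         "missing_interface": {n: [c for c in INTERFACE_EXPECTED if c not in cmds]
                               for n, cmds in parse_interfaces(config).items()
                               if set(INTERFACE_EXPECTED) - set(cmds)}}
    m = re.search(r"^security passwords min-length (\d+)$", config, re.M)
    f["min_length"] = int(m.group(1)) if m else None
    f["min_length_ok"] = bool(m) and f["min_length"] >= min_pw_len
    m = re.search(r"^security authentication failure rate (\d+) log$", config, re.M)
    f["failure_rate"] = int(m.group(1)) if m else None
    f["failure_rate_ok"] = bool(m) and f["failure_rate"] <= max_failures
    return f

# Constructed sample running-config, deliberately only partly hardened.
SAMPLE_CONFIG = """\
service password-encryption
no cdp run
no ip http server
security passwords min-length 4
security authentication failure rate 10 log
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
"""
```

Run audit_config on the text of show running-config to list what an AutoSecure pass would still have to change; a min_length below 6 or a failure_rate above 10 shows up as a False flag.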