This Command Line Interface (CLI) feature actually makes a Graphical User Interface (GUI) feature possible in the Cisco Security and Device Manager (SDM). That feature is the Cisco SDM Security Audit. This GUI-based applet has almost all of the functionality of the Cisco AutoSecure feature. The Security Audit tool can run in two modes – the Security Audit Wizard or the One-Step Lockdown mode. With the Wizard, vulnerabilities are checked for, and if discovered, the GUI provides the option of correcting them with a single click. The One-Step Lockdown configures the router with a predefined set of configurations without further user interaction.
AutoSecure itself is run from the command line, as noted above. It can run in Interactive Mode or Non-Interactive Mode depending on whether the optional keyword is given:
auto secure [no-interact]
Here is a look at the output of the feature when run in the Non-Interactive mode:
R1# auto secure no-interact
*** AutoSecure configuration enhances the security of the router,
but it will not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed explanation of how
the configuration changes enhance security and any possible side effects,
please refer to Cisco.com for Autosecure documentation.

Securing Management plane services...

Disabling service finger
Disabling service pad
Disabling udp & tcp small servers
Enabling service password encryption
Enabling service tcp-keepalives-in
Enabling service tcp-keepalives-out
Disabling the cdp protocol
Disabling the bootp server
Disabling the http server
Disabling the finger service
Disabling source routing
Disabling gratuitous arp

Configuring interface specific AutoSecure services
Disabling the following ip services on all interfaces:
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
Disabling mop on Ethernet interfaces

Securing Forwarding plane services...

Enabling CEF (This might impact the memory requirements for your platform)

This is the configuration generated:

no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
logging facility local2
logging trap debugging
service sequence-numbers
logging console critical
logging buffered
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
interface FastEthernet0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
interface Serial0/1
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
ip cef
!
end

Applying the config generated to running-config
R1#
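As an added example (not part of the original post and not a Cisco tool), the following Python script audits a saved running-config against the global and per-interface commands AutoSecure generated above and reports which hardening lines are missing; the sample configuration is constructed for the demonstration.

```python
# Global commands AutoSecure emits (taken from the generated configuration above).
REQUIRED_GLOBAL = [
    "no service finger", "no service pad", "no service udp-small-servers",
    "no service tcp-small-servers", "service password-encryption", "no cdp run",
    "no ip bootp server", "no ip http server", "no ip source-route",
    "no ip gratuitous-arps", "security passwords min-length 6", "ip cef",
]
# Interface-level commands AutoSecure applies under every interface.
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables",
                      "no ip directed-broadcast", "no ip mask-reply"]
# Constructed sample running-config, only partly hardened so the audit has findings.
SAMPLE_CONFIG = """\
service password-encryption
ip http server
!
interface FastEthernet0/0
 no ip redirects
 no ip proxy-arp
!
interface Serial0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
!
"""

def parse_config(text):
    global_cmds, interfaces, current = set(), {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith(" "):
            if current:                         # indented lines belong to the open block
                interfaces[current].add(stripped)
            continue
        current = stripped.split()[1] if stripped.startswith("interface ") else None
        if current:
            interfaces[current] = set()
        elif stripped and stripped != "!":
            global_cmds.add(stripped)
    return global_cmds, interfaces

def audit(text):
    # Return (missing global commands, {interface: missing interface commands}).
    global_cmds, interfaces = parse_config(text)
    missing_global = [c for c in REQUIRED_GLOBAL if c not in global_cmds]
    per_if = {n: [c for c in REQUIRED_INTERFACE if c not in cmds]
              for n, cmds in interfaces.items()}
    return missing_global, {n: m for n, m in per_if.items() if m}
```

Because `show running-config` omits settings that are at their default, feed the audit the output of `show running-config all` where the IOS release supports it, so that defaults such as a disabled finger service are not flagged as missing.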
The AutoSecure command can also be used to automate the deployment of just one security feature. For example, here I use the command to auto-configure only TCP Intercept:
R1# auto secure ?
  firewall       AutoSecure Firewall
  forwarding     Secure Forwarding Plane
  full           Interactive full session of AutoSecure
  login          AutoSecure Login
  management     Secure Management Plane
  no-interact    Non-interactive session of AutoSecure
  ntp            AutoSecure NTP
  ssh            AutoSecure SSH
  tcp-intercept  AutoSecure TCP Intercept
  <cr>

R1# auto secure tcp-intercept
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router,
but it will not make it absolutely resistant to all security attacks ***

AutoSecure will modify the configuration of your device.
All configuration changes will be shown. For a detailed explanation of how
the configuration changes enhance security and any possible side effects,
please refer to Cisco.com for Autosecure documentation.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.

Gathering information about the router for AutoSecure

Is this router connected to internet? [no]: yes
Enter the number of interfaces facing the internet [1]: 1

Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    unassigned      YES unset  administratively down down
Serial0/0          10.10.10.1      YES manual up                    up
FastEthernet0/1    unassigned      YES unset  administratively down down
Serial0/1          unassigned      YES unset  administratively down down

Enter the interface name that is facing the internet: serial0/0

Tcp intercept feature is used prevent tcp syn attack on the servers in the network.
Create autosec_tcp_intercept_list to form the list of servers to which the tcp traffic is to be observed
Enable tcp intercept feature? [yes/no]: yes

This is the configuration generated:

ip tcp intercept list autosec_tcp_intercept_list
ip tcp intercept drop-mode random
ip tcp intercept watch-timeout 15
ip tcp intercept connection-timeout 3600
ip tcp intercept max-incomplete low 450
ip tcp intercept max-incomplete high 550
!
end

Apply this configuration to running-config? [yes]: yes
Applying the config generated to running-config
command accepted, interfaces with mls configured might cause inconsistent behavior
command accepted, interfaces with mls configured might cause inconsistent behavior
command accepted, interfaces with mls configured might cause inconsistent behavior
command accepted, interfaces with mls configured might cause inconsistent behavior
command accepted, interfaces with mls configured might cause inconsistent behavior
command accepted, interfaces with mls configured might cause inconsistent behavior
R1#
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Tags: CCIE R&S 4.0, CCIE Security 3.0
I remember playing with this back in the ISCW CCNP days but I kind of just forgot about it! Thanks for the refresher!