90+% of Cisco router administrators are CLI jockeys, myself included. However, there are several GUI tools that can help you manage and secure your Cisco routers very quickly. The one I want to focus on today is Cisco’s free Security Device Manager (SDM). Like most of Cisco’s device managers, it allows you to manage one router at a time. Given some of the recent security news regarding Cisco routers, I thought this topic might be timely in helping you lock down your Cisco routers. To quote from the Cisco SDM site, “Cisco Router and Security Device Manager (SDM) is an intuitive, Web-based device management tool supported on Cisco 830 series through Cisco 7301 routers. SDM provides smart wizards and advanced configuration support for LAN and WAN configurations, NAT, Stateful Firewall Policy, Intrusion Prevention, IPSec virtual private network (VPN), Easy VPN Client and Server configurations, Digital Certificates, and Quality of Service (QoS) Policy features. SDM also offers a 1-click router lockdown and an innovative Security Auditing capability to check and recommend changes to router configuration based on ICSA Labs, and Cisco TAC recommendations.”
Two of the SDM security lockdown features that I want to bring to your attention are the Router Security Audit and One-step Lockdown wizards. The security audit wizard uses Cisco TAC-certified and ICSA best-practice rules to audit your router’s current security posture. The SDM audit wizard will:
Here is a look at SDM’s home page:

To launch the Security Audit Wizard, click the Perform Security Audit button.

You then tell SDM which interfaces are external and which are internal, so it knows which security policy checks apply based on each interface’s role.

The audit wizard then runs through its checks and produces a report like the one below:

As you can see, you can click the Fix All button or check any of the individual Fix It boxes. SDM will automatically fix any item you check; in rare cases it instead takes you to the exact configuration screen where you can fix it yourself. You can also export this report in HTML format. Click HERE for an example report. This can be filed away for when the auditors come knocking; preferably you’d run the report after you’ve fixed the problems :).
So to fix the problems you can use this wizard or run the other nice tool, One-step Lockdown. When you run the One-step Lockdown wizard, it reconfigures your router to make it more secure, using Cisco TAC, NSA, and ICSA Labs recommendations for how best to secure a Cisco IOS router. The first thing you will see is the screen below; once you click Deliver, SDM sends the commands to the router.

Now when you run the audit wizard you get a nice report you can download and file away:

SDM offers a nice security dashboard. The dashboard lists the top 10 threats seen; these threats are downloaded from the Cisco Security Alert Center website. The SDM dashboard shows you the exact Cisco IOS IPS signature needed to alert on and/or block each of these attacks. From here you can simply check the Deploy box next to any of the top 10 attacks and SDM will download and activate the IOS IPS signatures on your router. Pretty slick! Be careful with IOS IPS, though, as it can drastically affect the performance of Cisco routers. But for remote sites with links that are 1 or 2 T1’s it works fine.

SDM also has a nice firewall wizard that will quickly run you through how to set up the basics of an IOS firewall. IOS routers have a very robust, fast, fully stateful firewall.

The IOS firewall even supports deep packet inspection, otherwise known as an application firewall. It can stop P2P, IM, Web attacks, etc. It has many of the features that Cisco’s ASA firewall platforms do.

And if you just can’t get away from the CLI for certain things, SDM can accommodate you there as well. It has a built-in config editor where you can type in commands:

SDM can be installed just on your workstation, on the router’s flash memory, or both. Installing it only on your laptop saves router flash space.
For more information on SDM see below:
http://www.cisco.com/go/sdm
The supported IOS version for 2800 and 3800 ISR routers is 12.4(2)T or newer. For a complete list of hardware and software support, plus the readme for SDM, see here.
To download the latest SDM version go to http://www.cisco.com/cgi-bin/tablebuild.pl/sdm
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.