Netband Project - Device hardening
From Teknologisk videncenter
This page is part of the Netband Project
- Management Plane—The management plane manages traffic that is sent to the Cisco IOS device and is made up of applications and protocols such as SSH and SNMP.
- Control Plane—The control plane of a network device processes the traffic that is paramount to maintaining the functionality of the network infrastructure. The control plane consists of applications and protocols between network devices.
- Data Plane—The data plane forwards data through a network device. The data plane does not include traffic that is sent to the local Cisco IOS device.
Exclusive Configuration Change Access
- ensures that only one administrator makes configuration changes to a Cisco IOS device at a given time.
```
B1rt1(config)#configuration mode exclusive auto
!
! Any other session that now tries to enter configuration mode is refused:
B1rt1(config)#interface fa0/0
Configuration mode locked exclusively by user 'admin' process '56' from terminal '195'. Please try later.
```
Cisco IOS Software Resilient Configuration
- stores a copy of the Cisco IOS software image and device configuration that is currently being used by a Cisco IOS device.
- Can only be disabled through console access
```
secure boot-image
secure boot-config
```
```
B1rt1#sh secure bootset
IOS resilience router id FCZ111910E5

IOS image resilience version 12.4 activated at 11:05:51 UTC Thu Apr 16 2009
Secure archive flash:c2801-advipservicesk9-mz.124-9.T.bin type is image (elf) []
  file size is 30588892 bytes, run size is 30754576 bytes
  Runnable image, entry point 0x8000F000, run from ram

IOS configuration resilience version 12.4 activated at 11:06:11 UTC Thu Apr 16 2009
Secure archive flash:.runcfg-20090416-110611.ar type is config
configuration archive size 4555 bytes
```
```
B1rt1(config)#no secure boot-config
%You must be logged on the console to apply this command
```
```
B1rt1(config)#secure boot-config restore flash:rescueconf
ios resilience:configuration successfully restored as flash:rescueconf
```
Reserve Memory for Console Access
- used in order to reserve enough memory to ensure console access to a Cisco IOS device
```
memory reserve console 4096
```
Memory Leak Detector
- used in order to check the memory structures of a device and acquire the latest crash information to determine what processes corrupt the chunks.
```
scheduler heapcheck process memory
```
Buffer Overflow: Detection and Correction of Redzone Corruption
- A memory block overflow problem is detected in the Cisco IOS software when the value of an area in the memory block called the "redzone" is checked.
- When a memory block overflow problem is detected in packet memory, the software changes the memory block header data back to its correct value.
```
exception memory ignore overflow io
exception memory ignore overflow processor
```
```
show memory overflow
```
EXEC Timeout
- logs out sessions on vty or tty lines that are left idle.
- Default is 10 minutes
```
line con 0
 exec-timeout 5
line vty 0 4
 exec-timeout 5
```
Disable Unused Services
```
no ip finger
ip dhcp bootp ignore
no service pad
no ip http server
no service config
! LLDP is disabled globally with:
no lldp run
! MOP is disabled per interface (interface configuration mode):
no mop enabled
```
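The items in the sections above (exclusive configuration mode, resilient configuration, the memory commands, EXEC timeout and the unused services) can be audited offline against a saved running-config. The following Python script is an added example, not from this page or from Cisco; the sample configuration, hostname and interface names are constructed, and the policy it encodes (an explicit exec-timeout on every line, `exec-timeout 0 0` reported as a finding, `no mop enabled` on every Ethernet interface) is an assumption drawn from the page's recommendations.

```python
"""Offline audit of a Cisco IOS running-config against the hardening items on
this page.  Added example (not from the page or from Cisco).  The sample config,
hostname and interface names are constructed; the policy is an assumption."""

# Global commands this page recommends.  "no lldp run" is the IOS global form
# (the page's list writes it as "no lldp run global").
REQUIRED_GLOBAL = [
    "configuration mode exclusive auto",   # Exclusive Configuration Change Access
    "secure boot-image",                   # Cisco IOS Software Resilient Configuration
    "secure boot-config",
    "memory reserve console 4096",         # Reserve Memory for Console Access
    "scheduler heapcheck process memory",  # Memory Leak Detector
    "no ip finger",                        # Disable Unused Services
    "ip dhcp bootp ignore",
    "no service pad",
    "no ip http server",
    "no service config",
    "no lldp run",
]
# Explicit lines that mean an unused service is switched on.
FORBIDDEN_GLOBAL = ["ip finger", "service pad", "ip http server", "service config"]
MAX_EXEC_TIMEOUT_MIN = 10  # the IOS default the page mentions; the page sets 5

# Constructed sample: some items are hardened, some deliberately are not.
SAMPLE_CONFIG = """\
hostname B1rt1
!
configuration mode exclusive auto
secure boot-image
secure boot-config
memory reserve console 4096
scheduler heapcheck process memory
!
no ip finger
ip dhcp bootp ignore
no service pad
ip http server
no service config
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 0 0
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""


def parse_config(text):
    """Split a running-config into top-level lines and (header, children)
    blocks.  Children are the indented lines under a header such as
    'interface FastEthernet0/0' or 'line vty 0 4'; a '!' line ends a block."""
    top_level, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
            continue
        if raw[0].isspace():  # indented: belongs to the open block
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = (raw.strip(), [])
        blocks.append(current)
        top_level.append(current[0])
    return top_level, blocks


def exec_timeout_findings(blocks):
    """Check every 'line ...' block: an explicit exec-timeout must exist and
    must not be '0 0', which disables idle logout entirely."""
    findings = []
    for header, children in blocks:
        if not header.startswith("line "):
            continue
        timeouts = [c for c in children if c.startswith("exec-timeout")]
        if not timeouts:
            findings.append(f"{header}: no explicit exec-timeout (IOS default 10 min; page sets 5)")
            continue
        parts = timeouts[-1].split()  # exec-timeout <minutes> [seconds]
        minutes = int(parts[1])
        seconds = int(parts[2]) if len(parts) > 2 else 0
        if minutes == 0 and seconds == 0:
            findings.append(f"{header}: exec-timeout 0 0 disables idle logout")
        elif minutes > MAX_EXEC_TIMEOUT_MIN:
            findings.append(f"{header}: exec-timeout {minutes} min exceeds {MAX_EXEC_TIMEOUT_MIN}")
    return findings


def audit(text):
    """Return a list of human-readable findings; an empty list means compliant."""
    top_level, blocks = parse_config(text)
    present = set(top_level)
    findings = [f"missing: {cmd}" for cmd in REQUIRED_GLOBAL if cmd not in present]
    findings += [f"enabled service: {cmd}" for cmd in FORBIDDEN_GLOBAL if cmd in present]
    # MOP is disabled per interface, so check each Ethernet interface block.
    for header, children in blocks:
        if header.startswith("interface ") and "Ethernet" in header \
                and "no mop enabled" not in children:
            findings.append(f"{header}: mop not disabled")
    findings += exec_timeout_findings(blocks)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real device, feed it the output of `show running-config` instead of the constructed sample; the parser only relies on IOS indenting child commands under `interface` and `line` headers and separating sections with `!`.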