Securing an edge router with a public IP suggestions

I am very new at protecting a Cisco router from Internet attacks when it has a dedicated IP address. I tried the AutoSecure command, but it shut everything down even though I went through the question process with it. Security is not my area of specialty. I am more of a CME person.

I am the vendor, and we have a customer that we have a DMVPN connection to on an as-needed basis. Most of the time, the VPN is down. But when they need changes made on their router (mostly CME things), they enable the tunnel via a web page that I wrote. Since both our edge router and theirs have a public IP address, I need to configure some good security. There are no firewalls at either site beyond what Windows has built in. That is a rabbit hole I don't want to jump down just yet.

Both HQ A and Customer A are live on the Internet now and running companies, so when I apply an access-list or any other command, I need to be sure not to cause an interruption in their services or lose access to them via the VPN tunnel, as the customer location is 35 miles away; it will be difficult to just restart the router.

 

Please see my topology below and make your recommendations as per my needs listed:

The HQ location has a DMVPN tunnel to the Customer A router on the 172.16.1.0/16 network, and we must be able to telnet from the HQ A router to the Customer A and Customer B routers through the tunnel ONLY.

The HQ location has another VPN between HQ and a Home location on the 172.31.0.0 network.

The customer also has a VPN on the 172.20.0.0 network.

Both of these tunnels stay up permanently and are completely separate from the HQ-to-Customer VPN.

We log in to the HQ A router, then telnet to the Customer A router. If access is needed to the Customer B router, we must first connect to the Customer A router, then telnet from the Customer A router to the Customer B router.

  • The HQ desktop computers will first access the HQ A router via Telnet or SSH on the internal network only, and then from the HQ A router telnet to the Customer A router over the tunnel.
  • There shall be NO other way to telnet or SSH to any of the routers, ONLY through the tunnels.
  • Both HQ's and the Customer's routers are DNS servers; this service must run.
  • The customer does not need access to the command-line configuration of any router, but should a technician be on site and need to log on to the customer's router, they need to be able to.
  • There is no routing between the customer's 192.168.100.0 network and the HQ location, just telnet through the tunnel.
  • HQ has a tunnel to Home for remote access. The home router is behind a cable modem. VoIP runs on the tunnel and network access via static routes.
  • Customer has a tunnel to Home for remote access. The home router is behind a cable modem. VoIP runs on the tunnel and network access via static routes.
  • Both HQ and Customer run CME, so VoIP services need Internet access.
  • The HQ CME system is completely separate from the Customer's CME system.
  • Both HQ and Customer need normal Internet access.
  • HQ A has an FTP server on 192.168.70.70 and needs TCP ports 21, 80, 443, 2000-2100. Port forwarding has been configured and is working.
  • HQ A has a second VPN for remote access (not Cisco; it will be changed later) on 192.168.70.80 and has TCP & UDP port 1194 open. Port forwarding has been configured and is working.
  • Both sites use NTP.
  • Customer A has special dental software that MUST have Internet access to work. No special ports are needed.
  • Both HQ and Customer have and need HTTPS running on their routers. However, there should be NO access to the router's web page via the Internet. Internal access IS needed.
  • Both sites send and receive email with mail servers off site.
  • Customer A's router does send email messages via EEM.
  • Any other security recommendations that you can make are welcome.

Below is a list of services that I shut down, a vty protection access-list, and a sample access-list for protecting the Internet connection. What changes/deletions/additions do you suggest?


DISABLED SERVICES

! Global configuration
no snmp-server
no service finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers
! These two are interface-level commands and must be entered under each
! interface, not in global configuration. Proxy ARP is enabled by default
! on IOS interfaces, so it has to be disabled explicitly on each one.
no ip proxy-arp
no ip directed-broadcast


VTY PROTECTION

! Standard ACL of permitted management sources. Applied with access-class it
! filters on the source address of the incoming telnet/ssh session.
! Note that 192.168.0.0/16 also covers the customer's 192.168.100.0 network.
access-list 50 remark VTY_ACCESS_CONTROL
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit host 172.16.0.1
access-list 50 deny any

line vty 0 4
 access-class 50 in
line vty 5 15
 access-class 50 in


INTERNET PROTECTION

! Applied inbound on the Internet-facing interface. Packets are matched as
! they arrive: the source is the remote host and the destination is the
! router's public address, because NAT port forwarding is applied only
! after the inbound access list has been checked.
int g0/0
 ip access-group Protect in
 no ip redirects
 no ip mroute-cache
exit

! Because the list ends in "permit ip any any", only the deny entries
! restrict anything; the permit entries above them are reached first but
! do not block any traffic.
ip access-list extended Protect
 remark Protect connections from Internet access and attacks
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq domain
 permit tcp any eq domain any
 deny tcp any any eq ftp-data
 deny tcp any any eq telnet
 permit udp any any eq domain
 permit udp any eq domain any
 deny udp any any eq snmp
 remark Anti-spoofing: unspecified, loopback, RFC 1918 and multicast/class E sources
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny icmp any any redirect
 remark Catch-all: anything not explicitly denied above is permitted
 permit ip any any


Do I need to add the following for access to the HQ A router FTP server, which does have port 80 web services?

! Inbound on g0/0 the list is evaluated before NAT, so the destination in
! these entries is matched against the address the packets carry on arrival.
 permit tcp any host 192.168.69.61 eq www
 permit tcp any host 192.168.69.61 eq 443
 permit tcp any host 192.168.69.61 eq ftp
 permit tcp any host 192.168.69.61 gt 1023

[Attachment: HQ to Customer Topology.jpg]
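A worked check of the posted "Protect" list, added here as an example rather than code from the post: a small Python evaluator for IOS-style extended ACLs (first-match, wildcard masks, port names, ICMP type keywords) run against constructed inbound packets. The public address 203.0.113.10 and the remote host 198.51.100.7 are assumed values from the documentation ranges, not addresses from the post, and the packets are constructed for the demonstration. It shows that with `permit ip any any` at the bottom the list only blocks what is explicitly denied (spoofed RFC 1918 sources, telnet, ftp-data, SNMP, ICMP redirects), and that, since the inbound list on g0/0 is evaluated before NAT translation, a port-forward entry naming the inside host never matches arriving traffic; it has to name the public address.

```python
"""IOS-style extended ACL evaluator: added example, not code from the post.
First-match evaluation with wildcard masks, run against constructed packets
to show what the 'Protect' list really does on the outside interface."""
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
              "domain": 53, "www": 80, "pop3": 110, "snmp": 161}
ICMP_TYPES = {"redirect": 5, "echo": 8}
PUBLIC_IP = "203.0.113.10"  # assumed public address of g0/0 (documentation range)

# The post's 'Protect' list, with the 192.168/16 and 172.16/12 wildcards corrected.
PROTECT_ACL = """
 remark Protect connections from Internet access and attacks
 permit tcp any any eq smtp
 permit tcp any any eq pop3
 permit tcp any any eq domain
 permit tcp any eq domain any
 deny tcp any any eq ftp-data
 deny tcp any any eq telnet
 permit udp any any eq domain
 permit udp any eq domain any
 deny udp any any eq snmp
 deny ip host 0.0.0.0 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 31.255.255.255 any
 deny icmp any any redirect
 permit ip any any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok):  # any | host A.B.C.D | A.B.C.D wildcard  ->  ((base, wild), rest)
    if tok[0] == "any":
        return (0, 0xFFFFFFFF), tok[1:]
    if tok[0] == "host":
        return (_ip(tok[1]), 0), tok[2:]
    return (_ip(tok[0]), _ip(tok[1])), tok[2:]

def _port(tok):  # optional eq/gt/lt operator with a port name or number
    if tok and tok[0] in ("eq", "gt", "lt"):
        return (tok[0], int(PORT_NAMES.get(tok[1], tok[1]))), tok[2:]
    return None, tok

def parse_ace(line):
    """Parse one extended-ACL entry; remark lines yield None."""
    t = line.split()
    if not t or t[0] == "remark":
        return None
    ace = {"action": t[0], "proto": t[1], "text": line.strip(), "icmp_type": None}
    ace["src"], rest = _addr(t[2:])
    ace["sport"], rest = _port(rest)
    ace["dst"], rest = _addr(rest)
    ace["dport"], rest = _port(rest)
    if ace["proto"] == "icmp" and rest:
        ace["icmp_type"] = int(ICMP_TYPES.get(rest[0], rest[0]))
    return ace

def _addr_match(spec, addr):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF  # 1-bits of the wildcard are "don't care"
    return (addr & keep) == (base & keep)

def _port_match(spec, port):
    if spec is None:
        return True
    op, val = spec
    return {"eq": port == val, "gt": port > val, "lt": port < val}[op]

def evaluate(acl_text, pkt):
    """First matching entry as (action, text); no match is IOS's implicit deny."""
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace is None or ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(ace["src"], _ip(pkt["src"]))
                and _addr_match(ace["dst"], _ip(pkt["dst"]))):
            continue
        if ace["proto"] in ("tcp", "udp") and not (
                _port_match(ace["sport"], pkt["sport"])
                and _port_match(ace["dport"], pkt["dport"])):
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

def with_web_entry(host, keep_catch_all):
    """PROTECT_ACL with 'permit tcp any host HOST eq www' on top and, optionally,
    the trailing 'permit ip any any' removed, as a real port-forward ACL would."""
    body = [l for l in PROTECT_ACL.strip().splitlines()
            if keep_catch_all or l.strip() != "permit ip any any"]
    return "\n".join([f" permit tcp any host {host} eq www"] + body)

if __name__ == "__main__":
    # Constructed packets as they arrive inbound on g0/0, i.e. before NAT.
    web_in = dict(proto="tcp", src="198.51.100.7", dst=PUBLIC_IP, sport=40003, dport=80)
    print(evaluate(PROTECT_ACL, dict(proto="tcp", src="10.1.2.3", dst=PUBLIC_IP, sport=40000, dport=80)))
    print(evaluate(with_web_entry("192.168.69.61", False), web_in))
    print(evaluate(with_web_entry(PUBLIC_IP, False), web_in))
```

`with_web_entry` prepends the proposed port-forward line and optionally drops the catch-all: with the catch-all in place the extra line changes nothing, and without it only the variant naming the public address lets the web connection through.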

 
