Securing an edge router with a public IP suggestions
I am a very new at protecting a Cisco router from Internet attacks when they have a dedicated IP address. I tried the AutoSecure command, but it shut everything down even though I went through the question process with it. Security is not my area of specialty. I am more of a CME person.
I am the vendor and we have a customer that we have a DMVPN connection to on an as needed basis. Most of the time, the VPN is down. But, when they need changes made on their router (mostly CME things), they enable the tunnel via a web page that I wrote. Since both our edge router and theirs have a public IP address, I need to configure some good security. There are no firewalls at either site beyond what Windows has built in. That Is a rabbit hold I don’t want to jump down just yet.
Both HA Q and Customer A are live on the Internet now and running companies so when I apply an access-list or any other command, I need to be sure to not cause interruption in their services or lose access to them via the VPN tunnel as the customer location is 35 miles away; it will be difficult to just restart the router.
Please see my topology below and make your recommendations as per my needs listed:
The HQ location has a DMVPN tunnel to the Customer A router on the 172.16.1.0/16 network and we must be able to telnet from the HQ A router to the Customer A and Customer B routers through the tunnel ONLY.
The HQ location has another VPN between HQ and a Home location on the 172.31.0.0 network.
The customer also has a VPN on the 172.20.0.0 network.
Both of these tunnels stay up permanently and are completely separate from the HQ to Customer VPN.
We login into the HQ A router then telnet to the Customer A router. If access is needed to the Customer B router, we must first connect to the Customer A router then telnet from the Customer A router to the Customer B router.
The HQ desktop computers will first access the HQ A router via Telnet of ssh on the internal network only and then from the HQ A router telnet to the Customer A router over the tunnel.
There shall be NO other way to telnet or ssh to any of the routers, ONLY through the tunnels
Both HQ and Customer's routers are DNS servers, this service must run
The customer does not need access to the command line configuration of any router, but should a technician be on site and need to log on to the customer's router, they need to be able to.
There is no routing between the customer's 192.168.100.0 network and the HQ location, just telnet through the tunnel
HQ has a tunnel to Home for remote access. The home router is behind a cable modem. VoIP runs on the tunnel and network access via static routes.
Customer has a tunnel to Home for remote access. The home router is behind a cable modem. VoIP runs on the tunnel and network access via static routes.
Both HQ and Customer run CME so VoIP services need Internet access
The HQ CME system is completely separate from the Customer's CME system.
Both HQ and Customer need normal Internet access
HQ A has an FTP server on 192.168.70.70 and needs tcp ports 21, 80, 443, 2000-2100. Port forwarding has been configured and is working
HQ A has a second VPN for remote access (not Cisco and will be changed later) on 192.168.70.80 and has tcp & udp port 1194 open. Port forwarding has been configured and is working
Both sites use NTP
Customer A has special dental software that MUST have Internet access to work. No special ports are needed
Both HQ and Customer have and need https running on their routers. However, there should be NO access to the router's web page via the Internet. Internal access IS needed.
Both sites send and receive email with mail servers off site.
Customer's A router does send email messages via EEM
Any other security recommendation’s that you can make are welcome.
Below is a list of services that I shut down, a vty protection access-list, and a sample access-list for protecting the Internet connection. What changes/deletions/additions do you suggest?
no service finger
no ip source-route
no ip proxy-arp
no ip directed-broadcast
no service tcp-small-servers
no service udp-small-servers
access-list 50 remark VTY_ACCESS_CONTROL
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 172.16.0.1 0.0.0.0
access-list 50 deny any
line vty 0 4
access-class 50 in
line vty 5 15
access-class 50 in
ip access-group Protect in
no ip redirec
no ip mroute-cache
ip access-list extended Protect
remark Protect connections from Internet access and attacks
permit tcp any any eq smtp
permit tcp any any eq pop3
permit tcp any any eq domain
permit tcp any eq domain any
deny tcp any any eq ftp-data
deny tcp any any eq telnet
permit udp any any eq domain
permit udp any eq domain any
deny udp any any eq snmp
deny ip host 0.0.0.0 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.0.0 0.0.0.255 any
deny ip 172.16.0.0 0.0.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 220.127.116.11 18.104.22.168 any
deny icmp any any redirect
permit ip any any
Do I need to add the following for access to HQ A router FTP server which does have port 80 web services?
I'm using AMP, and when I activated the SecureX Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it?
You can clear the SecureX Authorizatio...
I'm using Umbrella, and when I activated the Ribbon, I mistakenly used the wrong account to connect to SecureX. Now my SecureX Ribbon is connected to the wrong account. How do I fix it?
You can clear the SecureX Authorization for t...
Hi, I saw certain endpoint running state is Unauthorized, UZ. Therefore I check in ISE found some details which I not sure related to endpoint being UZ or not , which is Invalid username or password under context endpoint. I do see the cert...
I'm using Cisco Defense Orchestrator (CDO), and when I activated the Ribbon, I mistakenly used the wrong account. Now my SecureX Ribbon is connected to the wrong account. How do I fix it?
We're working on a way for you to de-authorize ...
I'm using Stealthwatch Cloud, and when I activated the Ribbon, I mistakenly used the wrong account. Now my SecureX Ribbon is connected to the wrong account. How do I fix it?
We're working on a way for you to de-authorize the Ribbon and ...