WAN Firewall and Network Security

NathanLKoch
Level 1

I am entirely new to Cisco hardware and am slowly learning how to configure things via console. I have a 2911 running IOS 15.7.3 with a stock configuration and 3 GigabitEthernet interfaces. I also have a 4948 switch. What I want to do currently is configure one interface for WAN and use another to connect directly to my switch with OSPF, and possibly do a VLAN or two.

 

Before I connect to the internet I want to do a few things. I want to disable all remote management: SSH, Telnet, HTTP, etc. I set up through the "setup" wizard and believe everything is disabled, but I would like to disable any vector that would allow exploitation other than being physically connected to the console.

 

I am familiar with pf and ufw as far as firewalls go, and I am aware 99% of firewall issues are outbound traffic, but I would like to set up a block-all-incoming rule on the WAN interface, with some more information on possibly allowing certain traffic to certain ports on VLAN IPs.

 

Tutorials would be great. I want to deny all incoming traffic before I connect this to the internet.

 

Thank you,

Nate

---------------------
"Fortune favors the brave."
7 Replies

Hi,

You can restrict access just to the router by using an ACL applied to the VTY line, example here.

 

To control traffic through the router, you can again use an ACL or alternatively use Zone Based Firewall (ZBFW), example here and here. ZBFW is stateful so will keep track of the connections.


HTH

I followed the tutorial. I didn't need the DMZ though. I have some questions. Here is my config:

class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
!         
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect 
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass    
 class class-default
  drop log
!         
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!         
!         
interface GigabitEthernet0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security OUTSIDE
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
!         
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security INSIDE
 no ip route-cache
 shutdown 
 duplex auto
 speed auto
 no mop enabled
!       
!         
ip access-list extended INSIDE-TO-OUTSIDE
ip access-list extended OUTSIDE-TO-INSIDE
!         
!         
access-list 100 permit udp any any eq bootpc
! 
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  pass   

What's confusing me is this OUTSIDE-TO-INSIDE-CLASS. Shouldn't it be inspect, and the other? Does this look like a good way to block all incoming connections on my WAN port?

---------------------
"Fortune favors the brave."

Your initial requirement was to deny inbound traffic on the outside interface, so you'd want to drop.
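The reply above says drop rather than pass. Below is what the posted zone-based firewall looks like with that change applied, as an added example written for this thread (it is not the poster's config and not a Cisco document). Two things differ from the posted config: the OUTSIDE-TO-INSIDE policy has no class that passes anything, so every unsolicited WAN connection lands in class-default and is dropped and logged; and the INSIDE-TO-OUTSIDE ACL, which in the posted config contains no permit statements, gets a permit entry so that the match-all class has something to match and the inspect action can build stateful sessions. The inside subnet 192.168.10.0/24 is an assumption, since the thread gives no addressing.

```cisco
! Added example, not the thread's config. Assumed inside subnet: 192.168.10.0/24.
!
! Inside -> outside: what the named ACL permits is inspected (stateful), so
! return traffic for those sessions is allowed back without any inbound rule.
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip 192.168.10.0 0.0.0.255 any
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Outside -> inside: no class passes anything. Every new connection arriving
! from the WAN hits class-default and is dropped and logged.
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
! Interface zone membership, unchanged from the posted config.
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
!
! Checks: zone pairs with their attached policies, then the live session table.
! show zone-pair security
! show policy-map type inspect zone-pair sessions
```

With this in place the OUTSIDE-TO-INSIDE-CLASS class-map and its empty ACL are no longer referenced and can be removed. Strictly, traffic between two zones with no zone-pair is dropped anyway; keeping the explicit OUT-TO-IN policy buys you the `drop log` entries, which is what you want to watch while you test. Traffic to and from the router itself (the self zone) is not subject to these zone-pairs by default, so the DHCP client on Gi0/0 keeps working without the posted `access-list 100`, which is not applied anywhere in the config shown. Note also that Gi0/1 in the posted config is `shutdown` with no IP address, so nothing will traverse IN-TO-OUT until that interface is configured.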

Marvin Rhoads
Hall of Fame

You can disable all interfaces except one from even responding to management traffic by using the management plane protection feature.

Reference:

https://www.cisco.com/c/en/us/td/docs/ios/security/configuration/guide/sec_mgmt_plane_prot.html#wp1049317
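The Management Plane Protection (MPP) feature from the reply above, shown as an added configuration example (this is not text from the linked guide and not the poster's config). It assumes GigabitEthernet0/1 is the inside interface, as in the config posted earlier in the thread, and that SSH is the only management protocol you ever want the router to answer.

```cisco
! Added example, not from the thread. Assumption: Gi0/1 is the LAN side.
!
! MPP depends on CEF; make sure it is on before configuring the feature.
ip cef
!
! Designate Gi0/1 as the only management interface and allow only SSH there.
! Management protocols (SSH, Telnet, HTTP/HTTPS, SNMP, ...) arriving on any
! other interface, including the WAN on Gi0/0, are dropped by the router.
control-plane host
 management-interface GigabitEthernet0/1 allow ssh
!
! Check: the interface now appears with its allowed protocols and drop counters.
! show management-interface
```

MPP only governs which interfaces may deliver management traffic to the router; the VTY lines still decide which protocols are accepted at all, so pair this with `transport input ssh` (or `transport input none` if you want no remote access whatsoever) on `line vty 0 4`. The posted interfaces carry `no ip route-cache`, which is worth reviewing against the CEF prerequisite before relying on MPP.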

#show management-interface
No management interfaces configured

(none of the things meme)

 

What are these things?

line con 0

line aux 0

line 2

line vty 0 4?

---------------------
"Fortune favors the brave."

The various line commands are described in detail in this book excerpt:

https://www.oreilly.com/library/view/cisco-ios-in/0596008694/ch04.html

Thank you for your help.

!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output telnet
 speed 115200
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 2
 exec-timeout 15 0
 login authentication local_auth
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 supersecurepassword
 login authentication local_auth
 transport input telnet
!

I want to disable line 2 and vty, but I'm not sure what they are. vty is any IP-based service like Telnet and SSH, but what is line 2?

At some point I want to use my aux port to link my router to my switch so I only have to use one console cable.

---------------------
"Fortune favors the brave."
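The line configuration from the post above, rewritten as an added example (not the poster's config and not from the O'Reilly excerpt) that does what the original question asked for: no remote management at all, console only. It also shows the alternative the first reply suggested, an ACL applied to the VTY line, for the case where SSH from one management host is wanted later. The management host address 192.168.10.10 and the `local_auth` AAA method name (taken from the posted config) are assumptions; which physical port `line 2` maps to on this router is not stated anywhere in the thread, so the example only closes it off.

```cisco
! Added example, not the thread's config. Assumed management host: 192.168.10.10.
!
! Console: keep local login and the short idle timeout from the posted config.
line con 0
 exec-timeout 5 0
 login authentication local_auth
 transport output none
!
! AUX: no interactive shell, nothing may connect in or out through it.
line aux 0
 no exec
 transport input none
 transport output none
!
! line 2: the posted config already has no exec; also refuse every inbound
! transport instead of leaving the long posted transport output list.
line 2
 no exec
 transport preferred none
 transport input none
 transport output none
!
! VTY: transport input none means no Telnet and no SSH, so there is no
! IP-based management path left. The posted "password 7" line is not needed.
line vty 0 4
 transport input none
 transport output none
!
! The HTTP/HTTPS servers are separate from the lines; turn them off too.
no ip http server
no ip http secure-server
!
! ---- Alternative (the first reply's suggestion): SSH from one host only ----
ip access-list standard MGMT-HOSTS
 permit 192.168.10.10
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication local_auth
 exec-timeout 5 0
!
! Checks: confirm the transports in effect and the ACL hit counters.
! show line
! show running-config | section line
! show ip access-lists MGMT-HOSTS
```

Two caveats worth knowing before you save this. First, the `password 7 supersecurepassword` entry on the VTY line in the posted config uses the type 7 encoding, which is reversible, not a hash; with `login authentication local_auth` in effect the line password is not what authenticates logins anyway, so remove it rather than rely on it. Second, the plan of using the AUX port as a console link to the switch works through reverse telnet to that line, which needs `transport input telnet` on `line aux 0` again, so keep `transport input none` there only until that is set up, and put an ACL on the line when you do.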