06-23-2004 03:58 PM - edited 03-02-2019 04:35 PM
Can someone point out some things in my config to make it more secure, more access-lists, etc.?
Here is the config:
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
logging buffered 4096 debugging
enable secret 5
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
ip dhcp pool dhcppool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   lease 7
!
no ip bootp server
ip audit attack action alarm reset
ip audit notify log
ip audit po max-events 100
ip cef
!
!
!
!
interface Ethernet0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 half-duplex
 ntp disable
 no cdp enable
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
no ip http server
ip pim bidir-enable
!
!
logging 10.10.10.66
access-list 1 permit 10.0.0.0 0.255.255.255 log
access-list 10 deny any log
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 deny icmp any any mask-request log
access-list 100 permit ip any any log
access-list 100 deny icmp any any net-unreachable log
access-list 100 deny icmp any any host-unreachable log
access-list 100 deny icmp any any port-unreachable log
access-list 100 deny icmp any any parameter-problem log
access-list 100 deny icmp any any packet-too-big log
access-list 100 deny icmp any any administratively-prohibited log
access-list 100 deny icmp any any source-quench log
access-list 100 deny icmp any any echo-reply log
access-list 100 deny icmp any any ttl-exceeded log
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 access-class 1 in
 access-class 10 out
 password <password>
 no login
 telnet refuse-negotiations
!
no scheduler allocate
end
06-29-2004 12:07 PM
The configuration seems to be secure. But creating just ACLs would not have any effect. In your configuration, you have created ACL 100 but didn't apply it to any interface.
And please refer to these tips from Cisco.
http://www.cisco.com/warp/public/cc/so/neso/sqso/secsol/cybsc_ov.htm
08-12-2004 05:40 AM
kidem,
Your access-list needs some help. Without knowing what your particular access needs are, it's hard to say what needs to be fixed.
However, I am using a 1721 myself AND am going through the same thing...tweaking the security. I have found two references that in my opinion have been very helpful.
O'Reilly, Cisco IOS Access Lists...nothing but access-lists, ISBN 1-56592-385-5; bought it used for $9 US.
The SANS Institute, Securing Cisco Routers: Step-by-Step, ISBN 0-9724273-3-3.
With respect to access-lists, think about using extended access-lists with eq established OR Reflexive access-lists. I think you also want to enable service password-encryption.
There are quite a few things you can do...and these resources will help you...as they have helped me.
08-12-2004 06:46 PM
Hi
Try this link.
http://www.informit.com/articles/article.asp?p=102180&seqNum=1
Do apply the necessary ACLs required to combat unnecessary worm/virus traffic that may affect your network's performance.
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Before applying your ACL 100 to any interface, do remember to add permit ip any any at the end; otherwise traffic won't move, since you are denying everything in that ACL, and at the end of each ACL there is an implicit deny statement by default.
Regards,
prem
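As an added example (not from the thread, Cisco, or any of the posters), the following Python models the first-match rule the replies describe and checks the posted ACL 100 against it: which deny entries are shadowed by the mid-list permit ip any any, what the implicit deny does when nothing matches, and that no access-group or access-class in the posted config references ACL 100. The matcher is a deliberately simplified stand-in for IOS ACL evaluation, and the protocol and ICMP-type names are plain strings taken from the config lines.

```python
# Added example, not from the thread. A first-match evaluator for the posted ACL 100:
# which entries "permit ip any any" shadows, the implicit deny that ends every IOS ACL,
# and that no line in the posted config actually applies ACL 100.
# Entries copied from the posted ACL 100 (a subset, order preserved).
ACL_100_TEXT = """\
access-list 100 deny icmp any any echo log
access-list 100 deny icmp any any redirect log
access-list 100 permit ip any any log
access-list 100 deny icmp any any net-unreachable log
access-list 100 deny icmp any any echo-reply log
"""

# The only lines in the posted config that attach an ACL to anything.
CONFIG_REFS = """\
 access-class 1 in
 access-class 10 out
"""

def parse_acl(text):
    """Return [(action, proto, icmp_type_or_None), ...] in configured order."""
    entries = []
    for line in text.splitlines():
        p = line.split()  # access-list <n> <action> <proto> any any [icmp-type] [log]
        extra = [t for t in p[6:] if t != "log"]
        entries.append((p[2], p[3], extra[0] if extra else None))
    return entries

def matches(entry, proto, icmp_type):
    _, e_proto, e_type = entry
    return e_proto == "ip" or (e_proto == proto and e_type == icmp_type)

def evaluate(entries, proto, icmp_type=None):
    """First matching entry decides; a packet matching no entry hits the implicit deny."""
    for entry in entries:
        if matches(entry, proto, icmp_type):
            return entry[0]
    return "deny"

def shadowed(entries):
    """Indices of entries that an earlier entry always matches first, so they never fire."""
    return [i for i, (_, proto, itype) in enumerate(entries)
            if any(matches(e, proto, itype) for e in entries[:i])]

def referenced_acls(config_text):
    """ACL numbers applied with 'ip access-group' or 'access-class' in a config."""
    refs = set()
    for p in (line.split() for line in config_text.splitlines()):
        if p[:2] == ["ip", "access-group"] or p[:1] == ["access-class"]:
            refs.add(p[2] if p[0] == "ip" else p[1])
    return refs
```

Running shadowed() on the posted list reports the net-unreachable and echo-reply denies as unreachable, and referenced_acls() confirms only ACLs 1 and 10 are attached, matching the first reply.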