03-03-2004 07:50 AM - edited 03-02-2019 02:00 PM
Hi all;
I have two routers at different locations that are basically "open" as they sit in front of firewalls and pass all data.
My firewalls are doing all the protection as they are setup as a VPN between the two sites.
Both are 2600 series with one version at:
Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
-the other-
Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
I've got my non-Cisco brand firewalls very locked down and feel comfortable, however I would like to update/improve the security on my routers as another line of defense.
Any ideas would be appreciated. TIA
Steve
03-03-2004 08:39 AM
Ensure unused services are disabled (most of these are turned off in newer versions of IOS by default):
Disable small services (echo, discard, chargen, etc.):
no service tcp-small-servers
no service udp-small-servers
cdp - no cdp run
remote config - no service config
source routing - no ip source-route
BOOTP - no ip bootp server
Finger - no service finger
HTTP - no ip http server
Disable IP domain lookup - no ip domain-lookup
disable SNMP if you don't really need it - no snmp-server
(If you do need SNMP use an access-list to deny everything but your management station access and use Read Only):
access-list 1 permit
snmp-server community hard_to_guess_string ro 1
Administratively shutdown unused interfaces
On used interfaces:
Disable directed broadcasts - no ip directed-broadcast - this helps prevent "smurf" type attacks
Disable proxy arp - no ip proxy-arp
disable IP unreachables, redirects and mask replies:
no ip unreachables
no ip redirects
no ip mask-reply
Stuff to enable:
If you have a crypto version of IOS, enable SSH and use access-class on VTY lines to restrict access. If you don't have a crypto version of IOS, be sure to use an access-class on the vty lines:
access-list 1 permit
line vty 0 4
access-class 1 in
Ensure you have a banner motd that states "Unauthorized access to this system is prohibited..."
Use a local login username/password instead of just having a telnet password (since you only have two routers you can get by with using a local database):
username xxxx password xxxx
line vty 0 4
login local
Ensure you have strong passwords for your enable secret, usernames/passwords and telnet/ssh.
enable service password encryption and timestamps to use date and time instead of uptime:
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
Ensure you have the correct date and time set on the box.
Some people like to put an inbound ACL on the incoming interface of their router that denies obvious fake source IPs and source IPs that exist in their internal network (anti-spoofing):
e.g. a named ACL (say your internal IP block is x.x.x.0/24):
ip access-list extended inbound
deny ip x.x.x.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
permit ip any any
(newer versions of IOS show line numbers so you can quickly insert and remove entries without having to re-enter the whole ACL)
Normal ACL method:
access-list 199 deny ip x.x.x.0 0.0.0.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 10.0.0.0 0.255.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 permit ip any any
Then apply it to your inbound interface:
ip access-group inbound in
If you have this ACL in place and there is a breach on your network you can quickly add a line into the ACL to block the offending host/attacker more quickly than you can probably change your firewall. A lot of people use this inbound ACL as a first line of defense when something new is released into the wild. It also can stop attacks, etc before they reach your firewall. A common example would be to use this ACL to block the ports used by some kind of virus out there until you can patch up all your hosts with the latest DAT files.
If you use routing protocols, use MD5 authentication if available (OSPF, EIGRP, etc have MD5)
My $.02
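An added example (my own, not from the thread or from Cisco): a small Python checker that parses a "show running-config" dump and reports which of the items in the reply above are missing, skipping interfaces that are administratively shut. The check lists and the sample config are constructed for illustration; it assumes plain running-config text, so an item a newer IOS leaves at its secure default without printing it would still be reported as missing.

```python
import re

# Added example (not a Cisco tool): audit a running-config against the reply's checks.
REQUIRED_GLOBAL = ["no service tcp-small-servers", "no cdp run", "no ip source-route",
                   "no ip http server", "service password-encryption"]
REQUIRED_IFACE = ["no ip directed-broadcast", "no ip proxy-arp",
                  "no ip redirects", "no ip unreachables"]
VTY_ACL = re.compile(r"^access-class \S+ in$")

def audit(config):
    """Return a list of findings for one config dump; [] means every check passed."""
    glob, sections, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):               # indented: belongs to the open section
            if cur is not None:
                sections[cur].append(line.strip())
        else:                                  # global line; may open a new section
            glob.append(line)
            cur = line if line.startswith(("interface ", "line vty")) else None
            if cur:
                sections[cur] = []
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL if c not in glob]
    for line in glob:                          # reply says read-only SNMP with an ACL
        if line.startswith("snmp-server community") and "rw" in line.split()[3:]:
            findings.append(f"global: read-write SNMP community in '{line}'")
    for hdr, body in sections.items():
        if hdr.startswith("interface "):
            if "shutdown" not in body:         # unused interfaces stay shut; skip them
                findings += [f"{hdr}: missing '{c}'" for c in REQUIRED_IFACE if c not in body]
        else:                                  # line vty: local login plus an access-class
            if "login local" not in body:
                findings.append(f"{hdr}: missing 'login local'")
            if not any(VTY_ACL.match(b) for b in body):
                findings.append(f"{hdr}: no access-class applied")
    return findings

# Constructed sample config with several of the reply's items deliberately left out.
SAMPLE_CONFIG = """\
service password-encryption
no service tcp-small-servers
snmp-server community public rw
interface FastEthernet0/0
 no ip directed-broadcast
interface Serial0/0
 shutdown
line vty 0 4
 login local
"""
```

Running `audit(SAMPLE_CONFIG)` lists the missing global commands, the read-write community, the three missing interface commands on FastEthernet0/0 and the absent access-class on the VTY lines, while the shut Serial0/0 produces no findings.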
03-03-2004 08:50 AM
not to over simplify but a good tool to use (to get started) is Cisco's Output Interpreter. it will give you some good places to start. behind that the suggestions above are good ones.
03-03-2004 02:35 PM
I like Jamey's reply, but would emphasize that his suggestion should be considered the minimum acceptable.
On routers which are the first hop inside a firewall, I like to go a step further and put in access-lists which duplicate as much as possible the IP filtering already on the firewall. That way, when a wily hacker does get through the firewall, you may be able to detect and stop him before he also works his way through your router.
It's more work, but could save you when a hacker does get through (and they will :-( ). The goal is defense in depth, aka redundant security. Of course, if no one is monitoring the firewall and router, you'll have no idea that either was penetrated, and you're wasting your time. Unfortunately, real security is not something you can install and forget. Like high availability, it requires constant attention.
Good luck and have fun!
Vincent C Jones
P.S. There is a lot more detail on the rationale behind Jamey's suggestions in Chapter 8 of my book.
03-08-2004 12:49 PM
A follow up. I just read about this new 12.3 command called Auto Secure:
http://www.cisco.com/warp/public/732/releases/release123/major/highlights/
Pretty cool stuff.
-HTH