10-02-2001 02:26 PM - edited 03-08-2019 08:48 PM
What commands would you suggest to add to a router that is exposed to the Internet to keep it from being attacked?
I have been given the following suggestions:
1) Add an access-class list to line vty 0 4 to ONLY allow internal users to telnet to the router.
2) Add the command "no ip source-route" in global config.
3) Add "no ip finger".
4) add the following to Internet interface:
ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable
10-03-2001 09:04 AM
The National Security Agency has published an excellent document describing Cisco router hardening. I would strongly recommend that you read this document and take the information that applies to your environment. You can find the document at http://nsa2.www.conxion.com/cisco/index.html
10-09-2001 10:12 AM
Thank you for posting such a valuable resource. Anyone who takes network security seriously should read this document.
10-03-2001 11:46 AM
A couple you may want to add are service password encryption. Also, I like to set up a null device and route all non-routable addresses to the null interface. You can add no ip mask-reply (it may be set this way by default). Another idea is to add the encryption module for the router/switch, use SSH and scrap telnet, and authenticate from a TACACS server. Depending on the traffic passing through the router and how much memory you have, enabling TCP intercept is a good idea. (The last one can be dangerous depending on your environment.)
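As an added example (not from any poster in this thread), a small Python audit that reads an IOS running-config and reports which of the settings suggested in the posts above are not explicitly present; the sample config, the interface name Serial0/0 and the SSH-only vty check are constructed assumptions.

```python
import re
# Global-mode lines the thread recommends; absence means "not explicitly set"
# (IOS hides some defaults, so treat findings as a review list, not proof).
GLOBAL_REQUIRED = ["no ip source-route", "no ip finger", "service password-encryption"]
# Lines recommended under the Internet-facing interface.
INTERFACE_REQUIRED = ["ip verify unicast reverse-path", "no ip redirects",
                      "no ip directed-broadcast", "no ip proxy-arp", "no cdp enable"]
def parse_sections(config):
    """Split a running-config into top-level lines and the indented children
    of each block header ('interface X', 'line vty 0 4')."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separates blocks in IOS output
        elif raw.startswith(" "):
            if current is not None:
                sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            global_lines.append(current)
    return global_lines, sections
def audit(config, internet_iface):
    """Return a list of findings; empty means every setting from the thread
    is explicitly present for the given Internet-facing interface."""
    global_lines, sections = parse_sections(config)
    findings = [f"global: missing '{c}'" for c in GLOBAL_REQUIRED if c not in global_lines]
    iface = sections.get(f"interface {internet_iface}", [])
    findings += [f"{internet_iface}: missing '{c}'" for c in INTERFACE_REQUIRED if c not in iface]
    vty = sections.get("line vty 0 4", [])
    if not any(re.fullmatch(r"access-class \S+ in", v) for v in vty):
        findings.append("line vty 0 4: no inbound access-class")
    if "transport input ssh" not in vty:  # assumption: SSH-only vty is the goal
        findings.append("line vty 0 4: telnet still allowed")
    return findings
# Constructed sample: a partially hardened edge router (interface name assumed).
SAMPLE_CONFIG = """\
service password-encryption
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
!
line vty 0 4
 login
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "Serial0/0"):
        print(finding)
```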