03-14-2014 11:53 AM - edited 03-10-2019 12:12 AM
I have to install an ASR1001 on the internet for my company. I noticed the ASR1001 has a dedicated management port and I was wondering if it's a security risk to have this management port directly connected to my LAN, so I can manage it from my desk.
I only want to manage the ASR from this port and I won't be doing any management through its public IP address. Is it possible for an attacker to compromise the router and then have access to the network through this management port?
03-14-2014 01:28 PM
I would say it's a manageable risk. If you intend to not allow any management sessions to come from the public side you're off to a good start implementing protection from attacks. Combine that with some basic hardening, e.g. disable source routing, directed broadcast, ip proxy arp, finger, along with an acl on the management interface so that any traffic sourced from an untrusted interface on the router would not be able to receive return traffic. Also, the management vlan should be a dedicated vlan. I wouldn't drop it in the same vlan your desktop sits in. Best design would be to drop it in a dmz (acl on the router management interface would be redundant in this case) and apply rules on the firewall. However, if that's not possible, control access in routing on the ASR as well by only including a /32 route to your management station via the management vlan interface. Also, remove any redistribution or advertising of that management interface in your routing protocol.
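The hardening the answer lists, written out as an IOS-XE style configuration for the ASR1001. This is an added example, not configuration from the thread or from Cisco documentation; the addresses (management VLAN 10.99.0.0/24, management station 10.99.10.50 reached through gateway 10.99.0.254), the ACL names, and the uplink interface name GigabitEthernet0/0/0 are assumptions for illustration. The management port GigabitEthernet0 is placed in the Mgmt-intf VRF, which is the VRF the ASR1000 creates for that port by default.

```cisco
! Added example (not from the original thread). All addresses, ACL names and
! the uplink interface name are assumptions chosen for illustration.

! Global hardening the answer mentions: no source-routed packets, no finger
no ip source-route
no ip finger

! ACL applied inbound on the management port: only the management station may
! reach the router's management address, only with SSH and ping, everything
! else is dropped and logged
ip access-list extended MGMT-IN
 permit tcp host 10.99.10.50 host 10.99.0.1 eq 22
 permit icmp host 10.99.10.50 host 10.99.0.1 echo
 deny   ip any any log

! Management port in its own VRF: the global routing table used by the public
! uplink has no route into the management LAN and vice versa, so a session
! entering on an untrusted interface cannot get return traffic out of here
interface GigabitEthernet0
 description OOB management, dedicated management VLAN only
 vrf forwarding Mgmt-intf
 ip address 10.99.0.1 255.255.255.0
 ip access-group MGMT-IN in
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects
 no ip unreachables

! Only a /32 to the management station inside the management VRF; no default
! route here, so the router cannot reach anything else through this port
ip route vrf Mgmt-intf 10.99.10.50 255.255.255.255 10.99.0.254

! Internet-facing interface: same relay/spoofing hardening, no management
! services are bound to it
interface GigabitEthernet0/0/0
 description Public uplink
 no ip proxy-arp
 no ip directed-broadcast
 no ip redirects

! VTY lines: SSH only, and only from the management station; "vrf-also" is
! required for the access-class to apply to sessions arriving via a VRF
ip access-list standard VTY-MGMT
 permit host 10.99.10.50
 deny   any log
line vty 0 4
 access-class VTY-MGMT in vrf-also
 transport input ssh
 exec-timeout 10 0
```

Keeping GigabitEthernet0 in the Mgmt-intf VRF does two of the answer's items at once: the management subnet never appears in the global table, so there is nothing to accidentally redistribute into the routing protocol facing the internet, and a compromised process on the router still has to cross a VRF boundary, an inbound ACL and a /32-only routing table before it can speak to the management LAN. The `deny ... log` lines give the syslog evidence you would want if anything ever does try.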
03-17-2014 10:28 AM
Great, thanks for the ideas!