
Is it important to secure a CPE router?

I have a CPE router (Cisco LSR 4000 series) and I will be configuring it. I also have a firewall that sits after the CPE that will handle everything.

The CPE will only be connecting my network to the ISP.

 

My question is: do I have to do anything to secure this router, except for the passwords?

 

 

14 Replies

Hi,

You should still secure the router, with VTY ACL to restrict access to the router, SNMP, Syslog, Banner, AAA, Routing protocol authentication and general device hardening etc. The Cisco IOS device hardening guide has more information.

 

HTH

Thanks!

 

Wow, this is a lot.

Do I need to do everything in this guide? Is there a short way or a list of commands to do it? I don't think I have enough time until the day of switching the router.

It would be great if you could provide me with a short way :)

 

Best

 

VTY ACL to restrict access to the router, SNMP, Syslog, Banner, AAA, Routing protocol authentication is a good start and probably the minimum you should configure.

Make sure you disable telnet in the VTY lines and use SSH instead.

HTH

You mean set the VTY to deny all for these services (SNMP, Syslog, Banner, AAA, Routing protocol authentication) and permit through only the local interface?

That was just a list of protocols to configure. At a minimum, do the following:

- ACL to secure mgmt access to the VTY lines
- SNMPv3 with an ACL to restrict access
- Send logs to syslog server
- Banners
- Routing protocol authentication
- AAA

I see, correct me if I am wrong please:
- ACL to secure mgmt access to the VTY lines
- SNMPv3 with an ACL to restrict access
- Send logs to syslog server (I don't need to set this if I don't have a syslog server)
- Banners
- Routing protocol authentication (I am using only a default route; do I need to do authentication for all other protocols?)
- AAA (authentication service; do I need to use it?)

Sure, if you aren't using a routing protocol you don't need authentication. The Syslog and AAA would be advisable, but if you don't have these systems in place then OK. These were just general suggestions.

So nothing is left for me to configure except for:

- disabling telnet and enabling SSH with an ACL

- creating strong passwords for accessing global, vty, etc.

- setting the password lockout time

- banners

- disabling ICMP

 

What about DDoS? I have web servers on premises, but they are behind the firewall. Do I still need to disable ICMP from outside?

Well, if there is a firewall behind the router, then let that device protect the webservers, Layer 7 inspection/DDoS etc. You just want to secure the router, not necessarily block transit traffic (unless there is a valid reason to block transit traffic on the router).

It's up to you whether you want to block icmp to the webservers, if you don't need it then block it on the firewall.

It's already set on the firewall, but I believe that I need to block ICMP on the router, because once the attacker knows the web server IP it will be easy to guess the router IP and flood it with ping requests, right?

If an attacker knows the IP address of the webserver they are probably going to do more than ping flood your devices. If you do block icmp on your router you said you don't have a syslog server, so you'll get no alerts of any blocks.

The best place to filter all traffic is on the firewall, which has the logging functionality, so you'll get alerts and can react.

So no need to block ICMP... I have everything set on the firewall and it works fine.

I do have Nagios; is this considered to be a syslog server? I can set the SNMP on the router to log everything to Nagios.

No need to block icmp or any transit traffic on the router, up to you if you block icmp on the firewall.

Yes, you can use nagios for syslog and snmp.
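
The minimum list agreed on in this thread, written out as an IOS configuration fragment. This is an added example, not configuration posted by anyone in the thread. The hostname, domain name, ACL names, SNMP group and user names, the 192.0.2.x addresses, the lockout timers and every `<...>` value are assumed placeholders, and the Nagios host is assumed to accept syslog as the last reply states.

```cisco
! Added example: all names, addresses and timers are assumed placeholders.
! 192.0.2.0/24 = assumed management subnet, 192.0.2.10 = assumed Nagios host.
!
! --- Local account, enable secret and failed-login lockout ---
username admin privilege 15 secret <STRONG-PASSWORD>
enable secret <STRONG-ENABLE-PASSWORD>
! Refuse logins for 120 s after 3 failures within 60 s
login block-for 120 attempts 3 within 60
!
! --- SSH only (key generation needs a non-default hostname and a domain) ---
hostname cpe-rtr
ip domain name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- ACL limiting who may open a management session ---
ip access-list standard MGMT-ACCESS
 permit 192.0.2.0 0.0.0.255
 deny any log
!
! Apply the same settings to any further VTY lines the router has
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login local
 exec-timeout 10 0
!
! --- SNMPv3 with authentication and encryption, monitoring host only ---
ip access-list standard SNMP-NMS
 permit host 192.0.2.10
!
snmp-server group NMS-RO v3 priv access SNMP-NMS
snmp-server user nagios NMS-RO v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>
!
! --- Syslog to the monitoring host ---
logging host 192.0.2.10
logging trap informational
!
! --- Login banner ---
banner login ^
Authorized access only.
^
```

`transport input ssh` is what disables telnet on the VTY lines, and the `access-class` filters sessions to the router itself without touching transit traffic, which stays the firewall's job.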