Securing Work Enviroment using Cisco 871 ISR

elmidwill
Level 1

Hello All,

Besides putting up NAT and creating an access-list, are there other ways to improve security using the 871 router? What are some other options I have? What does the inspect command do? Thanks.

6 Replies

b.speltz
Level 4

This command enables stateful packet inspection in Cisco IOS. This command has to be enabled in policy-map configuration mode.

And what do you mean by stateful? And how does one get into policy-map config mode?

clausonna
Level 3

There are tons of things you can do to secure a Cisco router. You can protect it from DDoS attacks with management plane and control plane protection. You can use the ip inspect command (also known as CBAC, content based access control) to create dynamic firewall entries (i.e. by default, you allow everything outbound, but -nothing- inbound except traffic that is returning to sessions that were initiated by internal devices). You can enable Intrusion Detection / Prevention (IPS) and enable high-risk signatures.

Your best bet is to use the SDM (security and device manager) to start, even if you're a CLI guy, because the SDM GUI helps you get familiar with the different functional areas.

Next, I'd get a copy of Richard Deal's CiscoPress book "Router Firewall Security". I've been doing router security for a while now and I still refer to it.

If you want, post a copy of your config (w/ passwords edited out) and I'd be happy to suggest some improvements.
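To make the "allow everything outbound, nothing inbound except replies" behaviour concrete, here is an added Python model of a stateless inbound ACL next to a CBAC-style inspecting firewall. It is example code written for this page, not code from the thread or from Cisco IOS. The outside client 203.0.113.9, the DNS server 198.51.100.53 and the ephemeral ports are constructed; the public host 24.235.110.162 and the permitted ports mirror access-list 101 in the configuration posted in this thread.

```python
"""Stateless ACL vs. CBAC-style stateful inspection, modelled in Python.

Added illustration for this thread; not code from the post or from Cisco IOS.
The outside client 203.0.113.9, the DNS server 198.51.100.53 and the ephemeral
ports are constructed. The public host 24.235.110.162 and the permitted ports
follow access-list 101 in the configuration posted here.
"""
from __future__ import annotations

from typing import NamedTuple


class Packet(NamedTuple):
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving on the outside interface, "out" = leaving it


# Static inbound permits, i.e. the role of access-list 101 applied "in" on
# FastEthernet4: (protocol, destination host, destination port). Anything not
# listed hits the implicit deny at the end of the list.
INBOUND_ACL = {
    ("tcp", "24.235.110.162", 21),
    ("tcp", "24.235.110.162", 80),
    ("tcp", "24.235.110.162", 3389),
}


def acl_permits(pkt: Packet) -> bool:
    return (pkt.proto, pkt.dst, pkt.dport) in INBOUND_ACL


class AclOnlyFirewall:
    """Inbound ACL alone: nothing remembers that an inside host started a
    session, so replies to outbound requests are dropped with everything else."""

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            return "permit"
        return "permit" if acl_permits(pkt) else "deny"


class InspectingFirewall:
    """CBAC-style: an outbound packet records its 5-tuple; an inbound packet is
    permitted when it is the mirror image of a recorded session, or when the
    static ACL allows it. IOS does this with 'ip inspect <name> out' on the
    outside interface, opening temporary holes ahead of the static ACL."""

    def __init__(self) -> None:
        self.sessions: set[tuple] = set()

    def handle(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.direction == "out":
            self.sessions.add(forward)
            return "permit"
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return "permit (session)"
        return "permit (acl)" if acl_permits(pkt) else "deny"

    def close(self, pkt: Packet) -> None:
        """Forget a session (CBAC does this on TCP close or idle timeout)."""
        self.sessions.discard((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def scenario() -> dict[str, list[str]]:
    """Replay the same constructed packets through both firewalls. The inside
    client has been NAT-overloaded to 24.235.110.163 (first address of pool mtm1)."""
    packets = [
        Packet("udp", "24.235.110.163", 40001, "198.51.100.53", 53, "out"),  # DNS query
        Packet("udp", "198.51.100.53", 53, "24.235.110.163", 40001, "in"),   # DNS reply
        Packet("tcp", "203.0.113.9", 51515, "24.235.110.162", 80, "in"),     # web to static NAT
        Packet("tcp", "203.0.113.9", 51516, "24.235.110.163", 22, "in"),     # unsolicited probe
    ]
    results: dict[str, list[str]] = {}
    for name, fw in (("acl-only", AclOnlyFirewall()), ("cbac", InspectingFirewall())):
        results[name] = [fw.handle(p) for p in packets]
    return results


def reply_after_close() -> str:
    """Once the session is gone, the same reply tuple is no longer trusted."""
    fw = InspectingFirewall()
    query = Packet("udp", "24.235.110.163", 40001, "198.51.100.53", 53, "out")
    reply = Packet("udp", "198.51.100.53", 53, "24.235.110.163", 40001, "in")
    fw.handle(query)
    fw.close(query)
    return fw.handle(reply)


if __name__ == "__main__":
    for name, verdicts in scenario().items():
        print(f"{name:9s} {verdicts}")
    print("after close:", reply_after_close())
```

The second packet is the whole point: with only the inbound ACL the DNS answer to the inside client is denied, which is exactly what breaks Internet access for inside users, while the inspecting firewall lets it through because it saw the query leave. Unsolicited inbound traffic to an address the ACL does not cover is denied by both.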

Current configuration : 3146 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Jtizzle
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username privilege 15 secret 5
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 24.x.x.114
no ftp-server write-enable
!
interface FastEthernet0
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 ip address 24.235.x.x 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.235.110.161
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool mtm1 24.235.110.163 24.235.110.165 netmask 255.255.255.248
ip nat inside source list 10 pool mtm1 overload
ip nat inside source static tcp 10.10.10.2 21 24.235.110.162 21 extendable
ip nat inside source static tcp 10.10.10.2 80 24.235.110.162 80 extendable
ip nat inside source static tcp 10.10.10.2 110 24.235.110.162 110 extendable
ip nat inside source static tcp 10.10.10.2 3389 24.235.110.162 3389 extendable
ip nat inside source static tcp 10.10.10.2 52134 24.235.110.162 52134 extendable
!
access-list 10 permit 10.10.10.0 0.0.0.7
access-list 101 permit tcp any host 24.235.110.162 eq telnet
access-list 101 permit tcp any host 24.235.110.162 eq 3389
access-list 101 permit tcp any host 24.235.110.162 eq www
access-list 101 permit tcp any host 24.235.110.162 eq ftp
access-list 101 permit tcp any host 24.235.110.162 eq 52134
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 password xxx
 login
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
end

As you might be aware, I am just getting the feel for the CLI and would prefer using that, just because of the issues I have had with SDM in the past. There is also another crucial command that I am missing or need to omit to get users internally to access the Internet. If you could provide me with that as well it would be greatly appreciated. I'll check out that book you mentioned. Thanks.

Here's what you need to do to get running. Send me an email at clausonna@gmail.com RIGHT AWAY because you have another issue that needs attention.

!-- create the CBAC rules. You can call 'cbac-fw' anything you want
!-- (an inspection rule is defined with 'ip inspect name <rule-name> <protocol>')
ip inspect name cbac-fw icmp
ip inspect name cbac-fw ftp
ip inspect name cbac-fw http
ip inspect name cbac-fw dns
ip inspect name cbac-fw tcp
ip inspect name cbac-fw udp
int f4
 !-- apply the ip inspect rules. This is what's causing you problems right now.
 ip inspect cbac-fw out
exit
! create a dhcp pool for the users, assuming you don't have one already
ip dhcp pool dhcp-pool
 network 10.10.10.0 255.255.255.248
 dns-server
 default-router 10.10.10.1
 domain-name yourdomain.com
exit
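Taking the posted configuration and the suggested fix together, here is an added Python check that reads an IOS-style config and flags the points raised in this thread: clear-text line passwords, telnet on the vty lines, plaintext HTTP management, telnet and RDP opened to any source in access-list 101, and an outside interface that has an inbound ACL but no outbound ip inspect. It is example code for this page, not a Cisco tool; POSTED_CONFIG is a constructed excerpt modelled on the configuration above (redactions kept), and the finding ids, messages and remediation lines are the example's own.

```python
"""Audit an IOS configuration for the weaknesses discussed in this thread.

Added example for this page, not a Cisco tool. POSTED_CONFIG is a constructed
excerpt modelled on the configuration posted above (its redactions kept); the
finding ids, messages and remediation lines are this example's own.
"""
from __future__ import annotations

import re

POSTED_CONFIG = """\
version 12.3
no service password-encryption
hostname Jtizzle
no aaa new-model
!
interface FastEthernet4
 ip address 24.235.x.x 255.255.255.248
 ip access-group 101 in
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.248
 ip nat inside
!
ip http server
ip http secure-server
access-list 101 permit tcp any host 24.235.110.162 eq telnet
access-list 101 permit tcp any host 24.235.110.162 eq 3389
access-list 101 permit tcp any host 24.235.110.162 eq www
!
line vty 0 4
 privilege level 15
 password xxx
 login
 transport input telnet ssh
end
"""


def parse(config: str) -> list[tuple[str, list[str]]]:
    """Split a config into (command, [sub-commands]); IOS indents sub-commands
    with one leading space, and '!' lines are separators."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config: str) -> list[tuple[str, str, str]]:
    """Return (finding id, why it matters, remediation command) per issue."""
    blocks = parse(config)
    top = {cmd for cmd, _ in blocks}
    found: list[tuple[str, str, str]] = []
    if "no service password-encryption" in top:
        found.append(("password-encryption", "line passwords are stored in clear text",
                      "service password-encryption"))
    if "no aaa new-model" in top:
        found.append(("aaa", "AAA disabled; no per-user accounting or lockout", "aaa new-model"))
    if "ip http server" in top:
        found.append(("http", "plaintext HTTP management is enabled"
                      + (" alongside HTTPS" if "ip http secure-server" in top else ""),
                      "no ip http server"))
    for cmd, sub in blocks:
        if cmd.startswith("line vty"):
            if any(c.startswith("transport input") and "telnet" in c.split() for c in sub):
                found.append(("vty-telnet", f"{cmd}: clear-text telnet accepted for remote login",
                              "transport input ssh"))
            if "login" in sub and any(c.startswith("password ") for c in sub):
                found.append(("vty-password", f"{cmd}: shared line password instead of user accounts",
                              "login local"))
        elif cmd.startswith("interface"):
            in_acl = any(c.startswith("ip access-group") and c.endswith(" in") for c in sub)
            inspect = any(c.startswith("ip inspect") and c.endswith(" out") for c in sub)
            if "ip nat outside" in sub and in_acl and not inspect:
                found.append(("no-inspect", f"{cmd}: inbound ACL with no outbound 'ip inspect'; "
                              "replies to sessions started inside are dropped",
                              "ip inspect <rule-name> out"))
        elif m := re.match(r"access-list \d+ permit tcp any host (\S+) eq (telnet|23)$", cmd):
            found.append(("acl-telnet", f"telnet to {m.group(1)} reachable from any source", "no " + cmd))
        elif m := re.match(r"access-list \d+ permit tcp any host (\S+) eq 3389$", cmd):
            found.append(("acl-rdp", f"RDP to {m.group(1)} reachable from any source",
                          cmd.replace("any", "<trusted-source> <wildcard>")))
    return found


def finding_ids(config: str) -> set[str]:
    return {fid for fid, _, _ in audit(config)}


def apply_inspect(config: str, name: str = "cbac-fw") -> str:
    """Model the fix suggested above: 'ip inspect <name> out' on the NAT-outside
    interface (plain text substitution, for the demonstration only)."""
    return config.replace(" ip nat outside\n", f" ip nat outside\n ip inspect {name} out\n")


if __name__ == "__main__":
    for fid, why, fix in audit(POSTED_CONFIG):
        print(f"[{fid}] {why}\n    -> {fix}")
    print("after inspect applied:", sorted(finding_ids(apply_inspect(POSTED_CONFIG))))
```

Applying only the inspect fix clears the "no-inspect" finding (inside users get their return traffic) but leaves the exposure findings in place: access-list 101 still admits telnet and RDP to 24.235.110.162 from anywhere, and the vty lines still accept telnet with a shared clear-text password.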

ajagadee
Cisco Employee

Below is a link on Improving Security on Cisco Routers

http://www.cisco.com/warp/customer/707/21.html

Let me know if it helps.

Regards,

Arul