12-03-2007 12:07 AM - edited 03-03-2019 07:45 PM
Hi pros,
This is my internet router configuration. It is directly connected to the internet and the other interface is connected to a firewall. Is this configuration sufficient against any attacks?
Please review this and post your suggestions.
best regards
yogesh
12-03-2007 12:15 AM
Hi
1) Access-list "Fortigate" is not applied to any interface. If it is meant to be applied to the outside interface, that is not such a good idea. Routers should route rather than do the function of a firewall, although there is some basic filtering you can do (see 3).
2) You don't show the config for vty access, but you should lock it down to who can access it and, if possible, use SSH only.
3) Make sure you have done the standard router hardening, e.g. turn off small services, no ip directed-broadcast, etc.
4) You can do some basic filtering for networks in an access-list on the outside interface, e.g. RFC 1918 address space filtering. Attached is a link for more details.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
HTH
Jon
12-03-2007 12:30 AM
Hi,
Thanks for the reply.
I don't have my routers and switches in any domain, and for SSH that is the first requirement. Can I put my routers and switches in a domain one by one without disturbing my network?
12-03-2007 12:52 AM
Hi
I have never done it, but I think you should be okay configuring a domain name on your switches / routers without any adverse effects on the network.
FYI, attached is another doc that covers basic router security
http://www.cisco.com/warp/public/707/21.html
Jon
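The points Jon raises in both replies (vty lock-down with SSH, the domain name SSH needs, standard hardening, and RFC 1918 ingress filtering on the outside interface) written out as an added IOS configuration example; this is not the original poster's config, and the interface name, the 10.1.1.0/24 management subnet, the ACL names and the username are assumptions.

```cisco
! Added example, not the poster's configuration. Interface name,
! management subnet, ACL names and username are assumptions.
hostname edge-router
! SSH needs a domain name before the RSA key can be generated
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
username admin secret CHANGE-ME-PLACEHOLDER
!
! Standard hardening: small services, finger, http, source routing
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip http server
no ip source-route
service password-encryption
!
! Ingress filter for the Internet-facing interface: drop RFC 1918,
! loopback and 0.0.0.0/8 sources that should never arrive from the Internet.
! Everything else is permitted; the firewall behind the router does the real filtering.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
!
! Management access: only the management subnet, SSH only
ip access-list standard MGMT
 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
 exec-timeout 5 0
```

To confirm it took effect, `show ip interface GigabitEthernet0/0` should list OUTSIDE-IN as the inbound access list, `show ip access-lists OUTSIDE-IN` shows per-entry hit counts once traffic flows, and `show ip ssh` should report SSH enabled with version 2.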