I was browsing through the security docs the other day and came across CPPr (Control Plane Protection). For detailed info go here.
This is a feature for securing devices. I used to work for a company that adhered to DISA security standards. One of the things that was a pain was restricting which interfaces could be used for management. We only wanted certain interfaces to accept management protocols. There were ways to get creative, but it's a lot easier now.
We can now (easily) restrict which interfaces will accept which management protocol! My only complaint is that we can't use this on loopbacks, which is where most/all management protocols live.
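The interface restriction described above is Management Plane Protection (MPP), the `management-interface` command under `control-plane host`. The configuration that belonged at this point did not survive on the page, so what follows is an added example, not the original post's config. The interface name GigabitEthernet0/0 and the protocol list are assumptions; the point is that once any interface is designated, every other interface silently drops the listed management protocols (ssh, telnet, snmp, http, https, ftp, tftp, beep), which is why the loopback cannot be used: the check happens on the ingress physical interface.

```cisco
! Added example (not from the original post): Management Plane Protection.
! Assumes GigabitEthernet0/0 is the out-of-band management interface.
! MPP requires CEF switching to be enabled.
ip cef
!
control-plane host
 ! Only this interface may receive SSH and SNMP for the router itself.
 ! All other interfaces now drop SSH/SNMP/Telnet/HTTP/HTTPS/FTP/TFTP/BEEP
 ! that is addressed to the router (transit traffic is unaffected).
 management-interface GigabitEthernet0/0 allow ssh snmp
!
! Verify which interfaces and protocols are permitted and count the drops.
show management-interface
```

Note that telnet is not in the allow list, so telnet to the router is refused on every interface, including the management one; that is intended. Before committing this on a remote box, make sure the session you are typing from arrives over the interface and protocol you are about to allow, or you will lock yourself out.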
The second part I found useful is the ability to drop packets BEFORE they hit the CPU. Nice!
First let's look to see which "daemons" (listening services) are running on the router.
ROUTER#show control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
udp *:123 *:0 NTP LISTEN
Telnet is listening by default. SSH and NTP showed up once I configured them. We should disable telnet, but there never really was a way to disable the telnet listener itself: all we could do was not use it, configure SSH, and permit only SSH under the VTYs. The telnet service was still running. Even though we still can't disable it, this is the next best thing. First we create the class map. In this example we're dropping packets destined to the router on ports that are not open [match closed-ports]. That certainly makes sense. Let's also drop all telnet connections [match port tcp 23]. Now this may be belt-and-suspenders when you also configure transport input under the VTYs, but I like the idea of being able to "firewall" my control plane.
class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
 match port tcp 23
Next we create the policy map, referencing the class and dropping what it matches. In the real world you probably don't want the log keyword, but it's helpful when learning stuff in the lab.
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop log
We apply it to the control plane (under control-plane host, not the interface) and then test.
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS
I tried to telnet from a neighboring router and I was denied. On the host router I had the following in the buffer log.
*Nov 8 18:33:03.089: %CP-6-TCP: DROP TCP/UDP Portfilter 192.168.100.2(47624) -> 192.168.100.1(23)
Awesome. One thing to note is that you may want to completely configure your router before applying this. There may be things running that you were not expecting. I didn't allow DHCP, and that broke my home network since my router is running DHCP.
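Pulling the steps above together, here is the complete CPPr port-filter configuration as one block, with the inventory step done first so the DHCP surprise does not happen. This is an added example, not the post's own config: the VTY line and the order of operations are my additions, and the verification `show policy-map` syntax is from memory and should be checked against your IOS release.

```cisco
! Added example (not from the original post): complete CPPr port-filter policy.
!
! 1. Inventory what is listening BEFORE you filter. Anything that is open
!    here stays open under "match closed-ports"; anything you add to the
!    class by explicit port is dropped even if it is open.
show control-plane host open-ports
!
! 2. Class: packets to ports the router is not listening on, plus telnet
!    even though it is open (match-any = either condition hits).
class-map type port-filter match-any CLOSED_PORTS
 match closed-ports
 match port tcp 23
!
! 3. Policy: drop matches. Keep "log" in the lab, remove it in production.
policy-map type port-filter FILTER_CLOSED_PORTS
 class CLOSED_PORTS
  drop log
!
! 4. Attach to the host subinterface of the control plane (not an interface).
control-plane host
 service-policy type port-filter input FILTER_CLOSED_PORTS
!
! 5. Belt-and-suspenders: refuse telnet at the VTYs as well.
line vty 0 4
 transport input ssh
!
! 6. Verify the policy is attached and that the drop counters move
!    (assumed syntax; confirm on your release).
show policy-map type port-filter control-plane host
```

The order matters: run step 1, enable every service you actually need (SSH, NTP, SNMP, DHCP, and so on), rerun step 1 to confirm they show as LISTEN, and only then apply step 4. Adding an explicit `match port` for a service you rely on, as happened with DHCP in the post, drops it regardless of whether it is open.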