04-19-2001 06:44 AM - edited 02-21-2020 11:19 AM
Hi,
what measures are necessary or recommended to lock down an IOS VPN gateway (2621, IOS 12.1.2) using IPSec for remote access?
The obvious I can think of is only to allow UDP 500 and protos 50/51 (we will only use ESP/tunnel) on the external interface. Mode config is used to assign a private IP internally; cert-based authentication.
Does anyone have any pointers or advice? I am sure that this is an issue that many people are (should be) interested in, but I could not find anything... :(
Regards
Dirk
04-25-2001 09:14 AM
Firewalling is a separate issue altogether from VPN. If you have the Firewall feature set on your router, you can activate that or better yet, set a firewall out in front of the router. Search Cisco for CBAC (context-based access control)
04-25-2001 09:45 AM
Thanks, I agree that firewalling is a different issue. But apart from that, is it necessary to 'harden' an IOS-based VPN server? I am also thinking about the VPN policy, i.e. who's allowed to connect and what are they allowed to do?
In our case a firewall will be deployed, but I am sure that many people use a VPN gateway "in front" of the firewall. Then it must be robust enough.
Thanks for the hint on CBAC, I'll follow that up!
Regards
Dirk
04-26-2001 10:26 AM
Hello Dirk,
Sounds like you have more of an AAA issue than a Firewall issue. A RADIUS or TACACS+ server can work from an existing NT database to provide Authentication and Authorization (who can connect and what are they allowed to do) for VPN clients. Windows 2000 Server has a RADIUS service (Internet Authentication Service) that will do the trick. Windows NT will require a third party Security Server solution (CiscoSecure ACS, Steel-Belted RADIUS, etc.)
Employing CBAC (Firewall IOS) is a good idea on any access router; that coupled with an access list that allows only protocols 50 & 51 (AH & ESP) and UDP port 50 (ISAKMP) will provide excellent protection.
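As an added example (not from the original thread or from Cisco), here is what the access list, CBAC and AAA pieces described in the reply above look like in IOS configuration. Everything named here is a placeholder: the outside interface FastEthernet0/0 with address 192.0.2.1, the inside LAN 10.0.0.0/24, the mode-config client pool 10.1.1.0/24, the RADIUS server 10.0.0.5 and the names VPN-IN, FW-OUT, VPN-MAP and VPN-XAUTH. ISAKMP negotiates on UDP port 500; the `isakmp` keyword below resolves to that port.

```cisco
! Added example, not part of the original thread. Interface, addresses,
! pool, RADIUS server and ACL/map names are assumptions (placeholders).
!
! --- Inbound ACL on the Internet-facing interface -----------------------
! Only the IPsec control channel (IKE, UDP 500) and data channels
! (ESP = IP protocol 50, AH = IP protocol 51) may reach the router's
! own address. Everything else is dropped and logged.
ip access-list extended VPN-IN
 remark IKE / ISAKMP on UDP 500
 permit udp any host 192.0.2.1 eq isakmp
 remark ESP (protocol 50) and AH (protocol 51)
 permit esp any host 192.0.2.1
 permit ahp any host 192.0.2.1
 remark IOS crypto maps of this vintage run the decrypted, clear-text
 remark packet through this inbound ACL a second time, so traffic from
 remark the mode-config pool to the LAN must be permitted here as well
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip any any log
!
! --- CBAC (IOS Firewall feature set) ------------------------------------
! Inspect sessions leaving the router so only their return traffic is
! opened through VPN-IN; unsolicited inbound connections stay blocked.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect audit-trail
!
! --- AAA for VPN client logins (Xauth, where the image supports it) ------
! Keep the default login method on "local" so the console is never
! locked out when the RADIUS server is unreachable.
aaa new-model
aaa authentication login default local
aaa authentication login VPN-XAUTH group radius local
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646
radius-server key RADIUS-KEY-PLACEHOLDER
!
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP client configuration address respond
!
! --- Apply on the outside interface ------------------------------------
interface FastEthernet0/0
 description Internet-facing (placeholder name and address)
 ip address 192.0.2.1 255.255.255.252
 ip access-group VPN-IN in
 ip inspect FW-OUT out
 crypto map VPN-MAP
```

After applying it, `show access-lists VPN-IN` should show the deny entry's counter climbing while IKE and ESP hits land on the permit lines; `show ip inspect sessions` lists the outbound sessions CBAC has opened. If the image does not accept the `client authentication list` line, Xauth is not in that release and the certificate authentication alone has to carry the "who may connect" decision.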
04-26-2001 10:38 AM
What you can do (aside from firewalling) is take a look at the paper on CCO:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
http://www.cisco.com/warp/public/707/21.html
Turn off unnecessary services, encrypt pw, etc..
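As an added example (not from the original thread or from the linked papers), the "turn off unnecessary services, encrypt passwords" advice above as an IOS 12.1-era configuration fragment. The inside network 10.0.0.0/24, the outside interface FastEthernet0/0, the ACL name MGMT, the user name and both secrets are placeholders.

```cisco
! Added example, not part of the original thread. Network, interface,
! ACL name, user name and secrets are assumptions (placeholders).
!
! --- Passwords -----------------------------------------------------------
! service password-encryption only obscures passwords with the reversible
! type-7 scheme; the enable password must be an MD5 "secret" (type 5).
service password-encryption
enable secret ENABLE-SECRET-PLACEHOLDER
username admin password USER-PASSWORD-PLACEHOLDER
!
! --- Services a VPN gateway does not need ---------------------------------
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
no ip source-route
no cdp run
!
! --- Outside interface: no ICMP/ARP helpfulness towards the Internet -----
interface FastEthernet0/0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
 no ip unreachables
!
! --- Management access only from the inside network -----------------------
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class MGMT in
 exec-timeout 5 0
 login local
 transport input telnet
!
! --- Keep a usable audit trail --------------------------------------------
service timestamps log datetime msec
service timestamps debug datetime msec
logging buffered 16384
```

Telnet is cleartext; on an image that includes the SSH server, replace `transport input telnet` with `transport input ssh`. Either way the `access-class` line is what keeps the management plane off the Internet-facing side. Check the result with `show running-config`: no `password` line should be readable, `enable secret` should show a `5` hash, and `show ip interface FastEthernet0/0` should report proxy ARP, redirects and unreachables as disabled.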
04-26-2001 12:42 PM
Thanks everybody,
these are great tips. We will certainly have to look at some sort of AAA integration. Thanks for hinting at NT domains and Win 2K for that purpose.
Thanks also for the links to those papers! Maybe I can help you out some time too, but you don't seem to need it :-) .
Regards from London
Dirk