Locking down VPN gateway

roslerd
Level 1

Hi,

what measures are necessary or recommended to lock down an IOS VPN gateway (2621, IOS 12.1.2) using IPSec for remote access?

The obvious I can think of is only to allow UDP 500 and protos 50/51 (we will only use ESP/tunnel) on the external interface. Mode config is used to assign a private IP internally; cert-based authentication.

Does anyone have any pointers or advice? I am sure that this is an issue that many people are (should be) interested in, but I could not find anything... :(

Regards

Dirk

5 Replies

s.jankowski
Level 4

Firewalling is a separate issue altogether from VPN. If you have the Firewall feature set on your router, you can activate that or better yet, set a firewall out in front of the router. Search Cisco for CBAC (context-based access control)

Thanks, I agree that firewalling is a different issue. But apart from that, is it necessary to 'harden' an IOS-based VPN server? I am also thinking about the VPN policy, i.e. who's allowed to connect and what are they allowed to do?

In our case a firewall will be deployed, but I am sure that many people use a VPN gateway "in front" of the firewall. Then it must be robust enough.

Thanks for the hint on CBAC, I'll follow that up!

Regards

Dirk

Hello Dirk,

Sounds like you have more of an AAA issue than a Firewall issue. A RADIUS or TACACS+ server can work from an existing NT database to provide Authentication and Authorization (who can connect and what are they allowed to do) for VPN clients. Windows 2000 Server has a RADIUS service (Internet Authentication Service) that will do the trick. Windows NT will require a third party Security Server solution (CiscoSecure ACS, Steel-Belted RADIUS, etc.)

Employing CBAC (Firewall IOS) is a good idea on any access router; that, coupled with an access list that allows only protocols 50 & 51 (AH & ESP) and UDP port 50 (ISAKMP), will provide excellent protection.

What you can do (aside from firewalling) is take a look at the paper on CCO:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

http://www.cisco.com/warp/public/707/21.html

Turn off unnecessary services, encrypt pw, etc.
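The measures collected in this thread (an inbound access list on the outside interface that admits only IKE on UDP 500, as the original question states, plus ESP and AH; CBAC inspection on that interface; RADIUS-backed AAA for client authentication; and switching off unneeded services) pulled together into one added example configuration. This is not configuration posted by anyone in the thread; it is written in 2621/IOS 12.1-era syntax, and the interface name, addresses, address pool, list names and the RADIUS and enable secrets are placeholders. The line permitting the decrypted client pool traffic assumes this IOS generation re-evaluates decrypted packets against the inbound interface ACL; that behaviour should be confirmed on the actual image.

```cisco
! Added example, not from the thread. All names, addresses and secrets are
! placeholders; 203.0.113.1 is the gateway's public address.
!
! --- AAA: check remote-access users against RADIUS (e.g. Windows IAS) ---
aaa new-model
aaa authentication login VPN-USERS group radius local
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key <RADIUS-SHARED-SECRET>
!
! --- IKE phase 1: certificate (RSA signature) authentication ---
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
! Mode config: each client is handed a private address from this pool
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
crypto isakmp client configuration address-pool local VPN-POOL
!
! --- IPsec: ESP in tunnel mode only, dynamic map for road warriors ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
crypto dynamic-map DYN-CLIENTS 10
 set transform-set ESP-3DES-SHA
! Extended (xauth) user authentication goes through the AAA list above
crypto map VPN-MAP client authentication list VPN-USERS
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-CLIENTS
!
! --- Outside interface: admit only IKE (UDP 500), ESP (50) and AH (51) ---
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit esp any host 203.0.113.1
access-list 101 permit ahp any host 203.0.113.1
! Assumption: decrypted client packets are re-checked against this ACL on
! this IOS generation, so the mode-config pool has to be permitted explicitly
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
! Everything else is dropped and logged, which makes unexpected probes visible
access-list 101 deny   ip any any log
!
! CBAC: inspect sessions leaving through the outside interface and open
! return paths dynamically instead of permitting them statically in ACL 101
ip inspect name OUTBOUND-FW tcp
ip inspect name OUTBOUND-FW udp
!
interface FastEthernet0/0
 description Internet-facing
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
 ip inspect OUTBOUND-FW out
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 crypto map VPN-MAP
!
! --- General hardening: unneeded services off, passwords not in clear ---
service password-encryption
enable secret <ENABLE-SECRET>
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
no ip source-route
no cdp run
! Management access only from the inside network
access-list 10 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class 10 in
```

Two points to verify after applying something like this: `show access-lists 101` should show hit counts only on the three IPsec entries and the pool entry during normal operation, and the logged `deny` line gives a simple signal for anything else reaching the gateway's public address. If the image turns out not to re-check decrypted packets against the inbound ACL, the pool `permit` can be removed, which tightens the list further.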

Thanks everybody,

these are great tips. We will certainly have to look at some sort of AAA integration. Thanks for hinting at NT domains and Win 2K for that purpose.

Thanks also for the links to those papers! Maybe I can help you out some time too, but you don't seem to need it :-) .

Regards from London

Dirk
