Security Basics mailing list archives
Re: Help hardening router
From: John Morrison <john.morrison101 () googlemail com>
Date: Tue, 9 Mar 2010 14:43:38 +0000
Joe,

To protect, or secure, the router there are a few basics. These boil down to:

- Install the latest IOS updates
- Only run required services and disable all others
- Allow only authenticated and encrypted access to the router
- Use ACLs to control remote access to the router

See http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Latest IOS Update
=================
Download and install the latest IOS for your device. Check the Cisco site for any minor updates and apply those if they are relevant to your environment. For example, if you don't have an ISDN interface you don't need fixes that are specific to that interface model. You can check information about your IOS revision here: http://www.cisco.com/cisco/web/psa/troubleshoot.html

Required Services
=================
Use no service, etc. to stop services. If you have an IOS revision of 12.0 or later many services (e.g. small udp and small tcp) are disabled by default. I notice you have stopped the DHCP service, but also have DHCP configured. Did you want to do this?

Use the most secure version of a protocol. For example, SNMPv3, sftp, etc.

Authenticated and Encrypted Access
==================================
Encrypt passwords as type 7 (using enable secret, service password-encryption, etc.)

Use local or TACACS+ for greater control of authentication. For example,

  aaa local authentication attempts max-fail <max-attempts>

Only allow access with encrypted connections, such as sftp, https, ssh, etc. Disable and block access with unencrypted protocols, e.g. ftp, http, telnet, etc.

  line vty 0 4
   transport input ssh
  line aux 0
   transport input none
   transport output none
   no exec
   exec-timeout 0 1
   no password

Use secure names for SNMP community strings and, if you can, use SNMPv3 and its greater levels of security.

Use ACLs to Control Remote Access to Router
===========================================
Use ACLs to block insecure protocols, such as ftp, http, telnet, etc.

Use ACLs to only allow access from your management addresses. Block all management traffic on interfaces to untrusted networks.

Use ACLs on vty and other lines to only allow access from your management network or management station.

Control access to snmp:

  access-list 98 permit 192.168.100.0 0.0.0.255
  access-list 99 permit 192.168.100.1
  !
  snmp-server community READONLY RO 98
  snmp-server community READWRITE RW 99

Secure routing protocol updates using ACLs.

Other
=====
Cisco also recommend removing VLAN1 and not allowing the use of a default VLAN. This VLAN is untagged and can be used to compromise a device at layer 2.

On 8 March 2010 20:27, <mzcohen2682 () aim com> wrote:
HI ALL !

I have a task to harden a small organization router; today they have only the router and they don't use a FW. I'm pasting here the config (not before changing the IPs). Can someone recommend which commands to implement in order to harden the router? They use some VPNs and the admin configs the router through telnet.

Another thing.. how do I know if this IOS supports SSH?

Also at the end of the access list they have a line saying:

access-list 111 permit ip any any

I think this is bad config, right?

thanks a lot all !!
joe

MARIO#sh run
Building configuration...

Current configuration : 4851 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname mario
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
!
username martin password 7 011E090A4F041200
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default none
aaa session-id common
ip subnet-zero
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.8.1 192.168.8.100
!
ip dhcp pool pool1
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.2
 dns-server 204.60.193.1 192.168.8.4 204.60.193.2
!
!
ip dhcp-server 192.168.8.2
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Tunnel8
 description Tunel israel Central
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 195.77.213.228
!
interface Tunnel351
 description Tunel sucursal Cordoba Argentina
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 204.60.231.161
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 227.68.72.193 255.255.255.252
 ip access-group 110 in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool grupoIPclientePPTP
 no keepalive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 192.168.8.2 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
ip default-gateway 204.68.72.194
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.72.194
ip route 192.168.0.0 255.255.0.0 Tunnel8
ip route 192.168.1.0 255.255.255.0 Tunnel8
ip route 192.168.5.0 255.255.255.0 Tunnel8
ip route 192.168.8.0 255.255.255.0 Vlan1
ip route 192.168.81.0 255.255.255.0 Tunnel351
!
no ip http server
no ip http secure-server
ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 255.255.255.252
ip nat inside source list 100 pool traduccion overload
ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 extendable
ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 extendable
ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 extendable
ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 extendable
ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 extendable
!
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 194.140.64.0 0.0.31.255 any
access-list 110 permit ip host 62.97.66.136 any
access-list 110 permit ip 192.0.0.0 0.255.255.255 any
access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any host 204.60.72.193 eq 6024
access-list 110 permit tcp any host 204.60.72.193 eq 6050
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any host 192.168.8.4 eq domain
access-list 110 permit udp any host 192.168.8.4 eq domain
access-list 110 permit tcp any any eq 81
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any eq 443 any
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
access-list 110 permit tcp host 80.44.216.45 any eq telnet
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 105C060C111200535B55
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

mARIO#

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
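As an added example (not part of John's reply or of Joe's post), the script below applies the checks John lists to a pasted "show run": SSH-only vty lines, a closed aux line, no reversible enable password beside the enable secret, the HTTP server off, SNMP communities bound to an ACL, and the DHCP inconsistency he points out. It also answers Joe's ACL question in a general way: for every numbered access list it reports wildcard permits and counts the entries that sit after a `permit ip any any` and are therefore never evaluated, which is the situation in access-list 110 above. Both config strings are constructed: WEAK_CONFIG is an excerpt modelled on Joe's posted config with an invented `snmp-server community public RO` line added so that check has something to find, and HARDENED_CONFIG applies the line, SNMP and ACL commands from John's reply. The parser relies only on IOS's one-space indentation of sub-commands; it is not a full IOS parser.

```python
"""Audit a Cisco IOS running-config for the hardening gaps discussed in this thread."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the config posted in the thread; the
# snmp-server line is invented so the SNMP check has something to report.
WEAK_CONFIG = """\
version 12.3
service password-encryption
no service dhcp
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
ip dhcp pool pool1
 network 192.168.8.0 255.255.255.0
no ip http server
snmp-server community public RO
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 105C060C111200535B55
 transport preferred all
 transport input all
 transport output all
"""

# Constructed counterpart applying the commands from John's reply.
HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
no ip http server
access-list 98 permit 192.168.100.0 0.0.0.255
snmp-server community READONLY RO 98
line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password
line vty 0 4
 transport input ssh
"""


def parse_config(text):
    """Split config text into (command, [sub-commands]) pairs in file order.

    IOS prints the sub-commands of a line/interface/pool block with a leading
    space; blank lines and '!' separators are dropped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_acls(blocks):
    """Flag wildcard permits and count the entries a 'permit ip any any' shadows."""
    findings = []
    rules = defaultdict(list)
    for cmd, _ in blocks:
        m = re.match(r"access-list (\d+) (permit|deny) (.*)", cmd)
        if m:
            rules[m.group(1)].append((m.group(2), m.group(3).split()))
    for acl, entries in rules.items():
        for i, (action, tokens) in enumerate(entries):
            if action != "permit":
                continue
            if tokens in (["ip", "any", "any"], ["any"]):  # extended / standard form
                shadowed = len(entries) - i - 1
                findings.append(("ACL_PERMIT_ANY",
                                 f"access-list {acl}: entry {i + 1} permits everything; "
                                 f"{shadowed} later entries are never evaluated"))
                break  # ACLs are first-match: nothing after this entry matters
            if len(tokens) == 3 and tokens[1:] == ["any", "any"]:
                findings.append(("ACL_PROTO_ANY",
                                 f"access-list {acl}: entry {i + 1} permits all {tokens[0]}"))
    return findings


def audit(text):
    """Return a list of (code, message) findings; an empty list means no findings."""
    blocks = parse_config(text)
    cmds = [c for c, _ in blocks]
    findings = []
    if "service password-encryption" not in cmds:
        findings.append(("NO_PW_ENCRYPTION", "service password-encryption is off"))
    if any(c.startswith("enable password ") for c in cmds):
        findings.append(("ENABLE_PASSWORD",
                         "enable password is set beside enable secret; remove it"))
    if "ip http server" in cmds:
        findings.append(("HTTP_ENABLED", "ip http server is enabled"))
    if "no service dhcp" in cmds and any(c.startswith("ip dhcp pool") for c in cmds):
        findings.append(("DHCP_INCONSISTENT",
                         "a DHCP pool is configured but the DHCP service is disabled"))
    for cmd, subs in blocks:
        if cmd.startswith("line vty"):
            inputs = [s for s in subs if s.startswith("transport input")]
            if inputs != ["transport input ssh"]:
                findings.append(("VTY_NOT_SSH_ONLY",
                                 f"{cmd}: transport input is {inputs or ['(default)']}"))
        elif cmd.startswith("line aux") and "transport input none" not in subs:
            findings.append(("AUX_OPEN", f"{cmd}: transport input is not 'none'"))
        elif cmd.startswith("snmp-server community"):
            parts = cmd.split()  # snmp-server community <name> [RO|RW] [acl]
            if len(parts) < 5 or parts[-1].upper() in ("RO", "RW"):
                findings.append(("SNMP_NO_ACL", f"{cmd}: community is not bound to an ACL"))
    return findings + audit_acls(blocks)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for code, msg in audit(cfg) or [("OK", "no findings")]:
            print(f"{code:18} {msg}")
```

Run it with `python audit_ios.py` (or import `audit` and feed it the text of a saved "show run"). On the weak excerpt it reports the reversible enable password, the DHCP inconsistency, the open vty and aux lines, the unbound SNMP community, the `tcp any any` / `udp any any` entries, and that the `permit ip any any` in list 110 leaves one later entry dead; on the hardened counterpart it returns no findings.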
Current thread:
- Help hardening router mzcohen2682 (Mar 08)
- Re: Help hardening router David Goldsmith (Mar 09)
- Re: Help hardening router John Morrison (Mar 09)
- Re: Help hardening router Mike Hale (Mar 09)
- RE: Help hardening router Jatmoko, Arif (ID - Jakarta) (Mar 09)
- Re: Help hardening router Alex (Mar 09)
- Re: Help hardening router Curt Shaffer (Mar 09)
- Re: Help hardening router Dave LaDuke (Mar 10)
- Re: Help hardening router doug schmidt (Mar 10)
- RE: Help hardening router Michael Yelland (Mar 15)
- <Possible follow-ups>
- FW: Help hardening router Craig S. Wright (Mar 09)