Security Basics mailing list archives

Re: Help hardening router


From: John Morrison <john.morrison101 () googlemail com>
Date: Tue, 9 Mar 2010 14:43:38 +0000

Joe,

To protect, or secure, the router there are a few basics. These boil down to:
   Install the latest IOS updates
   Only run required services and disable all others
   Allow only authenticated and encrypted access to the router
   Use ACLs to control remote access to the router

See
   http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml


Latest IOS Update
==============
Download and install the latest IOS for your device.
Check the Cisco site for any minor updates and apply those if they are
relevant to your environment. For example, if you don't have an ISDN
interface you don't need fixes that are specific to that interface model.

You can check information about your IOS revision here:
   http://www.cisco.com/cisco/web/psa/troubleshoot.html



Required Service
==============
Use no service, etc. to stop services.
If you have an IOS revision of 12.0 or later many services (e.g. small
udp and small tcp) are disabled by default.

I notice you have stopped the DHCP service, but also have DHCP
configured. Did you want to do this?

Use the most secure version of a protocol. For example, SNMPv3, sftp, etc.


Authenticated and Encrypted Access
============================
Encrypt passwords as type 7 (using enable secret, service
password-encryption, etc.)

Use local or TACACS+ for greater control of authentication. For
example, aaa local authentication attempts max-fail <max-attempts>

Only allow access with encrypted connections, such as sftp, https,
ssh, etc. Disable and block access with unencrypted protocols, e.g.
ftp, http, telnet, etc.
line vty 0 4
 transport input ssh

line aux 0
 transport input none
 transport output none
 no exec
 exec-timeout 0 1
 no password

Use secure names for SNMP community strings and, if you can, use SNMPv3
and its greater levels of security.


Use ACLs to Control Remote Access to Router
====================================
Use ACLs to block insecure protocols, such as ftp, http, telnet, etc.

Use ACLs to only allow access from your management addresses.

Block all management traffic on interfaces to untrusted networks. Use
ACLs on vty and other lines to only allow access from your management
network or management station.

Control access to snmp
access-list 98 permit 192.168.100.0 0.0.0.255
access-list 99 permit 192.168.100.1
!
snmp-server community READONLY RO 98
snmp-server community READWRITE RW 99

Secure routing protocol updates using ACLs


Other
====
Cisco also recommend removing VLAN1 and not allowing the use of a default
VLAN. This VLAN is untagged and can be used to compromise a device at
layer 2.

On 8 March 2010 20:27,  <mzcohen2682 () aim com> wrote:
Hi all!

I have a task to harden a small organization's router. Today they have only the
router and they don't use a FW.

I'm pasting here the config (not before changing the IPs). Can someone
recommend which commands to implement in order to harden the router?

They use some VPNs and the admin configures the router through telnet. Another
thing: how do I know if this IOS supports SSH?

Also, at the end of the access list they have a line saying:

access-list 111 permit ip any any

I think this is a bad config, right?

Thanks a lot all!!

joe

MARIO#sh run
Building configuration...

Current configuration : 4851 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname mario
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
!
username martin password 7 011E090A4F041200
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default none
aaa session-id common
ip subnet-zero
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.8.1 192.168.8.100
!
ip dhcp pool pool1
 network 192.168.8.0 255.255.255.0
 default-router 192.168.8.2
 dns-server 204.60.193.1 192.168.8.4 204.60.193.2
!
!
ip dhcp-server 192.168.8.2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
 protocol pptp
 virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Tunnel8
description Tunel israel Central
ip unnumbered FastEthernet4
ip route-cache flow
no ip mroute-cache
tunnel source FastEthernet4
tunnel destination 195.77.213.228
!
interface Tunnel351
description Tunel sucursal Cordoba Argentina
ip unnumbered FastEthernet4
ip route-cache flow
no ip mroute-cache
tunnel source FastEthernet4
tunnel destination 204.60.231.161
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 227.68.72.193 255.255.255.252
ip access-group 110 in
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet4
peer default ip address pool grupoIPclientePPTP
no keepalive
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
ip address 192.168.8.2 255.255.255.0
ip access-group 111 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
ip default-gateway 204.68.72.194
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.72.194
ip route 192.168.0.0 255.255.0.0 Tunnel8
ip route 192.168.1.0 255.255.255.0 Tunnel8
ip route 192.168.5.0 255.255.255.0 Tunnel8
ip route 192.168.8.0 255.255.255.0 Vlan1
ip route 192.168.81.0 255.255.255.0 Tunnel351
!
no ip http server
no ip http secure-server
ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 255.255.255.252
ip nat inside source list 100 pool traduccion overload
ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 extendable
ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 extendable
ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 extendable
ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 extendable
ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 extendable
!
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 194.140.64.0 0.0.31.255 any
access-list 110 permit ip host 62.97.66.136 any
access-list 110 permit ip 192.0.0.0 0.255.255.255 any
access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any host 204.60.72.193 eq 6024
access-list 110 permit tcp any host 204.60.72.193 eq 6050
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any host 192.168.8.4 eq domain
access-list 110 permit udp any host 192.168.8.4 eq domain
access-list 110 permit tcp any any eq 81
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any eq 443 any
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
access-list 110 permit tcp host 80.44.216.45 any eq telnet
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
password 7 105C060C111200535B55
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
end

mARIO#
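As an added example (not part of the thread or of Cisco's own tooling), a small Python audit that runs several of the reply's checks over a pasted `sh run`: type 7 password strings, an ACL that contains `permit ip any any` (Joe's question about ACL 111, and in ACL 110 the entries after it that can never match), and vty lines that lack `transport input ssh` or an `access-class`. The two config excerpts are constructed placeholders shaped like the paste, WEAK_CONFIG before and HARDENED_CONFIG after applying the advice; `line` sections are tracked by keyword because the paste has lost IOS indentation. Note that `service password-encryption` yields reversible type 7 strings, whereas `enable secret` stores a type 5 hash, so the checker treats type 7 as a finding.

```python
import re
# Constructed excerpts: WEAK_CONFIG mirrors the shape of Joe's paste, HARDENED_CONFIG applies the reply's advice.
WEAK_CONFIG = """\
enable password 7 0123456789ABCDEF
access-list 110 permit ip any any
access-list 110 permit gre host 203.0.113.10 host 203.0.113.1
access-list 111 permit ip any any
line vty 0 4
password 7 0123456789ABCDEF
transport input all
"""
HARDENED_CONFIG = """\
enable secret 5 $1$placeholder$placeholderhash
access-list 99 permit 192.168.100.1
line vty 0 4
access-class 99 in
transport input ssh
"""

def parse(config):
    # The paste has lost IOS indentation, so 'line' sections are tracked by keyword instead.
    lines, acls, type7, section = {}, {}, [], None
    for ln in (l.strip() for l in config.splitlines()):
        if ln.startswith("line "):
            section = ln
            lines[section] = []
        elif m := re.match(r"access-list (\d+) (.+)", ln):
            acls.setdefault(m.group(1), []).append(m.group(2))
            section = None
        elif ln in ("", "!"):               # "!" closes the current section
            section = None
        else:
            if re.search(r"\bpassword 7 \S+", ln):   # type 7 is a reversible encoding, not a hash
                type7.append(ln)
            if section:
                lines[section].append(ln)
    return lines, acls, type7

def audit(config):
    # Returns findings as strings; an empty list means none of the thread's checks fired.
    lines, acls, type7 = parse(config)
    out = [f"type7: '{ln}' is reversible; use 'enable secret' / 'username ... secret'" for ln in type7]
    for name, entries in acls.items():
        if "permit ip any any" in entries:   # entries after this one can never match
            later = len(entries) - entries.index("permit ip any any") - 1
            out.append(f"acl {name}: 'permit ip any any' allows everything; {later} later entries unreachable")
    for name, cmds in lines.items():
        if name.startswith("line vty"):
            inputs = [c.split()[2:] for c in cmds if c.startswith("transport input")]
            if inputs != [["ssh"]] or not any(c.startswith("access-class") for c in cmds):
                out.append(f"{name}: needs 'transport input ssh' and an 'access-class <acl> in'")
    return out
```

Running `audit(WEAK_CONFIG)` on the constructed paste yields five findings, and `audit(HARDENED_CONFIG)` yields none.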

