Security Basics mailing list archives

Re: Help hardening router


From: Alex <alex.tsr () gmail com>
Date: Tue, 9 Mar 2010 08:56:31 +0200

On 8 March 2010 22:27,  <mzcohen2682 () aim com> wrote:
> Hi all!

Hi you

> I have a task to harden a small organization's router; today they have only the
> router and they don't use a FW.
>
> I'm pasting here the config (not before changing the IPs). Can someone
> recommend which commands to implement in order to harden the router?

Take a look at the Cisco IOS benchmark from CIS [1]

> They use some VPNs and the admin configures the router through telnet. Another
> thing: how do I know if this IOS supports SSH?

Type this:

MARIO (config)#ip ssh?

Does it show anything? [2]

> Also at the end of the access list they have a line saying:
>
> access-list 111 permit ip any any
>
> I think this is bad config, right?

Yes. You'd better replace this access list with one that only allows the
traffic that you want and place a deny-all rule at the end. (You will
see this in the CIS benchmark as well.)

But that's the access list that's applied to your internal network
going out. You also have an access list that seems to be applied to
the internet traffic going in (access-list 110). First of all, I'd
recommend using reflexive access lists [3] (if supported by your IOS),
which will make your life easier and give you the ability to allow only
the return traffic and not all possible traffic. If you can't use
reflexive access lists, I'd suggest some serious cleaning up to be
done to that access list.



[1]  http://cisecurity.org/en-us/?route=downloads.show.single.ios.220
[2] http://www.cisco.com/application/pdf/paws/4145/ssh.pdf
[3] http://www.cisco.com/application/pdf/paws/23602/confaccesslists.pdf


-- 
Cheers, Alex.
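What the advice above looks like as IOS configuration, as an added example that is not part of Alex's reply or the poster's config. It assumes a constructed inside LAN of 192.0.2.0/24, an outside interface FastEthernet0/0 with address 203.0.113.1 that terminates the IPsec VPN, and it converts the numbered lists 110/111 into named extended lists (LAN-OUT, WAN-IN), because reflexive entries are only supported in named extended access lists; it also goes slightly beyond the reply by adding the SSH-only management lines the poster asked about.

```cisco
! Assumed addressing (constructed): inside LAN 192.0.2.0/24,
! outside interface FastEthernet0/0 = 203.0.113.1 (VPN endpoint).
!
! Outbound (replaces 111): permit only sessions the LAN may start,
! and let each one create a temporary reflexive entry for its replies.
ip access-list extended LAN-OUT
 permit tcp 192.0.2.0 0.0.0.255 any reflect RTCP timeout 300
 permit udp 192.0.2.0 0.0.0.255 any reflect RUDP timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any reflect RICMP timeout 30
 remark explicit, logged deny-all instead of "permit ip any any"
 deny ip any any log
!
! Inbound (replaces 110): return traffic is admitted only through the
! reflexive entries, plus the VPN traffic addressed to the router itself.
ip access-list extended WAN-IN
 evaluate RTCP
 evaluate RUDP
 evaluate RICMP
 remark ISAKMP (500), NAT-T (4500) and ESP for the site-to-site VPN
 permit udp any host 203.0.113.1 eq 500
 permit udp any host 203.0.113.1 eq 4500
 permit esp any host 203.0.113.1
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group WAN-IN in
 ip access-group LAN-OUT out
!
! Management: SSHv2 instead of telnet, reachable only from the LAN.
ip domain-name example.invalid
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT
 permit 192.0.2.0 0.0.0.255
 deny any log
line vty 0 4
 transport input ssh
 access-class MGMT in
```

The `deny ip any any log` entries make the dropped traffic visible in the router log, which is how you find out what the old catch-all permit was actually letting through before it is removed.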

