Security Basics mailing list archives
Re: Help hardening router
From: Alex <alex.tsr () gmail com>
Date: Tue, 9 Mar 2010 08:56:31 +0200
On 8 March 2010 22:27, <mzcohen2682 () aim com> wrote:
> Hi all!

Hi you

> I have a task to harden a small organization router. Today they have only the router and they don't use a FW. I'm pasting here the config (not before changing the IPs). Can someone recommend which commands to implement in order to harden the router?

Take a look at the Cisco IOS benchmark from CIS [1]

> They use some VPNs and the admin configs the router through telnet. Another thing: how do I know if this IOS supports SSH?

Type this: MARIO(config)#ip ssh ? Does it show anything? [2]

> Also, at the end of the access list they have a line saying: access-list 111 permit ip any any. I think this is a bad config, right?

Yes. You'd better change this access list with one that only allows the traffic that you want and place a deny-all rule at the end. (You will see this in the CIS benchmark as well.) But that's the access list that's applied to your internal network going out. You also have an access list that seems to be applied to the internet traffic going in (access-list 110). First of all, I'd recommend using reflexive access lists [3] (if supported by your IOS), which will make your life easier and give you the ability to allow only the return traffic and not all possible traffic. If you can't use reflexive access lists, I'd suggest some serious cleaning up to be done to that access list.

[1] http://cisecurity.org/en-us/?route=downloads.show.single.ios.220
[2] http://www.cisco.com/application/pdf/paws/4145/ssh.pdf
[3] http://www.cisco.com/application/pdf/paws/23602/confaccesslists.pdf

--
Cheers,
Alex.
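As an added example (not part of Alex's reply or the original poster's configuration), this is what the advice in the reply above looks like in IOS syntax: the trailing `permit ip any any` of the outbound list is replaced by explicit permits and a logged deny-all, reflexive entries let only return traffic back in on the inbound list, and the vty lines are restricted to SSH once `ip ssh ?` has confirmed support. The interface name, ACL names, hostname, domain name and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```cisco
! Added example, not the OP's config or Alex's. Interface, ACL names, hostname,
! domain and the 192.0.2.0/24 (LAN) and 203.0.113.0/24 (Internet side) addresses
! are constructed placeholders.
!
! --- Before: the line the OP quoted, which lets everything out ---
! access-list 111 permit ip any any
!
! --- After: outbound list for traffic leaving the LAN toward the Internet ---
ip access-list extended OUTBOUND-TO-INET
 remark LAN may open web, mail and DNS sessions; each permitted flow is
 remark recorded in a reflexive list so only its return traffic is let back in
 permit tcp 192.0.2.0 0.0.0.255 any eq 80 reflect RETURN-TCP timeout 300
 permit tcp 192.0.2.0 0.0.0.255 any eq 443 reflect RETURN-TCP timeout 300
 permit tcp 192.0.2.0 0.0.0.255 any eq 25 reflect RETURN-TCP timeout 300
 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.53 eq 53 reflect RETURN-UDP timeout 60
 permit icmp 192.0.2.0 0.0.0.255 any echo reflect RETURN-ICMP timeout 30
 remark explicit deny-all with logging instead of "permit ip any any"
 deny ip any any log
!
! --- After: inbound list for traffic arriving from the Internet ---
ip access-list extended INBOUND-FROM-INET
 remark Site-to-site VPN peer (placeholder address): ISAKMP, NAT-T and ESP only
 permit udp host 203.0.113.10 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.10 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 203.0.113.1
 remark Admin access over SSH from one management host; telnet is not allowed
 permit tcp host 203.0.113.20 host 203.0.113.1 eq 22
 remark Replies to sessions the LAN opened (the reflect entries above)
 evaluate RETURN-TCP
 evaluate RETURN-UDP
 evaluate RETURN-ICMP
 remark Unsolicited inbound traffic is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0
 description Outside interface, public address 203.0.113.1 (placeholder)
 ip access-group OUTBOUND-TO-INET out
 ip access-group INBOUND-FROM-INET in
!
! --- Only if "ip ssh ?" showed SSH support: management over SSH, not telnet ---
! The hostname and domain name are assumed; the RSA keypair must exist before
! SSH can be enabled.
hostname MARIO
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 transport input ssh
```

After applying the lists, `show access-lists` displays the temporary reflexive entries created by `reflect` as LAN hosts open sessions, together with hit counters for the logged deny lines, which is the quickest way to see what the old `permit ip any any` was silently allowing. Reflexive lists track only the flows they see, so protocols that open secondary connections (FTP data channels, for instance) need their own explicit entries.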
Current thread:
- Help hardening router mzcohen2682 (Mar 08)
- Re: Help hardening router David Goldsmith (Mar 09)
- Re: Help hardening router John Morrison (Mar 09)
- Re: Help hardening router Mike Hale (Mar 09)
- RE: Help hardening router Jatmoko, Arif (ID - Jakarta) (Mar 09)
- Re: Help hardening router Alex (Mar 09)
- Re: Help hardening router Curt Shaffer (Mar 09)
- Re: Help hardening router Dave LaDuke (Mar 10)
- Re: Help hardening router doug schmidt (Mar 10)
- RE: Help hardening router Michael Yelland (Mar 15)
- <Possible follow-ups>
- FW: Help hardening router Craig S. Wright (Mar 09)