Eight Steps to Protect Your Cisco Router

-





Network security is a completely changing area; new devices like IDS (Intrusion Detection systems), IPS (Intrusion Prevention systems), and Honeypots are modifying the way people think about security. Companies are spending thousands of dollars on new security devices, but forgetting the basic, the first line of defense: the border router.
Although a lot of people may think that routers don’t need to be protected, they are completely wrong. A lot of secure problems appear all time against this kind of device and most of them are vulnerable.
There are 8 steps, easy to follow, to minimize your Cisco router exposure by turning off some unused services, applying some access control and applying some security options available on that.

1- Control Access to your router

The first thing to do is apply some rules to restrict all external access to some ports of the router. You can block all ports, but it is not always necessary. These commands bellow will protect your router against some reconnaissance attacks and, obviously, will restrict access to these ports:
access-list 110 deny tcp any host $yourRouterIP eq 7
access-list 110 deny tcp any host $yourRouterIP eq 9
access-list 110 deny tcp any host $yourRouterIP eq 13
access-list 110 deny tcp any host $yourRouterIP eq 19
access-list 110 deny tcp any host $yourRouterIP eq 23
access-list 110 deny tcp any host $yourRouterIP eq 79
int x0/0
access-group in 110
Where $your router IP is your router IP and x0/0 is your external interface. We will always use this convention in this article.


2- Restrict telnet access to it

Telnet is not a very safe protocol to use, but if you really need to use it (you should always use ssh) you might want to restrict all access to it (remember that all your traffic will be unencrypted). The best way to accomplish that is using a standard access-list and the access-class command.
access-list 50 permit 192.168.1.1
access-list 50 deny any log
line vty 0 4
access-class 50 in
exec-timeout 5 0
Where 192.168.1.1 is the IP address allowed to telnet the router

3- Block Spoof/Malicious packets

You must never allow loopback/reserved IP address from the Internet reach your external
interface and you can reject broadcast and multicast addresses too.
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.0.255 any
access-list 111 deny ip 172.16.0.0 0.0.255.255 a
access-list 111 deny ip 10.0.0.0 0.255.255.255 a
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255
access-list 111 deny icmp any any redirect
int x0/0
access-group in 111

4- Restrict SNMP

SNMP must always be restrict, unless you want some malicious person getting a lot of information from your network
access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any
interface x0/0
access-group 112 in
And if you are not going to use SNMP at all, disable it:
no snmp-server

5- Encrypt all passwords

A very important thing to do is protect all your passwords using the powerful algorithm as possible. The password from exec mode, that grants privileged access to the IOS system, can be set using a MD5 hash, which is the strongest option available on the Cisco IOS.
Enable secret $your password
All other passwords, you can encrypt using the Vigenere cipher that is not very strong, but can help. To do that, you can use the service password-encryption command that encrypts all passwords present in you system.
Service password-encryption


6- Disable all unused services

6.1 – Disable Echo, Chargen and discard
no service tcp-small-servers
no service udp-small-servers
6.2 – Disable finger
no service finger
6.3 – Disable the httpd interface
no ip http server
6.4 – Disable ntp (if you are not using it)
ntp disable

7- Add some security options

7.1 – Disable source routing
no ip source-route
7.2 – Disable Proxy Arp
no ip proxy-arp
7.3 – Disable ICMP redirects
interface s0/0 (your external interface)
no ip redirects
7.4 – Disable Multicast route Caching
interface s0/0 (your external interface)
no ip mroute-cache
7.5 – Disable CDP
no cdp run
7.6 – Disable direct broadcast (protect against Smurf attacks)
no ip directed-broadcast

8- Log everything

To finish, you must log everything on an outside Log Server. You must everything from all your systems and always analyze the logs.
logging trap debugging
logging 192.168.1.10
where 192.168.1.10 is the ip of your log server (configured as a Syslog server)

Comments

Post a Comment

Popular posts from this blog

7 Popular Layer 2 Attacks

-
Image
A large number of common threats need to be considered when securing a network, but a frequently overlooked area is the security of the LAN. When people think about security, often they’re thinking specifically of the layers above Layer 2, but there’s no reason to limit a security plan to these upper layers.  A good security plan should account for  all  layers, from Layer 1 through Layer 7.   Here we are discussing about some of the most common Layer 2 attacks and how they operate. 1. Spanning Tree Protocol (STP) Attacks The Spanning Tree Protocol (STP) is used on LAN-switched networks. Its primary function is removing potential loops within the network. Without STP, Layer 2 LANs simply would stop functioning, because the loops created within the network would flood the switches with traffic. The optimized operation and configuration of STP ensures that the LAN remains stable and that traffic takes the most optimized path through the network.  If an att
Read more

CCNA Latest Dumps Part 3

-
Image
QUESTION 21 Refer to the exhibit. The two connected ports on the switch are not turning orange or green. What would be the most effective steps to troubleshoot this physical layer problem? (Choose three.) A. Ensure that the Ethernet encapsulations match on the interconnected router and switch ports. B. Ensure that cables A and B are straight-through cables. C. Ensure cable A is plugged into a trunk port. D. Ensure the switch has power. E. Reboot all of the devices. F. Reseat all cables. Correct Answer: BDF QUESTION 22  A network administrator is troubleshooting the OSPF configuration of routers R1 and R2. The routers cannot establish an adjacency relationship on their common Ethernet link The graphic shows the output of the show ip ospf interface e0 command for routers R1 and R2. Based on the information in the graphic, what is the cause of this problem? A. The OSPF area is not configured properly. B. The priority on R1 sho
Read more

Nine Switch Commands Every Cisco Network Engineer Needs to Know

-
Image
1. hostname Syntax:   hostname   hostname One of the most basic network commands,  hostname  configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-). 2. ip default-gateway Syntax:   ip default-gateway  gateway The  ip default-gateway  command configures the default gateway for a switch when IP routing is  not  enabled (with the  ip routing  global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the  show ip route  command. When IP routing has not bee
Read more