Security Consulting

CISCO Router Security

Management

Are you aware that you probably use an insecure protocol (Telnet) to administer your routers and switches? Telnet carries the login and enable passwords in clear text; use SSH wherever the IOS image supports it.
Did you at least set an ACL (access-class on the vty lines) so that only certain stations can open a management session to the device?
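The following is an added example of what the two questions above amount to in an IOS configuration; it is not taken from the original page. The hostname, domain name, the admin network 10.1.1.0/24, the syslog host 10.1.1.5 and the passwords are placeholders to be replaced with your own values.

```cisco
! Added example (not from the original page): hardening the management plane.
! hostname/domain-name are needed for the RSA key that SSH requires.
hostname rtr1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local account instead of a shared line password. "secret" stores a hash;
! "service password-encryption" only obfuscates remaining line passwords.
username admin privilege 15 secret CHANGE-ME-strong-password
enable secret CHANGE-ME-strong-enable-password
service password-encryption
!
! Only the admin network (placeholder 10.1.1.0/24) may reach the vty lines.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
! Check "show line" for the number of vty lines on your platform (0 4 or 0 15).
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
!
line con 0
 login local
 exec-timeout 5 0
!
! Ship the "deny ... log" hits somewhere you will actually read them.
logging 10.1.1.5
```

After applying it, confirm with `show ip ssh` that SSH is enabled and with `show line vty 0 4` that only SSH is accepted; then try a Telnet connection from outside 10.1.1.0/24 and check that the deny entry in `show access-lists 10` increments.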

Configuration

Private Ranges

Deny packets from private and other unroutable source ranges, both when they enter your network and when they leave it. The list is applied in both directions on the outside interface; the interface command is "ip access-group" (the original "access-group" is not valid IOS syntax):
    ! outside interface
    interface xx
     ip access-group 100 in
     ip access-group 100 out
    access-list 100 deny ip host 0.0.0.0 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 192.168.0.0 0.0.255.255 any
    access-list 100 deny ip 192.0.2.0 0.0.0.255 any
    access-list 100 deny ip 169.254.0.0 0.0.255.255 any
    access-list 100 deny ip 240.0.0.0 15.255.255.255 any
    ! an access list ends with an implicit "deny", so the rest must be permitted explicitly
    access-list 100 permit ip any any
    
    

Prevent spoofing

Deny packets that claim to come from your own internal address range but arrive on the outside interface, and let only packets sourced from your own range leave.

Additionally enable unicast reverse-path forwarding (uRPF) on the interface. It drops packets whose source address is not reachable through the interface they arrived on, so spoofed sources are caught without maintaining an address list by hand. uRPF needs CEF ("ip cef") and is configured per interface. The strict check:
    ip verify unicast reverse-path
or the "loose check", which only requires that some route to the source exists (use it where routing is asymmetric, since the strict check would drop legitimate traffic there):
    ip verify unicast source reachable-via any
By default uRPF does not consider the default route; on an uplink whose only route for most of the Internet is the default, add the "allow-default" keyword or the check drops nearly everything.
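Here is an added example (not code from the original page) putting the anti-spoofing advice together on a single-homed border router. It assumes the site owns 203.0.113.0/24 (an RFC 5737 documentation prefix standing in for your real assignment), that Serial0/0 faces the ISP and that FastEthernet0/0 faces the LAN; interface names and the prefix are assumptions.

```cisco
! Added example (not from the original page). 203.0.113.0/24, Serial0/0 and
! FastEthernet0/0 are placeholders for your own prefix and interfaces.
ip cef
!
! Ingress on the uplink: our own prefix must never arrive from the Internet,
! private/unroutable sources are dropped as in the previous section.
ip access-list extended OUTSIDE-IN
 deny   ip 203.0.113.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip any any
!
! Egress on the uplink: only packets sourced from our own prefix may leave,
! so a compromised inside host cannot take part in a spoofed flood.
ip access-list extended OUTSIDE-OUT
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0
 description uplink to ISP
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
interface FastEthernet0/0
 description LAN
 ip address 203.0.113.1 255.255.255.0
 ! strict uRPF on the LAN side: a host may only use source addresses that
 ! route back to this interface, which catches spoofing at its origin
 ip verify unicast source reachable-via rx
```

The uRPF check is placed on the LAN interface rather than the uplink: with only a default route towards the ISP, strict mode on Serial0/0 would need "allow-default" and then adds little beyond the ACL. Verify with `show ip interface FastEthernet0/0` (it lists the verification mode) and watch the "unicast RPF" counter in `show ip traffic | include RPF` and the logged ACL hits in `show access-lists`.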

Per Interface Settings

    ! "ip source-route" is a global setting, not an interface one
    no ip source-route
    interface xy
     ! no smurf amplification (the default since IOS 12.0)
     no ip directed-broadcast
     no ip proxy-arp
     no ip redirects
     ! see the note below before switching this off
     no ip unreachables
     no ip mask-reply
     ! or "no cdp run" globally if CDP is not needed anywhere
     no cdp enable

Note that "no ip unreachables" also stops the router from sending ICMP "fragmentation needed" messages, which breaks path MTU discovery for connections that must be fragmented at this hop. Weigh that against the reconnaissance value of unreachables before enabling it on a transit interface.

Rate Limits

If you are sure of what you are doing, you can introduce rate limits with CAR (committed access rate). The example limits new TCP connections to host x.x.x.x (packets that are not part of an established connection, i.e. SYNs) and ICMP echo traffic to 8000 bit/s with an 8000-byte burst. Access list 100 is already used by the private-range filter above, so the classification lists get their own numbers; a "deny" entry in such a list simply means "not rate-limited by this statement". CAR is a legacy feature; on current IOS the same is done with a policy-map and the "police" command.
    
    interface xy
     rate-limit input access-group 110 8000 8000 8000 conform-action transmit exceed-action drop
     rate-limit output access-group 110 8000 8000 8000 conform-action transmit exceed-action drop
     rate-limit input access-group 111 8000 8000 8000 conform-action transmit exceed-action drop
    
    ! 110: new TCP connections to x.x.x.x; established traffic is left alone
    access-list 110 deny tcp any host x.x.x.x established
    access-list 110 permit tcp any host x.x.x.x
    
    ! 111: ICMP echo and echo-reply
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
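The same limits expressed with the modular QoS CLI, as an added example that is not from the original page: the CAR "rate-limit" command is absent on many current platforms, where "police" under a policy-map replaces it. Assumptions: the protected host is 203.0.113.10 (placeholder), the interface is FastEthernet0/0, and the access lists are numbered 110 and 111 so they do not collide with the private-range filter above.

```cisco
! Added example (not from the original page). 203.0.113.10 and
! FastEthernet0/0 are placeholders.
! Classification: new TCP connections to the host (SYNs) and ICMP echo.
access-list 110 deny   tcp any host 203.0.113.10 established
access-list 110 permit tcp any host 203.0.113.10
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
!
class-map match-all NEW-TCP-TO-SERVER
 match access-group 110
class-map match-all ICMP-ECHO
 match access-group 111
!
! police <bps> <normal burst bytes> <max burst bytes>; everything over the
! rate is dropped, traffic in no class is forwarded unlimited.
policy-map RATE-LIMIT-IN
 class NEW-TCP-TO-SERVER
  police 8000 8000 8000 conform-action transmit exceed-action drop
 class ICMP-ECHO
  police 8000 8000 8000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 service-policy input RATE-LIMIT-IN
```

Check the result with `show policy-map interface FastEthernet0/0`, which shows conformed and exceeded packet counts per class; the 8000 bit/s figure is the page's illustrative value and should be sized from your actual baseline traffic before being deployed.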
    

Helpful Links

  • CISCO Security on Routers
  • CISCO Sample Config
  • Hardening Guide


    CopyLeft (l) 2003 by Raffael Marty