some important general principles for maintaining good router security.
1. Create and maintain a written router security policy. The policy
should identify who is allowed to log in to the router, who is allowed
to configure and update it, and should outline the logging and
management practices.
2. Have offline master copies of your router configuration files, and protect them: a saved configuration contains the enable secret hash, the line passwords and the SNMP community strings.
3. Implement access control lists (ACLs) that permit only the protocols, ports and IP addresses that are actually required and deny everything else. The simplest form is a standard ACL (numbers 1-99) that admits a single host and logs every other attempt:
MyRouter(config)# no access-list 49
MyRouter(config)# access-list 49 permit host <IP address of host>
MyRouter(config)# access-list 49 deny any log
General best-practice rules for the inbound list on the external interface. This is an extended ACL (numbers 100-199); entries are evaluated in order, and anything not explicitly permitted is dropped by the implicit deny at the end. Note that ACL entries take a wildcard mask, the inverse of the subnet mask: a /16 is written 0.0.255.255, not 255.255.0.0.
MyRouter(config)# no access-list 107
MyRouter(config)# ! block our internal addresses on external interfaces (anti-spoofing)
MyRouter(config)# access-list 107 deny ip <internal IP Network1> <internal wildcard mask> any log
MyRouter(config)# access-list 107 deny ip <internal IP Network2> <internal wildcard mask> any log
MyRouter(config)# ! block special/reserved addresses
MyRouter(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
MyRouter(config)# access-list 107 deny ip 0.0.0.0 0.255.255.255 any log
MyRouter(config)# access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
MyRouter(config)# access-list 107 deny ip 169.254.0.0 0.0.255.255 any log
MyRouter(config)# access-list 107 deny ip 172.16.0.0 0.15.255.255 any log
MyRouter(config)# access-list 107 deny ip 192.168.0.0 0.0.255.255 any log
MyRouter(config)# ! block multicast (if not used)
MyRouter(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any
MyRouter(config)# ! block some ICMP message types
MyRouter(config)# access-list 107 deny icmp any any redirect log
MyRouter(config)# access-list 107 deny icmp any any echo log
MyRouter(config)# access-list 107 deny icmp any any mask-request log
MyRouter(config)# access-list 107 permit ip any <internal Network 1> 0.0.255.255
MyRouter(config)# access-list 107 permit ip any <internal Network 2> 0.0.255.255
MyRouter(config)# interface Ethernet0/0
MyRouter(config-if)# description External interface
MyRouter(config-if)# ip access-group 107 in
Two things to decide before applying this list: the echo entry blocks inbound ping to everything behind the router, which is usually intended but should be a conscious choice, and a log keyword on every entry can load the CPU and flood the syslog host on a busy link, so keep logging on the spoofed-source entries and consider dropping it from the high-volume ones.
4. Block incoming packets that claim the router's own interface address as both source and destination (a 'Land' attack on the router itself):
MyRouter(config)# access-list 102 deny ip host <ipaddress3> host <ipaddress3> log
MyRouter(config)# interface Ethernet0/1
MyRouter(config-if)# ip address <ipaddress3> 255.255.0.0
MyRouter(config-if)# ip access-group 102 in
IOS applies one list per interface and direction, so in practice this deny goes in as the first entry of whatever inbound list the interface already carries (access-list 107 above, for example) rather than as a list of its own. Note that the border-router example later on this page reuses the number 102 for a different list.
5. Configure an access list for the virtual terminal lines to control Telnet (and SSH) access. Define standard access-list 92 first, permitting only the management hosts as access-list 49 above does; an access-class that refers to a list with no entries blocks nothing.
MyRouter(config)# line vty 0 4
MyRouter(config-line)# access-class 92 in
6. Turn on the router's logging capability, and use it to log errors and
blocked packets to an internal (trusted) syslog host. Make sure that the
router blocks syslog traffic (UDP port 514) from untrusted networks, so that an outsider cannot flood the log host or inject misleading entries.
7. Configure the router to include time information in the logging, and synchronise its clock from NTP so that entries can be correlated with other hosts' logs:
MyRouter(config)# service timestamps log datetime localtime show-timezone msec
MyRouter(config)# clock timezone GMT 0
MyRouter(config)# ntp server <ntp server1>
MyRouter(config)# ntp server <ntp server2>
3. If your network requires SNMP, then configure an SNMP ACL and hard-to-guess SNMP community strings. Remove the default public/private strings first (the IOS command is snmp-server community); the read-only string below is restricted to the hosts in standard access-list 51:
MyRouter(config)# no snmp-server community public RO
MyRouter(config)# no snmp-server community private RW
MyRouter(config)# no access-list 51
MyRouter(config)# access-list 51 permit host <authorised SNMP requester>
MyRouter(config)# snmp-server community neither+never RO 51
The community string travels in the clear in every SNMPv1/v2c request, so the ACL is what actually keeps strangers out. Do not configure a read-write community at all unless something needs it, and prefer SNMPv3 with authentication and privacy where the IOS image supports it.
On a border router, allow only packets with internal source addresses to enter the router from the internal interfaces, and allow only packets destined for internal addresses to enter the router from the outside (external interfaces). Block illegal source addresses at the outgoing interface as well. Besides preventing an attacker from using your network to attack other sites, this egress filtering helps identify poorly configured (or compromised) internal hosts and networks. The 0.0.0.255 wildcard below assumes a /24 internal network; adjust it to your prefix.
MyRouter(config)# no access-list 101
MyRouter(config)# access-list 101 permit ip <internal Network> 0.0.0.255 any
MyRouter(config)# access-list 101 deny ip any any log
MyRouter(config)# no access-list 102
MyRouter(config)# access-list 102 permit ip any <internal Network> 0.0.0.255
MyRouter(config)# access-list 102 deny ip any any log
MyRouter(config)# interface Ethernet1
MyRouter(config-if)# ip access-group 101 in
MyRouter(config-if)# exit
MyRouter(config)# interface Ethernet0
MyRouter(config-if)# ip access-group 101 out
MyRouter(config-if)# ip access-group 102 in
Because IOS accepts one list per interface and direction, the inbound list on the external interface (102 here) should also carry the anti-spoofing and bogon entries shown for access-list 107 above.
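Hand-computing wildcard masks and retyping the anti-spoofing, bogon and egress entries for every site is where mistakes creep in. The following Python script, an added example and not configuration from the original page, generates the access-list 107 style inbound list and the access-list 101/102 style egress pair shown above from a list of CIDR prefixes, with the 'Land' deny from item 4 placed first. It uses only the standard-library ipaddress module; the function names are the example's own, and the prefixes, interface names and the 203.0.113.2 / 198.51.100.0/24 addresses in the usage are constructed illustrations from RFC 5737 documentation space.

```python
import ipaddress

# Special-use source prefixes that must never arrive on an external interface
# (the page's list, with link-local as 169.254.0.0/16); extend as needed.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16"]
MULTICAST = "224.0.0.0/4"
ICMP_TYPES_TO_DROP = ["redirect", "echo", "mask-request"]


def wildcard(prefix):
    """'10.1.0.0/16' -> '10.1.0.0 0.0.255.255': Cisco wildcard = inverted netmask.

    strict=True rejects a prefix with host bits set (e.g. 10.1.5.0/16), which
    would otherwise silently produce an entry matching the wrong range."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    if net.prefixlen == 32:                      # single host: IOS 'host' form
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ingress_acl(number, internal_nets, external_ip, log=True):
    """Inbound list for the external interface (the access-list 107 pattern)."""
    lg = " log" if log else ""
    acl = [f"no access-list {number}",
           # 'Land' attack: router's own address as both source and destination
           f"access-list {number} deny ip host {external_ip} host {external_ip}{lg}"]
    # anti-spoofing: our own prefixes never legitimately arrive from outside
    for net in internal_nets + BOGONS:
        acl.append(f"access-list {number} deny ip {wildcard(net)} any{lg}")
    acl.append(f"access-list {number} deny ip {wildcard(MULTICAST)} any")
    for icmp_type in ICMP_TYPES_TO_DROP:
        acl.append(f"access-list {number} deny icmp any any {icmp_type}{lg}")
    # only traffic for our own address space may enter; the closing deny is
    # what IOS would do implicitly anyway, written out so the drops are logged
    for net in internal_nets:
        acl.append(f"access-list {number} permit ip any {wildcard(net)}")
    acl.append(f"access-list {number} deny ip any any{lg}")
    return acl


def egress_acl(number, internal_nets, log=True):
    """Applied inbound on the internal interface and outbound on the external
    one (the access-list 101 pattern): only our own addresses may leave."""
    lg = " log" if log else ""
    acl = [f"no access-list {number}"]
    for net in internal_nets:
        acl.append(f"access-list {number} permit ip {wildcard(net)} any")
    acl.append(f"access-list {number} deny ip any any{lg}")
    return acl


def border_config(internal_nets, external_if, external_ip, internal_if,
                  ingress_no=107, egress_no=101):
    """Complete snippet: both lists plus the interface bindings."""
    lines = ingress_acl(ingress_no, internal_nets, external_ip)
    lines += egress_acl(egress_no, internal_nets)
    lines += [f"interface {external_if}",
              " description External interface",
              f" ip access-group {ingress_no} in",
              f" ip access-group {egress_no} out",
              f"interface {internal_if}",
              f" ip access-group {egress_no} in"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: RFC 5737 documentation space stands in for the
    # site's public prefix and the router's external address.
    print(border_config(["198.51.100.0/24", "10.1.0.0/16"], "Ethernet0/0",
                        "203.0.113.2", "Ethernet0/1"))
```

Paste the printed output into configuration mode. If an internal prefix is itself RFC 1918 space the anti-spoofing and bogon entries overlap, which is harmless; a prefix that is not on its network boundary is rejected outright rather than turned into an entry that matches the wrong addresses.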
4. Shut down unneeded services on the router. Each of these listens on the router itself:
Small services (echo, discard, chargen, etc.)
- no service tcp-small-servers
- no service udp-small-servers
BOOTP - no ip bootp server
Finger - no service finger
HTTP - no ip http server (and no ip http secure-server on images that have it)
SNMP - no snmp-server (only if SNMP is not required; otherwise restrict it with an ACL as described above)
5. Shut down unneeded services on the router that allow certain packets to pass through it, send special packets, or are used for remote router configuration:
CDP - no cdp run
Remote config. - no service config
Source routing - no ip source-route
6. Secure all the interfaces in turn on the router (these are interface-level commands, entered under each interface):
Unused interfaces - shutdown
No Smurf attacks - no ip directed-broadcast
Mask replies - no ip mask-reply
Ad-hoc routing - no ip proxy-arp
7. Secure the console line, auxiliary line and the virtual terminal lines on
the router:
Console line - line con 0
exec-timeout 5 0
login
Auxiliary line - line aux 0
no exec
exec-timeout 0 10
transport input none
VTY lines - line vty 0 4
exec-timeout 5 0
login
transport input telnet ssh
Telnet sends the login password in cleartext; once SSH is working on the router, tighten the last line to transport input ssh. login on its own prompts for the line password set with the password command, while login local authenticates against locally configured usernames instead.
8. Use more secure passwords. The enable secret password is stored as an MD5-based hash rather than in cleartext, so use it in place of enable password. Also configure passwords for the console line, the auxiliary line and the virtual terminal lines, and give them basic protection with
MyRouter(config)# service password-encryption
This only obscures the line passwords with the reversible type 7 scheme: it stops casual reading of the configuration over someone's shoulder, but anyone who obtains the configuration file can recover them, which is another reason to protect the offline copies. The enable secret remains the only credential stored as a hash.
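The checklist in items 4 to 8, together with the logging, NTP and SNMP items above, is easy to audit mechanically from a saved running-config. The following Python script is an added example, not a tool from the original page: it parses an IOS-style configuration into global commands and interface/line sections, applies each checklist item, and returns what is missing or misconfigured. Both configurations embedded in it are constructed samples, not real device output, and the rule set assumes the configuration was captured with show running-config all so that default-valued settings appear as explicit lines (a plain show running-config omits them, which would make a default-enabled service invisible to the checker).

```python
import re

# Constructed before/after samples (not real device output).  Audit a real
# router from 'show running-config all' so default-valued settings are printed.
WEAK_CONFIG = """\
service tcp-small-servers
ip http server
snmp-server community public RO
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip directed-broadcast
interface Ethernet1/0
line vty 0 4
 exec-timeout 0 0
 transport input telnet
 login
"""
HARDENED_CONFIG = """\
service password-encryption
service timestamps log datetime localtime show-timezone msec
no cdp run
no ip source-route
enable secret 5 $1$salt$placeholderhash
ntp server 10.1.0.10
logging host 10.1.0.5
snmp-server community neither+never RO 51
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.0
 no ip proxy-arp
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 92 in
 exec-timeout 5 0
 login
 transport input ssh
"""
# (regex over one global command, must it be present?, finding when the check fails)
GLOBAL_RULES = [
    (r"service password-encryption$", True, "add 'service password-encryption'"),
    (r"enable secret ", True, "no 'enable secret' configured"),
    (r"service (tcp|udp)-small-servers$", False, "small servers enabled"),
    (r"(ip http server|service finger|ip bootp server)$", False, "HTTP/finger/BOOTP enabled"),
    (r"no cdp run$", True, "CDP running"),
    (r"no ip source-route$", True, "source routing allowed"),
    (r"service timestamps log datetime", True, "log messages not timestamped"),
    (r"ntp server ", True, "no NTP server"),
    (r"logging (host )?\d", True, "no syslog host"),
    (r"snmp-server community (public|private)\b", False, "default SNMP community"),
    (r"snmp-server community \S+ (RW|rw)\b", False, "read-write SNMP community"),
    (r"snmp-server community \S+ (RO|RW|ro|rw)$", False, "SNMP community without ACL"),
]

def parse_ios(text):
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if raw.startswith(" ") and current:              # indented: part of current section
            sections[current].append(cmd)
        elif cmd.startswith(("interface ", "line ")):     # section header
            current, sections[cmd] = cmd, []
        else:                                            # global command
            current = None
            global_cmds.append(cmd)
    return global_cmds, sections

def check_interface(name, cmds):
    has_addr = any(c.startswith("ip address ") for c in cmds)
    bad = [("unused interface not shut down", not has_addr and "shutdown" not in cmds),
           ("directed broadcasts enabled (Smurf amplifier)", "ip directed-broadcast" in cmds),
           ("ICMP mask replies enabled", "ip mask-reply" in cmds),
           ("proxy ARP not disabled", has_addr and "no ip proxy-arp" not in cmds)]
    return [f"{name}: {msg}" for msg, hit in bad if hit]

def check_line(name, cmds):
    timeout = next((c for c in cmds if c.startswith("exec-timeout")), None)
    transport = next((c for c in cmds if c.startswith("transport input")), "transport input (default)")
    if name.startswith("line aux"):                      # nobody should get a shell on the aux port
        bad = [("EXEC not disabled", "no exec" not in cmds),
               ("transport input not 'none'", transport != "transport input none")]
    else:
        bad = [("idle sessions never time out", timeout in (None, "exec-timeout 0 0")),
               ("no 'login' on line", not any(c.startswith("login") for c in cmds))]
        if name.startswith("line vty"):
            bad += [(f"cleartext management allowed ({transport}); use 'transport input ssh'",
                     transport != "transport input ssh"),
                    ("no access-class restricting management hosts",
                     not any(c.startswith("access-class") for c in cmds))]
    return [f"{name}: {msg}" for msg, hit in bad if hit]

def audit(config_text):
    """Return the checklist findings for an IOS running-config (empty list = clean)."""
    global_cmds, sections = parse_ios(config_text)
    findings = [msg for pat, required, msg in GLOBAL_RULES
                if any(re.match(pat, c) for c in global_cmds) != required]
    for name, cmds in sections.items():
        check = check_interface if name.startswith("interface") else check_line
        findings += check(name, cmds)
    return findings
```

audit() returns the list of findings, so audit(WEAK_CONFIG) gives seventeen entries (the default public community with no ACL, the Telnet-enabled VTY lines, the interface that was never shut down, the missing enable secret and so on) and audit(HARDENED_CONFIG) returns an empty list. Extending it is a matter of adding a tuple to GLOBAL_RULES or a line to the per-interface and per-line checks; the checks only see what the router prints, which is why the capture must include default settings.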