!!Port 80 Question!! 1

[Abernut]

I had to enable port 80 on my 2800 so I could use my nice, pretty, SDM software.

ip http server
ip http authentication local


My question is....Do I need to do anything to secure that connection(ie access list..)

Our old IT says that I am stupid for enabling it because of security reasons. But.....He is also the one that suggest I use telnet. From everything I read, telnet itself is very unsecure.

Any help would be greatly appriciated.

Thanks
Chip

 

[burtsbees]

ip http secure-server
username blabla priv 15 sercret bambam

This enables ssl, and there is a check box in the sdm window that says something to the effect of...
"I have https enabled, and I want to use it"
Telnet to the thing, eh?lol
Yes, telnet passes all info in clear text, non-encrypted---throw a sniffer on the line, and ask your IT guy how secure it is when Ethereal shows username and passwords.

Burt

 

[CiscoRC]

Be aware, there's a new version of SDM, v2.4. It might not be to greatly big of a deal, but as we IT. or any other likes to stay on top of the new releases.

Peace

***************
R. Corrigan Jr.
Network+, (working on CCENT+CCNA)

 

[Abernut]

Thanks Burt.
I have allready downloaded and using the 2.4 version but......I have allready tried

ip http secure-server.

But it does not work, I think the reply was something like.

error at ip http se

I think this is because I am not using an IPSec IOS image. If that makes any sense.

When I type the command "enable#(config)ip http ?"

there is no "secure" only "server" and "local" I believe.
Any other sugestions.

Thank you for your help and quick responce.

 

[ADB100]

I tend to agree with your IT tech....... However use SSH instead of Telnet to secure it. The WEB interface and SDM are OK to start with but they contain vulnerabilities that ideally you should switch off (i.e. no http server and no http secure-server).

Cisco's attempt to get the masses configuring IOS is SDM; however when it goes wrong you end up getting the 'real' people involved. Personally I think SDM is a bad idea since it allows people with absolutely no Cisco knowledge to configure (and usually break) routers.

If you want to use it then fine, however you should secure it using SSL and lock down who can access it using access-classes (ip http access-class).

You need a crypto capable IOS version to use SSH or SSL (ip http secure-server).

Learn the CLI.....

HTH

Andy

 

[Abernut]

Thanks Andy.

I thought about creating an ACL but was a little confused on how to do it. The reason is...Sometimes I might need to access the router from home, where I use the local internet provider(COMCAST). I have a wireless router which assigns some default class C address to my laptop. In this case would I use the IP on the WAN side of my wireless.
Other times I may be on the road using my Verizon card, in which case I'm pulling a completely different IP.

Is the crypto capable IOS version something that I can upgrade my 2800 to, or is it something I need to purchase.

Thanks again for your quick response and help.

Mike

P.S. I'm in the process of learning the CLI. But it looks like a long weary road.

 

[Abernut]

Figured out the IOS...I need the Crypto version CD28N-ASK9, it retails for about $730.00. If I am understanding correctly, that will allow me to lock down port 80.

 

[ADB100]

No, it will allow you to enable Crypton features - i.e. SSH and HTTPS (port 443 by default). It will also allow you to configure VPN which is probably what you want to be looking at. Your suggestion of accessing the router from home via SDM or the WEB interface is a BAD idea, don't even consider this an option. Even if you just enabled SSH or HTTPS then leaving this open to the Internet is just asking for trouble. I have NetFlow configured on my internet facing router and the statistics that it generates are frightening; I am continually being hit by hackers, whether they be real users or Zombie machines.
If you did enable access via the Internet I think it would only take a few days before your router was hacked.

HTH

Andy

 

[burtsbees]

People are port scanning all the time. I had some kid from the University of (begins with an "R") in China try to brute force my ANONYMOUS FTP server. Either he was too stupid to realize he did not need a password, or he wanted admin rights to be able to upload trojans.

Burt