Faisal Corner’z

Defend me, God, from myself

Cisco Security Basic

1. Control Access to your router

The first thing to do is to apply rules that restrict external access to some of the router's ports. You can block all ports, but that is not always necessary. The commands below will protect your router against some reconnaissance attacks and, obviously, restrict access to these ports:

access-list 110 deny tcp any host $yourRouterIP eq 7
access-list 110 deny tcp any host $yourRouterIP eq 9
access-list 110 deny tcp any host $yourRouterIP eq 13
access-list 110 deny tcp any host $yourRouterIP eq 19
access-list 110 deny tcp any host $yourRouterIP eq 23
access-list 110 deny tcp any host $yourRouterIP eq 79
! every ACL ends with an implicit deny, so permit the remaining traffic explicitly
access-list 110 permit ip any any
! x0/0 is your external interface
interface x0/0
 ip access-group 110 in

 

2. Restrict telnet access to it

Telnet is not a very safe protocol to use, but if you really need it (you should always use SSH instead) you might want to restrict all access to it; remember that all your traffic will be unencrypted. The best way to accomplish that is a standard access-list combined with the access-class command.

access-list 50 permit 192.168.1.1
access-list 50 deny any log
line vty 0 4
 access-class 50 in
 exec-timeout 5 0

 

3. Block Spoof/Malicious packets

You must never allow packets with loopback or reserved source addresses coming from the Internet to reach your external interface, and you can reject broadcast and multicast source addresses too.

access-list 111 deny ip 127.0.0.0 0.255.255.255 any
! the three RFC 1918 private ranges
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny icmp any any redirect
! every ACL ends with an implicit deny, so permit the remaining traffic explicitly
access-list 111 permit ip any any
interface x0/0
 ip access-group 111 in

 

4. Restrict SNMP

SNMP must always be restricted, unless you want some malicious person getting a lot of information about your network.

access-list 112 deny udp any any eq snmp
access-list 112 permit ip any any
interface x0/0
 ip access-group 112 in
! or disable the SNMP agent altogether
no snmp-server

 

5. Encrypt all passwords

A very important thing to do is to protect all your passwords using the strongest algorithm possible. The password for privileged EXEC mode, which grants privileged access to the IOS system, can be stored as an MD5 hash, the strongest option available on Cisco IOS.

enable secret $yourpassword

All other passwords can be encrypted with a Vigenère cipher, which is not very strong but can help. To do that, use the service password-encryption command, which encrypts all passwords present in your configuration.

service password-encryption

 

6. Disable Echo, Chargen and Discard
no service tcp-small-servers
no service udp-small-servers

 

7. Disable finger
no service finger

 

8. Disable the httpd interface
no ip http server

 

9. Disable NTP (if you are not using it)
! interface-level command: apply it under each interface
ntp disable

 

10. Disable source routing
no ip source-route

 

11. Disable Proxy ARP
! interface-level command
no ip proxy-arp

 

12. Disable ICMP redirects
! s0/0 is your external interface
interface s0/0
 no ip redirects

 

13. Disable Multicast route caching
! s0/0 is your external interface
interface s0/0
 no ip mroute-cache

 

14. Disable CDP
no cdp run

 

15. Disable directed broadcast (protect against Smurf attacks)
! interface-level command
no ip directed-broadcast

 

16. Log everything
logging trap debugging
logging 192.168.1.10
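Added example, not part of the original post: a small Python checker that audits a saved running-config against this checklist, reporting global items whose required line is missing or whose enabling line is still present, and interface items missing under the Internet-facing interface. The sample config and the interface name Serial0/0 are constructed for illustration, and the checker assumes the explicit "no ..." form of each interface command appears in the config text.

```python
import re
from itertools import takewhile
# Constructed sample running-config, not from a real device; Serial0/0 is the Internet-facing interface.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$xxxx$placeholderhash
ip http server
no ip source-route
interface Serial0/0
 ip access-group 111 in
 no ip redirects
logging trap debugging
logging 192.168.1.10
"""
# Global checklist items: (description, regex, expected); expected=False means the line must be absent.
GLOBAL_CHECKS = [
    ("enable secret set", r"^enable secret ", True),
    ("service password-encryption", r"^service password-encryption$", True),
    ("no ip source-route", r"^no ip source-route$", True),
    ("no cdp run", r"^no cdp run$", True),
    ("syslog host configured", r"^logging (host )?\d+\.\d+\.\d+\.\d+", True),
    ("logging trap level set", r"^logging trap ", True),
    ("small servers disabled", r"^service (tcp|udp)-small-servers", False),
    ("finger disabled", r"^service finger", False),
    ("http server disabled", r"^ip http server", False),
    ("snmp disabled", r"^snmp-server community ", False),
]
# Items the checklist applies under the external interface (explicit 'no' form expected).
IFACE_CHECKS = [
    ("inbound ACL applied", r"^ip access-group \S+ in$"),
    ("no ip redirects", r"^no ip redirects$"),
    ("no ip proxy-arp", r"^no ip proxy-arp$"),
    ("no ip directed-broadcast", r"^no ip directed-broadcast$"),
]
def interface_lines(config, name):
    # Indented lines under 'interface <name>'; [] if that interface is absent.
    lines = config.splitlines()
    if f"interface {name}" not in lines:
        return []
    rest = lines[lines.index(f"interface {name}") + 1:]
    return [l.strip() for l in takewhile(lambda l: l.startswith(" "), rest)]
def audit(config, external_iface):
    # Return the checklist items that fail for this config, in checklist order.
    lines = config.splitlines()
    failures = [desc for desc, pat, expected in GLOBAL_CHECKS
                if any(re.match(pat, l) for l in lines) != expected]
    iface = interface_lines(config, external_iface)
    failures += [f"{external_iface}: {desc}" for desc, pat in IFACE_CHECKS
                 if not any(re.match(pat, l) for l in iface)]
    return failures
```

Run it on the saved output of show running-config; settings that IOS leaves at their default and does not print will be reported as missing unless you capture the config with the "all" form of that command.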

 

(Originally posted by Daniel B Cid)


November 6, 2008 - Posted by | cisco
