Securing our Router

uglygrouch asked
Last Modified: 2009-10-17
Hi gang!

We're working on securing a router and frankly we haven't the slightest business doing this, but
when you're small you do what you have to :)

Ok, we're working with our Cisco 1720 and we're using defaults on most things.
Below you'll find our config currently:

<begin snip>
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname hostname-gw
!
logging buffered 4096 debugging
enable password somepassword
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip domain-name customer.com
ip name-server 'nameserver'
ip name-server 'nameserver'
!
isdn switch-type basic-ni
!
!
!
interface Serial0
 description The World
 bandwidth 1544
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address ourIP ourSub
 frame-relay interface-dlci 100
!
interface BRI0
 bandwidth 256
 ip unnumbered FastEthernet0
 encapsulation ppp
 shutdown
 dialer rotary-group 1
 isdn switch-type basic-ni
 isdn spid1 somenumber
 isdn spid2 somenumber
!
interface FastEthernet0
 description To Office FastEthernet
 ip address otherIP otherSUB secondary
 ip address ourIP ourSUB
 speed auto
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 300
 dialer string 1234567890
 dialer string somenumber
 dialer hold-queue 10
 dialer load-threshold 179 either
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname somehostname
 ppp chap password 7 somepassword
 ppp multilink
!
ip nat translation tcp-timeout 600
ip classless
ip route 0.0.0.0 0.0.0.0 someIP
ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
 password somepassword
 login
 transport preferred none
 transport input none
 stopbits 1
line aux 0
 password somepassword
 login
 modem InOut
 transport preferred none
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password somepassword
 login
 transport preferred none
!
no scheduler allocate
end

</end snip>

As you see, we've got info for a dialer, which isn't used.
And never will be. If we will get better service without its
config we're fine with removing it.

Also, everything is pretty much default except for the IPs and whatnot
and passwords. We don't have any specific blocks for, say, DoS attacks
and whatnot.
We'd like to be able to say our router is pretty secure so we can
rest at night.

Any help would be appreciated,

UG

One of the easiest things to do is control who has access to your router via telnet, so you would do the following:

access-list 10 permit 192.168.1.0 0.0.0.255

Then in the line vty 0 4

access-class 10 in

That is assuming that the local network you manage the box from will be 192.168.1.0/24; you can add any additional information to that...
Sorry, your serial sub-interface is a better place to put

ip access-group 105 in

And BTW you could get rid of the dialer interface and other unneeded configuration items... They are certainly not hurting anything; it would just clean up the configuration....

Thanks
Scott
Also, run the following command to encrypt the enable password within the configuration:

service password-encryption
Les Moore, Sr. Systems Engineer (Certified Expert, Top Expert 2008) commented:
Greenclock, which tool did you use, please?
Output Interpreter - you need to have a registered CCO account with Cisco to be able to access it. Sorry...

GC
I have one, that's why I asked.  Thanks.  :-)
Shouldn't be any probs then. Just cut 'n' paste the config in and it will display the results. Even able to email it to someone else if need be.

Very good for a quick diagnosis. A must for anyone supporting Cisco kit.

GC
Les Moore, Sr. Systems Engineer (Certified Expert, Top Expert 2008) commented:
Any updates for us? Are you still working on this? Do you need more information?