uglygrouch
asked on
Securing our Router
Hi gang!
We're working on securing a router and frankly we haven't the slightest business doing this, but
when you're small you do what you have to :)
Ok, we're working with our Cisco 1720 and we're using defaults on most things.
Below you'll find our config currently:
<begin snip>
Current configuration:
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname hostname-gw
!
logging buffered 4096 debugging
enable password somepassword
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip domain-name customer.com
ip name-server 'nameserver'
ip name-server 'nameserver'
!
isdn switch-type basic-ni
!
!
!
interface Serial0
description The World
bandwidth 1544
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
ip address ourIP ourSub
frame-relay interface-dlci 100
!
interface BRI0
bandwidth 256
ip unnumbered FastEthernet0
encapsulation ppp
shutdown
dialer rotary-group 1
isdn switch-type basic-ni
isdn spid1 somenumber
isdn spid2 somenumber
!
interface FastEthernet0
description To Office FastEthernet
ip address otherIP otherSUB secondary
ip address ourIP ourSUB
speed auto
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer string 1234567890
dialer string somenumber
dialer hold-queue 10
dialer load-threshold 179 either
dialer-group 1
ppp authentication chap callin
ppp chap hostname somehostname
ppp chap password 7 somepassword
ppp multilink
!
ip nat translation tcp-timeout 600
ip classless
ip route 0.0.0.0 0.0.0.0 someIP
ip http server
!
dialer-list 1 protocol ip permit
!
line con 0
password somepassword
login
transport preferred none
transport input none
stopbits 1
line aux 0
password somepassword
login
modem InOut
transport preferred none
transport input all
stopbits 1
flowcontrol hardware
line vty 0 4
password somepassword
login
transport preferred none
!
no scheduler allocate
end
</end snip>
As you see, we've got info for a dialer, which isn't used.
And never will be. If we will get better service without its
config we're fine with removing it.
Also, everything is pretty much default except for the IPs and whatnot
and passwords. We don't have any specific blocks for say DoS attacks
and whatnot.
We'd like to be able to say our router is pretty secure so we can
rest at night.
Any help would be appreciated,
UG
Sorry, your serial sub-interface is a better place to put
IP access-group 105 in
and BTW you could get rid of the dialer interface and other unneeded configuration items... They are certainly not hurting anything; it would just clean up the configuration....
Thanks
Scott
Also, run the following command to encrypt the enable password within the configuration:
service password-encryption
Greenclock, which tool did you use, please?
Output Interpreter - You need to have a Registered CCO account with Cisco to be able to access it. Sorry...
GC
I have one, that's why I asked. Thanks. :-)
Shouldn't be any probs then. Just cut'n'paste the config in and it will display the results. Even able to email it to someone else if need be.
Very good for a quick diagnosis. A must for anyone supporting Cisco Kit.
GC
Any updates for us? Are you still working on this? Do you need more information?
Access-list 10 permit 192.168.1.0 0.0.0.255
Then in the line vty 0 4
access-class 10 in
that is assuming that your local network you manage the box from will be 192.168.1.0/24 and you can add any additional information to that...
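A small audit script, added here as an illustration and not part of any answer in the thread: it parses a constructed excerpt of the posted config and flags the three gaps the answers address (cleartext passwords, no access-class on the vty lines, no inbound access-group on the serial sub-interface), and the wildcard helper shows which management hosts the access-list 10 entry admits. The ACL numbers and the 192.168.1.0/24 network come from the thread; the function names and the excerpt itself are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the posted 1720 config; the placeholders are kept as-is.
WEAK_CONFIG = """\
no service password-encryption
!
interface Serial0.1 point-to-point
frame-relay interface-dlci 100
!
line vty 0 4
password somepassword
login
!
"""

def parse_blocks(config):
    """Split IOS text into global commands and {block header: commands}.
    A block starts at 'interface ...' or 'line ...' and ends at the next '!'."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd == "!":
            current = None
        elif cmd.startswith(("interface ", "line ")):
            current = cmd
            blocks[current] = []
        elif cmd:
            (blocks[current] if current else global_cmds).append(cmd)
    return global_cmds, blocks

def audit(config):
    """Report which of the three fixes recommended in the thread are missing."""
    global_cmds, blocks = parse_blocks(config)
    findings = []
    if "service password-encryption" not in global_cmds:
        findings.append("global: passwords stored in clear text")
    for header, cmds in blocks.items():
        if header.startswith("line vty") and not any(
                re.match(r"access-class \d+ in$", c) for c in cmds):
            findings.append(f"{header}: no access-class limiting management sources")
        if re.match(r"interface Serial\d+\.\d+", header) and not any(
                re.match(r"ip access-group \d+ in$", c, re.I) for c in cmds):
            findings.append(f"{header}: no inbound ip access-group on the WAN link")
    return findings

def wildcard_permits(acl_entry, source_ip):
    """IOS 'network wildcard' match: wildcard 1-bits are ignored, so non-contiguous masks work."""
    net, wild = (int(ip_address(p)) for p in acl_entry.split())
    return (int(ip_address(source_ip)) & ~wild) == (net & ~wild)
```

Running `audit(WEAK_CONFIG)` on the excerpt returns three findings; applying the three commands from the answers above makes it return an empty list.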