Security Basics mailing list archives

FW: Help hardening router


From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Tue, 9 Mar 2010 12:36:19 +1100

ARGGG!
Always obscure the details.

It is clear you are not experienced with Cisco security. As such, I would
start with an automated tool such as the router audit tool (RAT) and Nipper.

You get these from the following sites respectively:
        Centre for Internet Security (CIS) website
                http://www.cisecurity.org/bench_cisco.html
        Nipper (Network Infrastructure Parser)
                http://sourceforge.net/project/showfiles.php?group_id=191582&package_id=226095&release_id=580416

Nipper was previously known as CiscoParse.

Also see
http://www.iso27001security.com/ISO27k_router_security_audit_checklist.rtf


The "Router Checklist Procedure Guide -- Supplement to the Network
Infrastructure Checklist" that is available from
http://csrc.nist.gov/checklists/repository/1059.html, which is maintained by
NIST and DISA; with the NSA (http://www.nsa.gov/snac/downloads_all.cfm)
checklists together make a comprehensive combination. The CIS standards
(http://www.cisecurity.org/bench_cisco.html) are also effective and are
aligned with the RAT tool.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of mzcohen2682 () aim com
Sent: Tuesday, 9 March 2010 7:27 AM
To: security-basics () securityfocus com
Subject: Help hardening router

Hi all!

I have a task to harden a small organization's router. Today they have
only the router and they don't use a FW.

I'm pasting the config here (after changing the IPs). Can someone
recommend which commands to implement in order to harden the router?

They use some VPNs and the admin configures the router through telnet.
Another thing: how do I know if this IOS supports SSH?

Also, at the end of the access list they have a line saying:

access-list 111 permit ip any any

I think this is a bad config, right?

Thanks a lot, all!!

joe

MARIO#sh run
Building configuration...

Current configuration : 4851 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname mario
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
!
username martin password 7 011E090A4F041200
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default none
aaa session-id common
ip subnet-zero
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.8.1 192.168.8.100
!
ip dhcp pool pool1
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.2
   dns-server 204.60.193.1 192.168.8.4 204.60.193.2
!
!
ip dhcp-server 192.168.8.2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface Tunnel8
 description Tunel israel Central
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 195.77.213.228
!
interface Tunnel351
 description Tunel sucursal Cordoba Argentina
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 204.60.231.161
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 227.68.72.193 255.255.255.252
 ip access-group 110 in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool grupoIPclientePPTP
 no keepalive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 192.168.8.2 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
ip default-gateway 204.68.72.194
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.72.194
ip route 192.168.0.0 255.255.0.0 Tunnel8
ip route 192.168.1.0 255.255.255.0 Tunnel8
ip route 192.168.5.0 255.255.255.0 Tunnel8
ip route 192.168.8.0 255.255.255.0 Vlan1
ip route 192.168.81.0 255.255.255.0 Tunnel351
!
no ip http server
no ip http secure-server
ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 255.255.255.252
ip nat inside source list 100 pool traduccion overload
ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 extendable
ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 extendable
ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 extendable
ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 extendable
ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 extendable
!
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 194.140.64.0 0.0.31.255 any
access-list 110 permit ip host 62.97.66.136 any
access-list 110 permit ip 192.0.0.0 0.255.255.255 any
access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any host 204.60.72.193 eq 6024
access-list 110 permit tcp any host 204.60.72.193 eq 6050
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any host 192.168.8.4 eq domain
access-list 110 permit udp any host 192.168.8.4 eq domain
access-list 110 permit tcp any any eq 81
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any eq 443 any
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
access-list 110 permit tcp host 80.44.216.45 any eq telnet
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 105C060C111200535B55
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

mARIO#
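Editor's note: the following is an added example, not code from the list post or from Information Defense. It is a small static audit in the spirit of the RAT/Nipper tools recommended above, run over a constructed excerpt of the posted config. It reverses `password 7` strings (type 7 is a fixed-key XOR, not encryption, so `service password-encryption` only hides passwords from shoulder-surfing), lists ACL entries that can never match because an earlier catch-all already permits them (in ACL 110 above, everything after `permit tcp any any` / `permit udp any any` / `permit ip any any` is dead), and flags the management-plane settings the question asks about. `SAMPLE_CONFIG` is constructed for the example; its type-7 strings are replaced with the public test vector that decodes to `cisco`.

```python
"""Added example (not from the list post): a small static audit in the spirit
of RAT/Nipper.  Reverses 'password 7' strings, lists ACL entries shadowed by
an earlier catch-all permit, and flags telnet on the vty lines / missing SSHv2.
SAMPLE_CONFIG is a constructed excerpt; type-7 values are the 'cisco' vector."""
import re

# Fixed XOR key behind Cisco type-7 'service password-encryption' (public).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(enc):
    """Reverse a 'password 7' string.  Returns None if it is malformed or
    yields non-printable bytes (edited by hand, or not really type 7)."""
    if not re.fullmatch(r"[0-9]{2}(?:[0-9A-Fa-f]{2})+", enc):
        return None
    seed, out = int(enc[:2]), bytearray()   # first two digits = key offset
    for n, pos in enumerate(range(2, len(enc), 2)):
        byte = int(enc[pos:pos + 2], 16) ^ TYPE7_KEY[(seed + n) % len(TYPE7_KEY)]
        if not 0x20 <= byte < 0x7F:
            return None
        out.append(byte)
    return out.decode("ascii")


def encode_type7(plain, seed=9):
    """Forward direction: the whole scheme is one fixed-key XOR plus an offset."""
    body = "".join("%02X" % (ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, c in enumerate(plain))
    return "%02d%s" % (seed, body)


ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) (.*?)(?: log(?:-input)?)?$")


def shadowed_entries(config, acl):
    """(entry, reason) for lines of numbered ACL `acl` that can never match:
    'permit <proto> any any' (no ports) covers every later line of that
    protocol, and 'permit ip any any' covers every later line."""
    covered, dead = set(), []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m or m.group(1) != acl:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4)
        by = "ip" if "ip" in covered else proto if proto in covered else None
        if by:
            dead.append((raw.strip(), "shadowed by earlier 'permit %s any any'" % by))
        elif action == "permit" and rest == "any any":
            covered.add(proto)
    return dead


def audit(config):
    """Human-readable findings for an IOS running-config (a subset of what a
    tool like RAT or Nipper reports)."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if line and not line[0].isspace():
            section = line                      # top-level command opens a block
        m = re.match(r"^\s*((?:enable |username \S+ )?password) 7 (\S+)$", line)
        if m:
            findings.append("reversible type-7 %s decodes to %r"
                            % (m.group(1), decode_type7(m.group(2))))
        m = re.match(r"^\s*transport input (.+)$", line)
        if m and section.startswith("line vty") and m.group(1) != "ssh":
            findings.append("%s: 'transport input %s' allows telnet; use 'transport input ssh'"
                            % (section, m.group(1)))
        m = re.match(r"^\s*ip access-group (\d+) (in|out)$", line)
        if m and section.startswith("interface"):
            acl = m.group(1)
            if re.search(r"^access-list %s permit ip any any$" % acl, config, re.M):
                findings.append("%s: ACL %s contains 'permit ip any any' (the filter is a no-op); "
                                "%d entries shadowed by earlier catch-alls"
                                % (section, acl, len(shadowed_entries(config, acl))))
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("SSHv2 not pinned ('ip ssh version 2' absent)")
    return findings


SAMPLE_CONFIG = """\
hostname mario
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 094F471A1A0A
username martin password 7 094F471A1A0A
interface FastEthernet4
 ip access-group 110 in
interface Vlan1
 ip access-group 111 in
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
line vty 0 4
 password 7 094F471A1A0A
 transport input all
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
    for entry, why in shadowed_entries(SAMPLE_CONFIG, "110"):
        print("dead:", entry, "--", why)
```

Reading the findings back against the post: the `enable password 7` line is redundant with `enable secret` and should simply be removed (`no enable password`), the local user should be stored with `username martin secret ...`, and the vty password is pointless under `aaa new-model` with `login default local`. Whether the box can do SSH at all is answered by `show version`: an image whose name carries `k9` includes the crypto feature set; `show ip ssh` then reports whether SSH is enabled and which version. Enabling it is `ip domain-name`, `crypto key generate rsa modulus 2048`, `ip ssh version 2`, and `transport input ssh` (plus an `access-class` ACL) under `line vty 0 4`. For ACL 110, the three blanket permits mean every specific line before them is the only thing that matters and every line after them is dead weight; ACL 111 on the inside interface is less dangerous but provides no egress control either.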


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
