Security Basics mailing list archives
FW: Help hardening router
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Tue, 9 Mar 2010 12:36:19 +1100
ARGGG! Always obscure the details.

It is clear you are not experienced with Cisco security. As such, I would start with an automated tool such as the Router Audit Tool (RAT) and Nipper. You get these from the following sites respectively:

Centre for Internet Security (CIS) website: http://www.cisecurity.org/bench_cisco.html

Nipper (Network Infrastructure Parser): http://sourceforge.net/project/showfiles.php?group_id=191582&package_id=226095&release_id=580416
Nipper was previously known as CiscoParse.

Also see http://www.iso27001security.com/ISO27k_router_security_audit_checklist.rtf

The "Router Checklist Procedure Guide -- Supplement to the Network Infrastructure Checklist", available from http://csrc.nist.gov/checklists/repository/1059.html and maintained by NIST and DISA, together with the NSA checklists (http://www.nsa.gov/snac/downloads_all.cfm) make a comprehensive combination. The CIS standards (http://www.cisecurity.org/bench_cisco.html) are also effective and are aligned with the RAT tool.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mzcohen2682 () aim com
Sent: Tuesday, 9 March 2010 7:27 AM
To: security-basics () securityfocus com
Subject: Help hardening router

Hi all!

I have a task to harden a small organization's router. Today they have only the router and they don't use a FW. I'm pasting here the config (not before changing the IPs). Can someone recommend which commands to implement in order to harden the router? They use some VPNs and the admin configures the router through telnet.

Another thing: how do I know if this IOS supports SSH?

Also, at the end of the access list they have a line saying:

access-list 111 permit ip any any

I think this is a bad config, right?

Thanks a lot all!!
joe

MARIO#sh run
Building configuration...

Current configuration : 4851 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname mario
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 $1$3pD5$Nd5kRQonH.zmpZ3rzyn1G0
enable password 7 01119908410A0800
!
username martin password 7 011E090A4F041200
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization network default none
aaa session-id common
ip subnet-zero
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.8.1 192.168.8.100
!
ip dhcp pool pool1
   network 192.168.8.0 255.255.255.0
   default-router 192.168.8.2
   dns-server 204.60.193.1 192.168.8.4 204.60.193.2
!
!
ip dhcp-server 192.168.8.2
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
interface Tunnel8
 description Tunel israel Central
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 195.77.213.228
!
interface Tunnel351
 description Tunel sucursal Cordoba Argentina
 ip unnumbered FastEthernet4
 ip route-cache flow
 no ip mroute-cache
 tunnel source FastEthernet4
 tunnel destination 204.60.231.161
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 227.68.72.193 255.255.255.252
 ip access-group 110 in
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool grupoIPclientePPTP
 no keepalive
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 ip address 192.168.8.2 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
ip local pool grupoIPclientePPTP 192.168.160.1 192.168.160.50
ip default-gateway 204.68.72.194
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.72.194
ip route 192.168.0.0 255.255.0.0 Tunnel8
ip route 192.168.1.0 255.255.255.0 Tunnel8
ip route 192.168.5.0 255.255.255.0 Tunnel8
ip route 192.168.8.0 255.255.255.0 Vlan1
ip route 192.168.81.0 255.255.255.0 Tunnel351
!
no ip http server
no ip http secure-server
ip nat pool traduccion 204.60.72.193 204.60.72.193 netmask 255.255.255.252
ip nat inside source list 100 pool traduccion overload
ip nat inside source static tcp 192.168.8.7 25 204.60.72.193 25 extendable
ip nat inside source static tcp 192.168.8.7 80 204.60.72.193 80 extendable
ip nat inside source static tcp 192.168.8.7 110 204.60.72.193 110 extendable
ip nat inside source static tcp 192.168.8.7 143 204.60.72.193 143 extendable
ip nat inside source static tcp 192.168.8.7 5900 204.60.72.193 6007 extendable
!
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit ip 194.140.64.0 0.0.31.255 any
access-list 110 permit ip host 62.97.66.136 any
access-list 110 permit ip 192.0.0.0 0.255.255.255 any
access-list 110 permit gre host 80.36.126.67 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any host 204.60.72.193 eq 6024
access-list 110 permit tcp any host 204.60.72.193 eq 6050
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp-data log
access-list 110 permit tcp any 192.168.8.0 0.0.0.255 eq ftp log
access-list 110 permit tcp any host 192.168.8.4 eq domain
access-list 110 permit udp any host 192.168.8.4 eq domain
access-list 110 permit tcp any any eq 81
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any eq www any
access-list 110 permit tcp any eq smtp any
access-list 110 permit tcp any eq 443 any
access-list 110 permit udp any eq domain any
access-list 110 permit tcp any eq domain any
access-list 110 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 110 permit tcp 135.76.213.240 0.0.0.15 any eq telnet
access-list 110 permit tcp host 80.44.216.45 any eq telnet
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit gre host 143.76.213.250 host 204.60.72.193
access-list 110 permit gre host 143.76.213.228 host 204.60.72.193
access-list 110 permit tcp any host 204.60.72.193 eq 6007
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 105C060C111200535B55
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

mARIO#

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
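The reply points at RAT and Nipper rather than answering the specific questions, so here is an added example (not code from the thread, from Craig Wright, or from either tool) of the kind of check those auditors automate, written in Python against a constructed config that keeps the structure of the one pasted above but uses placeholder password strings. It flags the three things the original poster asked about or that stand out in the config: `transport input all` on the vty lines (telnet management), type-7 passwords (a reversible encoding, not a hash), and ACLs that contain `permit ip any any` (everything after that entry is unreachable and the ACL filters nothing). Whether the image supports SSH is not visible in `show run`; it depends on the feature set of the installed image, which `show version` reports.

```python
"""Small audit of a Cisco IOS running-config for the issues raised in the
thread: telnet on the vty lines, reversible type-7 passwords, and ACLs
that contain a blanket 'permit ... any any'.  Added example; this is not
RAT, Nipper, or any other real tool."""
import re
from typing import Dict, List, Tuple

# Constructed sample: trimmed from the config in the thread, with the
# password strings replaced by placeholders.
SAMPLE_CONFIG = """\
version 12.3
service password-encryption
enable secret 5 $1$PLACEHOLDER$HASH
enable password 7 0123456789ABCDEF
username martin password 7 0123456789ABCDEF
aaa new-model
no ip http server
access-list 110 permit tcp any host 204.60.72.193 eq smtp
access-list 110 permit tcp any any
access-list 110 permit ip any any
access-list 110 permit gre host 201.216.254.145 host 204.60.72.193
access-list 111 permit ip any any
line con 0
 transport preferred all
line vty 0 4
 password 7 0123456789ABCDEF
 transport preferred all
 transport input all
 transport output all
end
"""


def parse_stanzas(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global lines, {stanza header: [indented child lines]}).
    Indented lines belong to the most recent unindented line, which is how
    IOS prints 'line vty 0 4' and 'interface ...' blocks.  Comment lines
    ('!') and blanks are dropped.  Assumes stanza headers are unique."""
    global_lines: List[str] = []
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            global_lines.append(current)
            stanzas[current] = []
    return global_lines, stanzas


def check_passwords(global_lines: List[str], stanzas: Dict[str, List[str]]) -> List[str]:
    """Type-7 strings are reversibly encoded, so treat each one as exposed;
    'enable password' next to 'enable secret' is redundant and weaker."""
    findings: List[str] = []
    every_line = list(global_lines)
    for children in stanzas.values():
        every_line.extend(children)
    for line in every_line:
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(f"type-7 password (reversible encoding, not a hash): '{line}'")
    if any(line.startswith("enable password") for line in global_lines):
        findings.append("'enable password' set alongside 'enable secret'; remove it")
    if "service password-encryption" not in global_lines:
        findings.append("'service password-encryption' missing")
    return findings


def check_acls(global_lines: List[str]) -> List[str]:
    """Flag blanket entries.  'permit ip any any' makes the ACL a no-op and
    shadows every later entry; 'permit tcp/udp any any' opens a whole protocol."""
    findings: List[str] = []
    entries: Dict[str, List[str]] = {}
    for line in global_lines:
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    for acl, aces in entries.items():
        for idx, ace in enumerate(aces):
            m = re.fullmatch(r"permit (ip|tcp|udp) any any", ace)
            if not m:
                continue
            if m.group(1) == "ip":
                shadowed = len(aces) - idx - 1
                findings.append(f"ACL {acl}: entry {idx + 1} 'permit ip any any' permits "
                                f"all traffic; {shadowed} later entries never match")
                break  # nothing after this entry can ever be evaluated
            findings.append(f"ACL {acl}: entry {idx + 1} '{ace}' permits all "
                            f"{m.group(1).upper()} from anywhere")
    return findings


def check_vty(stanzas: Dict[str, List[str]]) -> List[str]:
    """Management plane: vty lines should accept only SSH and should carry an
    access-class limiting where logins may come from."""
    findings: List[str] = []
    for name, children in stanzas.items():
        if not name.startswith("line vty"):
            continue
        transports = [c for c in children if c.startswith("transport input")]
        if not transports:
            findings.append(f"{name}: no explicit 'transport input'; default may accept telnet")
        elif any(t.split()[2] in ("all", "telnet") for t in transports):
            findings.append(f"{name}: telnet accepted (use 'transport input ssh')")
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{name}: no 'access-class' restricting management sources")
    return findings


def audit(config: str) -> List[str]:
    """Run every check and return the list of findings."""
    global_lines, stanzas = parse_stanzas(config)
    return check_passwords(global_lines, stanzas) + check_acls(global_lines) + check_vty(stanzas)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

On the sample the script reports nine findings: three type-7 strings plus the redundant `enable password`, the blanket TCP and IP entries in ACL 110 (with the GRE entry after `permit ip any any` shown as unreachable), the `permit ip any any` that makes ACL 111 pointless, and the telnet-capable, unrestricted vty lines. A vty stanza with `transport input ssh` and an `access-class` produces no findings, which is the state the original poster was asking how to reach.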
Current thread:
- Help hardening router mzcohen2682 (Mar 08)
- Re: Help hardening router David Goldsmith (Mar 09)
- Re: Help hardening router John Morrison (Mar 09)
- Re: Help hardening router Mike Hale (Mar 09)
- RE: Help hardening router Jatmoko, Arif (ID - Jakarta) (Mar 09)
- Re: Help hardening router Alex (Mar 09)
- Re: Help hardening router Curt Shaffer (Mar 09)
- Re: Help hardening router Dave LaDuke (Mar 10)
- Re: Help hardening router doug schmidt (Mar 10)
- RE: Help hardening router Michael Yelland (Mar 15)
- <Possible follow-ups>
- FW: Help hardening router Craig S. Wright (Mar 09)