router security

Answered Question
Jan 1st, 2008

I have a Cisco router connected to the internet with no firewall. I want to allow internet connections for internal users, and only Easy VPN connections (using the VPN client) from outside to the internal network. How could I achieve this?

JORGE RODRIGUEZ Tue, 01/01/2008 - 20:21

Mohammand, if you could provide a bit more information as to the type of router, we could perhaps direct you in the right direction a bit better. The reason is that your router must have the correct IOS code to support VPN; you would need at least an Enterprise Plus IPsec 3DES IOS image that can provide IPsec VPN capabilities.

You may also look into your current IOS image in the software advisor at

http://www.cisco.com/public/sw-center/index.shtml ; choose "Find software with the features I need" and enter your router model, then look for IPsec 3DES. Perhaps you already have the correct IOS image.

For creating a VPN server on your router you may look into the implementation of Cisco Easy VPN; here you will find all relevant information on IPsec and configuration examples.

http://www.cisco.com/en/US/products/ps6659/products_ios_protocol_option_home.html

As for your router connecting to your ISP and providing inside users with an internet connection, you could do it with this basic script example. Let's assume the ISP gives you a static IP for your router interface connecting to the ISP. Say router fastethernet0/0 is defined as your outside NAT interface, and router fastethernet0/1 your inside NAT interface.

Router1

    ! ISP-facing interface: outside side of NAT
    interface FastEthernet0/0
     description ISP_outside_interface
     ip address 20.20.20.1 255.255.255.252
     ip nat outside
     no shutdown
    !
    ! LAN-facing interface: inside side of NAT
    interface FastEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     no shutdown
    !
    ! PAT (overload) of the whole LAN behind the outside address.
    ! The pool here reuses the interface's own address; the more usual form is
    ! "ip nat inside source list 100 interface FastEthernet0/0 overload".
    ip nat pool mypool 20.20.20.1 20.20.20.1 netmask 255.255.255.252
    ip nat inside source list 100 pool mypool overload
    !
    ! Traffic eligible for translation: any destination from the inside subnet
    ! (an extended ACL needs both source and destination; "any" was missing)
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    !
    ! Default route towards the ISP (replace the placeholder with the ISP's next hop)
    ip route 0.0.0.0 0.0.0.0 ISP_router_interface_IP_address

Since you do not have a firewall, you may want to consider a firewall IOS image or, if not, implementing ACLs to protect your network; refer to this link for more ACL details on protecting your edge internet router.

Protecting your edge internet router

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Rgds

Jorge

rate any helpful posts
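The post above covers NAT for inside users and points at the Easy VPN documentation; the following is an added example, not part of Jorge's script or of Cisco's documentation, that carries the two remaining pieces of the original question through: an Easy VPN server (IPsec remote access with XAUTH) and an inbound filter on the ISP-facing interface that admits only IKE, NAT-T and ESP from outside plus replies to sessions opened from inside. It reuses the addresses from the script above (20.20.20.1 outside, 192.168.1.0/24 inside); the client address pool 192.168.50.0/24, the names VPN_POOL, REMOTE_USERS, VPN_TS, VPN_DYN, VPN_MAP, OUTSIDE_IN, ACL numbers 120, and the placeholder secrets are all constructed for the example and need the IPsec-capable image discussed above.

```cisco
! --- NAT exemption for VPN clients (extends the NAT script above) ---
! Inside-to-client traffic must not be translated; the deny must come
! before the permit in the NAT access list.
ip local pool VPN_POOL 192.168.50.1 192.168.50.100
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! --- Easy VPN server (IPsec remote access, local user and group database) ---
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUP local
username vpnuser1 secret <user-password-placeholder>
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Group the VPN client connects to: group key, address pool, split-tunnel list
crypto isakmp client configuration group REMOTE_USERS
 key <group-preshared-key-placeholder>
 pool VPN_POOL
 acl 120
!
! Split tunnel: only traffic to the inside subnet goes through the tunnel
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
crypto ipsec transform-set VPN_TS esp-3des esp-sha-hmac
crypto dynamic-map VPN_DYN 10
 set transform-set VPN_TS
 reverse-route
!
crypto map VPN_MAP client authentication list VPN_XAUTH
crypto map VPN_MAP isakmp authorization list VPN_GROUP
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_DYN
!
! --- Inbound filter on the ISP-facing interface ---
! Without a firewall image this is stateless: only the listed return traffic
! for inside users is admitted; everything else from the internet is dropped
! and logged.
ip access-list extended OUTSIDE_IN
 remark IKE, NAT-T and ESP from any remote Easy VPN client
 permit udp any host 20.20.20.1 eq isakmp
 permit udp any host 20.20.20.1 eq non500-isakmp
 permit esp any host 20.20.20.1
 remark decrypted client traffic (only re-checked on images that do so)
 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark replies to TCP sessions opened by inside users (TCP only)
 permit tcp any host 20.20.20.1 established
 remark DNS replies to inside users (stateless allowance)
 permit udp any eq domain host 20.20.20.1 gt 1023
 remark ICMP needed for path MTU discovery
 permit icmp any host 20.20.20.1 packet-too-big
 deny   ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE_IN in
 crypto map VPN_MAP
```

The `established` keyword only matches TCP segments with ACK or RST set, so UDP-based services other than DNS (NTP, for instance) need their own permit entries or, better, the firewall feature set with `ip inspect` so that return traffic is admitted statefully instead of by blanket port rules. The NAT-exemption `deny` is the line most often forgotten: without it, packets from the LAN towards the client pool are translated to 20.20.20.1 and never enter the tunnel.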

Related to the same issue, there was an auditing question raised by our IT auditors, where they asked us to provide evidence for their question:

- Are unused interfaces disabled on our routers? -

Our router is a 2811, running IOS 12.4.

My reply to them was that whichever interface is not physically connected to the outside/inside world and actively exchanging data is automatically in shutdown mode, and we do not need to explicitly give it the 'shutdown' command.

Even though the auditors agreed with this, I was wondering if that presumption is indeed correct! Can someone advise?

Rgds

JORGE RODRIGUEZ Tue, 01/01/2008 - 22:44

Hi, this is a very good question. I think it all depends on the company and how far they are willing to go with building and applying standards. I am sure there is a specific link out there that can provide best practice in securing your inside network, but you can look at some good links here.

For example, for unused ports in my company we do not shut them down but rather place them in a dead VLAN with other port security protection such as 802.1X etc. for the switches; as for the routers, I do shut down unused interfaces, but I have worked in other companies where they did not accept this practice.

You may find some useful information in this link.

http://www.cisco.com/en/US/netsol/ns625/networking_solutions_package.html

Personally I tend to follow Cisco recommendations; following their design guidelines you can find a lot of information on network design and the best practices supporting it. I know it is tedious, but we have no choice but to read it, and based on this you may recommend it out in the real world.

Guides

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_program_home.html

Also, for router security this is a very good link: paste your 'show run' router configuration and the output will be given with recommendations on flaws in your configuration pertaining to security.

https://www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl

Rgds

Jorge

Thanks for all the nice links, especially the Output Interpreter. This nifty tool was hidden from me all along for some mysterious reason. The beauty is it even takes the output of a PIX, but the results are not all that great, unlike the router's output.

Anyway, one of my queries still remains unanswered, and that is the auditors' query where they were asking me to make sure that all unused interfaces were in a 'shutdown' state.

My contention was that if a wire (UTP/fiber etc.) isn't connected to an interface of the router, it's automatically put into 'shutdown' mode.

Is that assumption correct or flawed from the 'router security' perspective?

Correct Answer
Jon Marshall Wed, 01/02/2008 - 03:56

Hi

It's not administratively shutdown but it is in effect shutdown as there is nothing connected to it.

However the big difference is that if it is administratively shutdown and someone connects a UTP cable into it then it will stay down.

If it is not administratively shutdown and a cable is connected then it may well come up.

Jon
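Jon's distinction between "down because nothing is plugged in" and "administratively down" is exactly what an auditor can verify from the CLI. The following is an added example, not part of Jon's answer, showing how the unused port would be configured and which command gives the evidence; the interface name Serial0/0/0 is assumed for a WIC port on a 2811 and the description text is constructed.

```cisco
! Unused port: disable it explicitly so the state survives someone plugging
! in a cable, and label it so the next admin knows the shutdown is deliberate.
interface Serial0/0/0
 description UNUSED - administratively disabled (audit control)
 shutdown
!
! Evidence for the auditor: the Status column of "show ip interface brief"
! distinguishes the two cases Jon describes.
!   administratively down / down  -> "shutdown" configured; stays down when cabled
!   down / down                   -> no "shutdown"; may come up when cabled
!
! Router# show ip interface brief
!
! To list every interface stanza together with any "shutdown" line underneath it:
! Router# show running-config | include ^interface|shutdown
```

An interface that merely shows "down / down" has no configuration preventing it from coming up, so it does not satisfy the control; only the "administratively down" state does.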
