Richard Burts Tue, 11/18/2008 - 14:19
I am not sure that I fully understand your question. If someone gains access to privilege mode in your router (or switch) they could hack access lists (as well as other things). So to protect your access lists it is important to protect access to your router. Some of the things that you can do to protect your router include:

- restrict remote access to the device by using standard access lists applied to the vty lines by access-class.

- restrict remote access to the device to use SSH and disable telnet access by using the command transport input ssh under line vty.

- have strong authentication. The best is to configure AAA authentication to use an external authentication server like ACS and use local authentication only as a backup if the authentication server is not available.

- use the AAA accounting feature to log the privilege level 15 commands (including configuration commands) to the AAA server so you can track what changes have been made.
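One way to express those four points as an IOS configuration, added here as an example (it is not from the post or from Cisco documentation). The hostname, the 10.0.0.0/24 management subnet, the ACS server address 10.0.0.10 and the bracketed secrets are assumed placeholders.

```cisco
! Prerequisites for SSH: a hostname, a domain name and an RSA key pair.
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local account used only when the AAA server is unreachable.
username admin privilege 15 secret <LOCAL-ADMIN-SECRET>
!
! External authentication server (ACS speaking TACACS+), 10.0.0.10 is assumed.
aaa new-model
tacacs-server host 10.0.0.10
tacacs-server key <TACACS-SHARED-KEY>
aaa group server tacacs+ ACS-GROUP
 server 10.0.0.10
!
! Try ACS first, fall back to the local database only if ACS does not answer.
aaa authentication login MGMT group ACS-GROUP local
aaa authorization exec MGMT group ACS-GROUP local
!
! Send every privilege-15 command (configuration commands included) to ACS.
aaa accounting commands 15 default start-stop group ACS-GROUP
aaa accounting exec default start-stop group ACS-GROUP
!
! Standard ACL naming the hosts allowed to reach the vty lines; log the rest.
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
! Apply the ACL with access-class, allow SSH only, and bind the AAA lists.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication MGMT
 authorization exec MGMT
 exec-timeout 10 0
 logging synchronous
```

Platforms with more than five vty lines need the same settings applied to the remaining lines (for example line vty 5 15), otherwise those lines keep the default transport and authentication.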



netsquant Wed, 11/19/2008 - 05:43
I do have strong access lists but wanted to add deep inspection, then I thought the deep inspection would be pointless because the ACLs are doing the security. I was just trying to research if there was something in addition to ACLs, but I guess as long as the ACLs are strong there is nothing else to do.

srue Wed, 11/19/2008 - 13:24

Here's a list of packet filtering methods in order from least secure to most secure:

1. (IOS based) access-lists

2. IOS access-lists using the established keyword

3. IOS reflexive ACLs

4. IOS firewall feature set - inspection + ACLs

5. true stateful firewall (e.g. PIX/ASA) using ACLs.


This Discussion