11-18-2008 07:49 AM - edited 03-11-2019 07:14 AM
Can access lists be hacked? What should be put in place in the event they get hacked? Is there additional security on the router, or is a FW appliance needed?
11-18-2008 02:19 PM
Shane
I am not sure that I fully understand your question. If someone gains access to privilege mode in your router (or switch) they could hack access lists (as well as other things). So to protect your access lists it is important to protect access to your router. Some of the things that you can do to protect your router include:
- restrict remote access to the device by using standard access lists applied to the vty lines by access-class.
- restrict remote access to the device to use SSH and disable telnet access by using the command transport input ssh under line vty.
- have strong authentication. The best is to configure AAA authentication to use an external authentication server like ACS and use local authentication only as a backup if the authentication server is not available.
- use the AAA accounting feature to log the privilege level 15 commands (including configuration commands) to the AAA server so you can track what changes have been made.
HTH
Rick
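The four controls Rick lists, written out as one IOS configuration so the pieces can be seen together. This is an added example, not configuration posted in the thread: the hostname, the 10.0.100.0/24 management subnet, the 10.0.100.5 ACS/TACACS+ server, the secrets in angle brackets and the ACL, method-list and user names are all placeholders to be replaced with your own values.

```cisco
! --- 1. Only the management subnet may reach the vty lines (access-class) ---
! 10.0.100.0/24 is an assumed management network; "deny any log" records
! every other attempt so it shows up in syslog.
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
 deny   any log
!
! --- 2. SSH only; hostname + domain name are required to generate the RSA key ---
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! --- 3. AAA: external server (ACS over TACACS+) first, local user only as fallback ---
aaa new-model
tacacs-server host 10.0.100.5 key <TACACS-SHARED-SECRET>
aaa authentication login VTY-AUTH group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Local fallback account and enable secret, used only while the server is unreachable.
username admin privilege 15 secret <STRONG-LOCAL-PASSWORD>
enable secret <STRONG-ENABLE-SECRET>
!
! --- 4. Accounting: send every privilege-15 command (config changes included) to the server ---
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
!
! Tie it together on the vty lines.
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login authentication VTY-AUTH
 exec-timeout 10 0
```

Two points worth knowing when copying this pattern: per-command accounting (aaa accounting commands 15) is only carried by TACACS+, not RADIUS, so the ACS server has to be configured as a TACACS+ client for step 4 to work; and in the method list "group tacacs+ local" the local database is consulted only when every TACACS+ server fails to respond, not when the server rejects the password, so a stolen local password does not bypass the server while it is reachable.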
11-19-2008 05:43 AM
I do have strong access lists but wanted to add deep inspection, then I thought the deep inspection would be pointless because the ACLs are doing the security. I was just trying to research if there was something in addition to ACLs, but I guess as long as the ACLs are strong there is nothing else to do.
11-19-2008 01:24 PM
Here's a list of packet filtering methods in order from least secure to most secure:
1. (IOS based) access-lists
2. IOS access-lists using the established keyword
3. IOS reflexive ACLs
4. IOS firewall feature set - inspection + ACLs
5. true stateful firewall (eg PIX/ASA) using ACLs.
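Rungs 2, 3 and 4 of that list side by side, so the difference in what each one actually tracks is visible. This is an added example, not configuration from the thread; the 10.1.1.0/24 inside LAN, the FastEthernet0/1 outside interface and all ACL and inspection-rule names are assumed. Apply only one of the three options to the interface.

```cisco
! Assumed topology: 10.1.1.0/24 is the inside LAN, FastEthernet0/1 faces the Internet.
! Choose ONE option; each one replaces the previous option's ACLs on Fa0/1.

! --- Option 2: the "established" keyword ---------------------------------------
! Matches only TCP segments with ACK or RST set. No session table exists, so any
! inbound packet that merely carries those bits is let through, and UDP is not
! covered at all. Cheap, but the weakest of the three.
ip access-list extended OUTSIDE-IN-ESTABLISHED
 permit tcp any 10.1.1.0 0.0.0.255 established
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group OUTSIDE-IN-ESTABLISHED in

! --- Option 3: reflexive ACL -----------------------------------------------------
! Each outbound TCP/UDP session creates a temporary entry (addresses + ports) that
! expires after the timeout; inbound traffic passes only if it matches an entry.
! State is layer 4 only, so multi-channel protocols such as active FTP still break.
ip access-list extended INSIDE-OUT
 permit tcp 10.1.1.0 0.0.0.255 any reflect TCP-RETURN timeout 300
 permit udp 10.1.1.0 0.0.0.255 any reflect UDP-RETURN timeout 60
!
ip access-list extended OUTSIDE-IN-REFLEXIVE
 evaluate TCP-RETURN
 evaluate UDP-RETURN
 deny ip any any log
!
interface FastEthernet0/1
 ip access-group INSIDE-OUT out
 ip access-group OUTSIDE-IN-REFLEXIVE in

! --- Option 4: IOS Firewall (CBAC) inspection + ACL ------------------------------
! Inspection follows the application layer: FTP's data channel is opened only when
! the control channel negotiates it, and TCP state and sequence checks are applied.
! The inbound ACL can be a plain deny; CBAC inserts the return-traffic entries itself.
ip inspect name INET-INSPECT tcp
ip inspect name INET-INSPECT udp
ip inspect name INET-INSPECT ftp
ip inspect name INET-INSPECT http
!
ip access-list extended OUTSIDE-IN-CBAC
 deny ip any any log
!
interface FastEthernet0/1
 ip inspect INET-INSPECT out
 ip access-group OUTSIDE-IN-CBAC in
```

The "deny ip any any log" at the end of each inbound ACL is what gives you visibility: anything not matching a dynamic entry is logged, so unexpected inbound hits on the outside interface show up in syslog rather than being silently dropped.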