Basic Security Features!

Jan 5th, 2009

Give some suggestions for applying important security features on an 1841 router.

It connects to a leased line and has 8 public IPs on the LAN side.

The purpose is to allow 12 users to use the Internet, but the users get private IPs from the main DHCP server, where I can mention the gateway or the router.

Can it be done only with NAT?

Does NAT alone protect the whole network?

How do we protect against external attacks? We need to allow only traffic originating from the internal network.

Give details of what external attacks need to be mitigated.

Thanks

sachinraja Tue, 01/06/2009 - 14:10

Hey Vannam

Yeah.. you gotta use NAT and do translation on the router.. you can actually do a global PAT, and translate all the users' private IPs to, say, the interface IP address.. This will make sure that the outbound connections are secure, and IP addresses are hidden..

To secure the router overall you can consider enabling the auto-secure feature, if you have 12.4 IOS.. this will turn off all unnecessary processes, like HTTP, finger service etc.. you can also put an access-list on the outside interface (connecting to the Internet) and allow only specific IP addresses.. You can block RFC 1918 private IP addresses from outside, as you don't need them.. If you need more security, you can have a dedicated IPS on the outside segment, as the router's internal IPS has really few signatures...

Basically you can harden your router, to increase the security on it.. search for router hardening in CCO, and you will find many docs..

Hope this helps.. all the best

Raj
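
The PAT and outside access-list setup described in the reply above, written out as an IOS configuration. This is an added example, not part of the original post; the interface names, the 192.168.1.0/24 inside range, the names INET-OUT and OUTSIDE-IN, and the use of `ip inspect` (which needs an IOS image with the firewall feature set) to admit return traffic are assumptions.

```cisco
! Constructed example. Assumptions: Serial0/0/0 = leased line (outside),
! FastEthernet0/0 = LAN (inside), inside users in 192.168.1.0/24,
! IOS 12.4 image that includes the firewall feature set (ip inspect).
!
! Inside hosts that may be translated
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Global PAT: every inside host shares the outside interface address
ip nat inside source list 10 interface Serial0/0/0 overload
!
! Stateful inspection: sessions opened from inside get a temporary
! opening in OUTSIDE-IN for their return traffic only
ip inspect name INET-OUT tcp
ip inspect name INET-OUT udp
ip inspect name INET-OUT icmp
!
ip access-list extended OUTSIDE-IN
 remark RFC 1918 sources must never arrive from the Internet
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 remark Nothing else may be initiated from outside
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat inside
!
interface Serial0/0/0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect INET-OUT out
!
! Checks from exec mode:
!   show ip nat translations
!   show access-lists OUTSIDE-IN
!   show ip inspect sessions
```

The three RFC 1918 entries are also covered by the final deny; keeping them separate gives each range its own hit counter and log lines in `show access-lists`.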

vannacisco Tue, 01/06/2009 - 23:13

Thank you!

I hope I can run SDM and create the security features.

Can we download IPS/IDS signature files free from Cisco if we have a CCO password?

Thanks.

vannacisco Wed, 01/07/2009 - 00:05

In addition to the NAT, I need to block PCs with their MAC address only passing through the Ethernet interface.

I want to create a sub-interface on the LAN side grouping all the PCs (MAC address wise), NATing the VLAN to our global IP addresses.

Will the idea work?

Thanks

vanna
