I've got a Cisco 2811 router which I'm installing as the link to our ISP, i.e. it's a border router
(outside our firewall and the next hop to the ISP's router).
It's a very simple setup - 2 interfaces (1 connected to the Internet and 1 to our firewall) and just
1 static route (a default route) going out to the Internet and no dynamic routing protocols.
I need to make it secure and was wondering if there was a best practices document. So far I've
connected to the web based SDM on the router and run the security lockdown feature. However I've
seen pictures on the Internet of a client based SDM which looked to have much more features than the
web based one. Is this still available and if so does it have more security features?
Is there a CLI based one step lockdown for the router?
Also, should I put an access list on the outside interface? Should I block traffic to the router
itself and just allow it to pass traffic through? Should I be blocking private address ranges from
the Internet side? What about multicast addresses (we are not running multicasting)? And perhaps
the address range on the outside of our firewall and inside interface of the router (anti-spoofing)?
Any advice appreciated,