Invisible Router Interface

Unanswered Question
Dec 14th, 2011

I'm interested in learning how to make a router interface as secure as possible. For example, consider a router whose main function is to connect a branch to an MPLS WAN, but also has a cable modem on Fa0/1 used for a VPN tunnel when the WAN goes down. I'd like Fa0/1 to be essentially invisible on the Internet, only permitting the required traffic for the VPN tunnel. To be clear, this discussion will not apply to 99% of routers, just to very special-purpose interfaces.


Here's what I've come up with. 169.254.0.1 is a placeholder for the local router's Internet IP address, and 169.254.111.111 is a placeholder for the remote router's Internet IP address:


ip access-list extended internet-in
 deny ip any any option any-options
 permit ip host 169.254.111.111 host 169.254.0.1
 permit icmp any host 169.254.0.1 packet-too-big
ip access-list extended internet-out
 deny ip any any option any-options
 permit ip host 169.254.0.1 host 169.254.111.111
interface FastEthernet0/1
 ip address 169.254.0.1 255.255.0.0
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 no ip proxy-arp
 no cdp enable

(if anyone knows how to get indents to stick, let me know and I'll fix it)


  • IP options are blocked to prevent spoofed source-routed packets from tunneling through the ACLs.
  • I just permit the bidirectional traffic based on IP address for now, but may lock it down to certain protocol numbers eventually.
  • PMTUD packets are specifically permitted from any source.
  • I want to be invisible to a port scan, so I disable IP unreachables.
  • Disabling proxy ARP and CDP is probably the least important, since they only impact the local subnet. But they both can leak information about the inside subnets.
  • There are a few commands I intentionally left out, because the strict ingress filtering makes them irrelevant. (e.g. disabling snmp)


My main concern with this is that I have no way of knowing what else I might be missing. It would be good if there were a Cisco document that documented this scenario. (I basically would like to see an official template of how to make an "invisible" interface, and then backtrack from there.) I was told that creating a post here was the best way of getting to the right people.


Are there any other commands that I should add? Is there a simpler or more foolproof way of doing this? The main thing I don't like about it is that the ACL does not apply to traffic originating from the router itself. (And I don't know exactly what that means either.) One misconfiguration (e.g. enabling RIP) could cause the router itself to start sending unwanted traffic out the interface. I'd like it if I could tell the router to enable the egress filtering even for traffic originating from the router. Then I wouldn't have to worry about figuring out all the protocols that could be active on the interface, disabling them individually.


Or maybe there is an existing Cisco document explaining this scenario?
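As an added example (not from the original post or any Cisco document), here is a small Python audit that checks a running-config excerpt against the template above: the interface must carry the no-unreachables, no-proxy-arp and no-cdp lines plus both access-groups, each ACL must lead with the IP-options deny, and every permit must be confined to the local/peer host pair (with the inbound PMTUD exception). The interface name, addresses and config text are constructed sample values; this is a config-level check only and, as the post notes, it cannot see router-originated traffic that the outbound ACL does not filter.

```python
import re

# Constructed sample: the ACLs and interface stanza from the post as one config excerpt.
SAMPLE_CONFIG = """
ip access-list extended internet-in
 deny ip any any option any-options
 permit ip host 169.254.111.111 host 169.254.0.1
 permit icmp any host 169.254.0.1 packet-too-big
ip access-list extended internet-out
 deny ip any any option any-options
 permit ip host 169.254.0.1 host 169.254.111.111
interface FastEthernet0/1
 ip address 169.254.0.1 255.255.0.0
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 no ip proxy-arp
 no cdp enable
"""

REQUIRED_IF_LINES = ("no ip unreachables", "no ip proxy-arp", "no cdp enable")

def parse_blocks(config):
    """Map each top-level stanza header to its indented child lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit_interface(config, ifname, local_ip, peer_ip):
    """Return findings for the 'invisible interface' template; empty list means it matches."""
    blocks = parse_blocks(config)
    iface = blocks.get(f"interface {ifname}", [])
    findings = [f"{ifname}: missing '{l}'" for l in REQUIRED_IF_LINES if l not in iface]
    for direction in ("in", "out"):
        names = [l.split()[2] for l in iface if re.fullmatch(rf"ip access-group \S+ {direction}", l)]
        if not names:
            findings.append(f"{ifname}: no access-group applied {direction}bound")
            continue
        entries = blocks.get(f"ip access-list extended {names[0]}", [])
        if not entries or not entries[0].startswith("deny ip any any option"):
            findings.append(f"{names[0]}: first entry must deny IP options")
        src, dst = (peer_ip, local_ip) if direction == "in" else (local_ip, peer_ip)
        for e in entries:
            if not e.startswith("permit"):
                continue
            ok_pair = f"host {src} host {dst}" in e           # strictly peer <-> local
            ok_pmtud = direction == "in" and e == f"permit icmp any host {local_ip} packet-too-big"
            if not (ok_pair or ok_pmtud):
                findings.append(f"{names[0]}: permit wider than the VPN peer: '{e}'")
    return findings
```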

Leo Laohoo Wed, 12/14/2011 - 13:24
permit ip host 169.254.111.111 host 169.254.0.1
permit icmp any host 169.254.0.1 packet-too-big
permit ip host 169.254.0.1 host 169.254.111.111
ip address 169.254.0.1 255.255.0.0

169.254.X.X???   Seriously???
