Layered Line of Defense

schroed
Level 1

Hi All;

I have a layered line of defense in trying to prevent outside unwanted traffic and attacks (i.e. spoofing, DDoS).

Currently I incorporate the usual OS updates, viral detections, and non-Cisco brand firewalls.

I also have two (2) Cisco routers that basically pass-through traffic to the firewalls, letting them filter out.

I would like to also edit my router configs to filter out unwanted traffic. Here are my configs for both routers. Any help would be appreciated with setting up some ACLs. TIA, Steve

ROUTER 1

Using 1074 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname
!
ip subnet-zero
ip domain-name
ip name-server
!
interface FastEthernet0/0
 description to
 ip address
 no ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0
 description to
 bandwidth 1536
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 frame-relay interface-dlci 500 IETF
!
interface Serial0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no scheduler allocate
end

ROUTER 2

Using 1075 out of 29688 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
ip subnet-zero
!
ip domain name
ip name-server
!
interface FastEthernet0/0
 description To
 duplex auto
 speed auto
!
interface Serial0/0
 description To
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 500 IETF
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
end


tbaranski
Level 4

There are a few different schools of thought on this. I'm in the "leave the filtering to the firewalls" camp, because firewalls are meant to filter traffic and routers are not. So unless there are hosts in between the routers and firewalls, I wouldn't put ACLs on the router other than to restrict management traffic (Telnet, SNMP, etc.) to the router itself.

Thanks for your response.

You're probably correct with leaving the routers "unfiltered". Here is what I have for telnet login in the config:

line con 0
 password
 login
 transport input none
line aux 0
line vty 0 4
 password
 login

Is there a way to lock this down further? Thanks in advance, Steve

Put an access-group on the VTY lines. I'll assume that your device is in a secure facility; if you can, make sure you run TACACS to record any logins.

Thanks everyone for your replies.

With regards to TACACS to record logins, what are the commands for the config file? Or is there a URL that shows this setup?

Also, is there an entry in the config that I can enter to specify an IP where the log files can be written?

Thanks, Steve

You can specify a syslog server with "logging host (ip-address)". I've never used TACACS; you should be able to find configuration information by searching for it on this site or Google.

As mentioned, you can apply an access-list to the VTY lines so that only specific hosts/subnets can Telnet to the router. For example:

access-list 1 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 1 in

I don't think you want to use TACACS for routers outside of your firewall. It would force you to punch an inbound hole in your firewall to access, of all things, your authentication server.

Use local authentication or better yet, do not allow telnet access to external routers. Use reverse telnet to the console ports.
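Putting the two replies above together (syslog host, access-class on the VTYs, local authentication instead of TACACS) against Steve's posted line configuration, here is an added example of what the management side could look like. It is not from any of the posters; 10.1.1.0/24 as the management subnet and 10.1.1.50 as the syslog host are placeholders, and the passwords are obviously placeholders too.

```cisco
! Added example, not from the thread. Placeholders: 10.1.1.0/24 is the
! management network behind the firewall, 10.1.1.50 is the syslog host.
service password-encryption
enable secret EnablePass-PLACEHOLDER
! Local account for "login local"; use "username ... secret" instead of
! "password" on IOS releases that support it (stronger hash).
username netadmin password LoginPass-PLACEHOLDER
!
! Only the management subnet may open a VTY; log everyone else who tries.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny   any log
!
! Ship the log (including the access-class denies above) off the router.
! Older releases accept the same thing as "logging 10.1.1.50".
logging host 10.1.1.50
logging trap informational
!
line con 0
 login local
 exec-timeout 5 0
 transport input none
line aux 0
 no exec
 transport input none
line vty 0 4
 access-class 10 in
 login local
 exec-timeout 5 0
 transport input telnet
```

The posted configs have "no service password-encryption" and a bare "password"/"login" on the VTYs, so this replaces both with per-user local logins, idles sessions out after five minutes, and closes the unused AUX port.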

I'm from the other school, which believes that every router should be locked down as far as possible to both protect the router and provide an extra layer of protection. In particular:

Routers outside the firewall should filter out all traffic coming in any port which does not make sense (inside source addresses in packets from the outside, inside destination addresses in packets from the inside, martian & broadcast source & destination addresses from anywhere, etc.)

Management traffic should only be accepted from inside addresses coming in from inside ports. Need access from the Internet? Set up an ssh server inside the firewall, ssh to it and telnet back to the router (or ssh if the router supports that). Even if the router supports ssh, force outside access to go through the firewall so you can detect someone knocking on the door.

Don't expect the router to protect you from anything, but do expect it to reduce the random noise the firewall is reporting so you can pay more attention to the firewall and have a better chance to detect real attempts to get in.

As always, your mileage may vary. For more on locking down routers, see Chapter 8 of my book, the numerous articles here on www.cisco.com, and search www.sans.org for cisco details.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
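As an added example of the rules Vincent lists (not code from him or from the thread), here is one way to write them for the routers posted above. Placeholders: 192.0.2.0/24 is the public subnet between router and firewall on FastEthernet0/0, 192.0.2.1 is the router's own address (which the unnumbered serial subinterface borrows), and Serial0/0.1 is the Internet-facing subinterface.

```cisco
! Added example, not from the thread. 192.0.2.0/24, 192.0.2.1 and the
! interface roles are placeholders matching the posted configs.
!
! Inbound from the Internet: drop anything claiming an inside, private,
! loopback, link-local or broadcast/multicast source, and anything aimed
! at the router itself (management comes only from the inside).
! Note the last deny also drops replies to sessions the router opens
! outbound (e.g. its own DNS lookups), which is intended here.
ip access-list extended FROM-INTERNET
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 31.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip any host 192.0.2.1 log
 permit ip any 192.0.2.0 0.0.0.255
 deny   ip any any log
!
! Outbound toward the Internet: only our own addresses may leave as a
! source, and an inside destination has no business going out this way.
ip access-list extended TO-INTERNET
 deny   ip any 192.0.2.0 0.0.0.255 log
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface Serial0/0.1 point-to-point
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out
```

Every deny is logged so the syslog host sees the noise instead of the firewall; once the counters show what is normal, drop the log keyword from the busiest lines to keep the router's CPU and the log volume down.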
