Step-by-step tutorial on "hardening" a Cisco Small Business Router...
I would REALLY appreciate someone pointing me towards some good, easy to follow advice on setting up a router / firewall such as the "RV" series (we are using an RV110w series).
More specifically, some advice on the "best practices" that people recommend in terms of making this device as secure as possible from outside intrusion. (I do realize there is quite a bit of 'general' information contained within the manual, however there really doesn't seem to be much in the way of "this is what you can do....but this is what we recommend that you do!").
Totally get that everyone has different goals, restrictions, and use cases ....this is obvious. But after purchasing this device in the hope that it would offer us a "much better" level of network protection (esp. firewall capabilities), I am finding it very difficult to find good information and instruction about how to set it up "the right way". (Also notice that there is a HEAP of stuff out there which requires the command line or IOS in order to implement......not so much for us lowly users who need to rely on the basic GUI).
The specifics of what we want to achieve:
1) Maximum protection for our small LAN (comprised of a mix of Apple (OS X) and Windows machines).
2) Complete explanation of which features should / shouldn't be turned on or off (in light of above) .....including pros and cons of doing so.
3) Any general tips, tricks or workarounds which can be utilized to really "harden" this device as much as possible. (eg. is it better to completely disable bonjour, IPV6, UPnP etc. to create a more robust and secure environment?)
Although I realize this device is sold and promoted specifically for its VPN functionality....we are at this stage not needing or wanting to use any VPN whatsoever.
We really just need this box to provide reliable and secure internet access for our LAN machines..... we don't want or need any kind of remote access, ssh, ftp or any "extras" at this point (especially given that these will likely just create more possible vectors for intrusion!?).
Ideally, I would just like to lock down and/or obfuscate as many ports and functions as possible whilst still allowing "normal" internet functionality for the LAN client browsers.
Something like this, but perhaps with clear, step-by-step "how to's" would be great!:
(am assuming that there is still quite a lot that can be done via the GUI before it becomes necessary to use command line?)
Currently the RV is connected to a Motorola cable modem via the WAN port (the Moto gets a static IP from the ISP; however, I was advised on another forum to leave the option "Enable DHCP Server" turned ON, even though this would seem to be counter-intuitive given that the RV is supposed to be doing the DHCP stuff?).
I couldn't even find clear instruction on whether the RV should be in "Gateway" or "Router" mode (it is in Gateway currently, as this is what the GUI wizard set up).
Clearly I am not an expert in this field, however I know enough to know that there are ways to make this device more secure (and something better than just running a wizard and hoping for the best!).
Looking forward to your thoughts, ideas and suggestions!!
Thanks for the tip
Yes, I have indeed read through the manual ....several times in fact. While there is certainly a plenitude of technical feature descriptions, what I find lacking is some actual "real world" / practical commentary about said features!
Remember, this unit is sold and marketed as a "Small Business" router and as such, I don't think it is particularly unthinkable that a large majority of end users are therefore likely to be individuals who run "small businesses" like I do. In other words, by definition, the intended customer is not as likely to have a full-time CTO / CSO on hand to implement and properly set-up these lower-end devices.
Clearly CISCO are aware of this, hence their use of a "one click wizard" on the GUI (and distinct lack of [as far as I can tell] any IOS or web-managed functionality).
While the wizard / GUI is great..... there is still a giant chasm between these "default" settings and actually getting the device properly set-up to achieve the end user's desired outcomes (which in my case I have already articulated above.)
I am NOT a network/sys admin, but I do understand the basic concepts associated with administrating and protecting a small network such as ours (and yes, I can read a manual too!). I also understand that making good, practical, well-documented "how-to and here's why" information available would go a long way to assisting customers like me achieve their goals.
Example of what I am talking about, taken from page 52 of the 150 page manual:
...half a page of technical explanation of 'what' and 'how' it works:
Configuring Routing (RIPng)
RIP Next Generation (RIPng) is a routing protocol based on the distance vector (D-V) algorithm. RIPng uses UDP packets to exchange routing information through port 521.
RIPng uses a hop count to measure the distance to a destination. The hop count is referred to as metric, or cost. The hop count from a router to a directly-connected network is 0. The hop count between two directly-connected routers is 1. When the hop count is greater than or equal to 16, the destination network or host is unreachable.
By default, the routing update is sent every 30 seconds. If the router receives no routing updates from a neighbor after 180 seconds, the routes learned from the neighbor are considered as unreachable. After another 240 seconds, if no routing update is received, the router removes these routes from the routing table.
...followed by just one sentence to let me know this feature is turned off by default:
Assuming this is a standard NAT router, you're probably well protected from the get-go.
Yes, you want it to be a router (assuming the Motorola is the modem).
The router will probably allow outgoing traffic by default and block incoming by default due to a combination of firewall rules and NAT.
So, to make it more secure:
Don't add WAN to LAN firewall rules unless you have to (ensure they are set to deny as the default).
Restrict LAN to WAN firewall rules (assuming it's wide open right now, which is standard in the consumer world) to only the outbound services you want people behind the router to be able to use.
Use scheduling to restrict any access (for example, if no one is in on weekends, shut down access for the weekends; i.e. it only really needs to be up during working hours, so restrict all other times).
Yup, don't turn on UPnP.
Make sure the default user password is changed and is as long and as random as possible.
IF you need to remotely manage the router from away or home, I suggest you use the VPN tunnel method to reach the router and then HTTPS via the web GUI (HTTPS by itself is good enough for learning and initial setup until the VPN method is established).
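To make the checklist in this answer concrete, here is an added example (my own code, not Cisco's or the RV110W's) that models the recommended policy as a small rule evaluator plus a settings audit. Rule contents, the working-hours schedule, the 16-character password threshold and the settings dictionary are constructed assumptions; on the real device these are GUI settings.

```python
"""Model of the hardening advice above: WAN->LAN default deny, LAN->WAN
allowlist, working-hours schedule, and an audit of risky GUI settings.
Added example with constructed data, not the router's own code."""
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Packet:
    direction: str            # "wan_to_lan" or "lan_to_wan"
    proto: str                # "tcp" or "udp"
    dport: int
    when: datetime
    reply_to_existing: bool = False   # return traffic of a LAN-initiated flow

@dataclass
class Policy:
    # Outbound services people behind the router may use (assumed set).
    outbound_allow: set = field(
        default_factory=lambda: {("udp", 53), ("tcp", 80), ("tcp", 443)})
    # Keep empty: no WAN->LAN rules means default deny inbound.
    inbound_allow: set = field(default_factory=set)
    work_days: range = field(default_factory=lambda: range(0, 5))   # Mon-Fri
    work_hours: range = field(default_factory=lambda: range(8, 18)) # 08-18

def decide(policy: Policy, pkt: Packet) -> str:
    """Return 'allow' or 'deny' for one packet under the policy."""
    if pkt.reply_to_existing:          # NAT/stateful tracking lets replies back in
        return "allow"
    if pkt.direction == "wan_to_lan":  # unsolicited inbound: only explicit rules
        return "allow" if (pkt.proto, pkt.dport) in policy.inbound_allow else "deny"
    # LAN->WAN: schedule first, then the outbound service allowlist
    off_hours = (pkt.when.weekday() not in policy.work_days
                 or pkt.when.hour not in policy.work_hours)
    if off_hours:
        return "deny"
    return "allow" if (pkt.proto, pkt.dport) in policy.outbound_allow else "deny"

def audit(settings: dict) -> list:
    """Flag GUI settings that contradict the advice; keys are assumed names."""
    findings = []
    if settings.get("upnp", False):
        findings.append("UPnP enabled: LAN hosts can open inbound ports themselves")
    if settings.get("remote_management", False) and settings.get("mgmt_proto") != "https":
        findings.append("remote management without HTTPS (prefer VPN + HTTPS)")
    if len(settings.get("admin_password", "")) < 16:      # assumed minimum length
        findings.append("admin password shorter than 16 characters")
    return findings
```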
Thanks for the post .... yeah, I have been trawling through dslreports and a few other sites looking for answers. Not much luck thus far unfortunately..... I think it might be a combination of this router still being quite new (to the market) and also that most people seem to be running some flavour of openwrt etc. (which I don't think the RV series can support yet?).
Your suggestion about running the device in "router" mode does make sense .....and is what I was kind of flummoxed on myself. The logical thing would be to do this given that, A) this is a "router" after all; and B) I am connecting this device to a Motorola modem which is our "gateway" to the internet....
Unfortunately, the manual doesn't help matters much (and in fact makes it even more confusing)...