Edge Router-Security

Rawa Salah
Level 1

Dears, hi,

Please, which ports should be blocked on the edge router to prevent attacks on my network from the Internet? Please give me some ports that are used by attackers.

8 Replies

Jeff Van Houten
Level 5

TCP ports 1-65535

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.


Jeff, what, no port zero?

Rawa, what Jeff is showing is that an edge device might be attacked on any port.

As a general rule, what you want to do is start by blocking all external traffic directed to the network device ITSELF.  But I don't mean traffic that's directed to the network device as a transit device.  (Understanding the difference between traffic directed to the network device as a host and traffic directed to network device as a transit, is important for defining security.)

You can then permit, very selectively, traffic that's allowed into the network device itself.  For example, you might allow BGP from a known BGP peer.  Or you might allow SSH to the device (if you needed to allow remote device access).

You can also deny, selectively, network traffic that wants to transit your device.  For example, you might deny traffic that has enabled source routing or has what appears to be invalid attributes.  An example of the latter, if your router was in front of some web servers and a mail server, you might block all non-HTTP/HTTPS traffic not directed to those web servers and/or SMTP not directed to the mail server.  (This latter isn't about protecting your edge device itself, but protecting your interior network.)
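The three steps described in the reply above (protect the device itself, then selectively permit traffic to it, then filter transit traffic) as one added IOS configuration example. This is not configuration from the thread or from any of its posters; the topology is constructed: outside interface GigabitEthernet0/0 at 203.0.113.1/30, an upstream BGP peer at 203.0.113.2 (only relevant if you actually run BGP), a management host 198.51.100.10 permitted to SSH, and publicly addressed inside servers 192.0.2.10-11 (web) and 192.0.2.20 (mail). All of those addresses, the ACL name EDGE-IN and the interface name are assumptions for the example.

```cisco
! Assumed topology (constructed for this example, not from the thread):
!   Gi0/0 = Internet uplink, 203.0.113.1/30; BGP peer 203.0.113.2
!   management host 198.51.100.10; web 192.0.2.10-11; mail 192.0.2.20
!
! Global: do not honour source-routed packets (the "invalid attribute" example)
no ip source-route
!
ip access-list extended EDGE-IN
 remark --- 1. traffic addressed to the router as a HOST ---
 remark     permit only what the device must accept, then deny the rest
 permit tcp host 203.0.113.2 host 203.0.113.1 eq bgp
 permit tcp host 203.0.113.2 eq bgp host 203.0.113.1
 permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
 permit icmp any host 203.0.113.1 echo
 permit icmp any host 203.0.113.1 unreachable
 permit icmp any host 203.0.113.1 time-exceeded
 deny   ip any host 203.0.113.1 log
 remark --- 2. anti-spoofing: our own and private prefixes never arrive from outside ---
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 203.0.113.0 0.0.0.3 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark --- 3. TRANSIT traffic: only the published services reach the inside ---
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.11 eq 80
 permit tcp any host 192.0.2.11 eq 443
 permit tcp any host 192.0.2.20 eq smtp
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (assumed)
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IN in
 no ip redirects
 no ip proxy-arp
 no ip unreachables
```

Two points worth checking before applying something like this: the two BGP lines are only needed if the router peers with 203.0.113.2 (the original poster says this router does not run BGP, so they would simply be left out), and the `deny ... log` lines should be rate-limited or removed on a busy link, since logging every dropped packet is itself a way for an attacker to load the router's CPU.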

Dear,

Please, I don't run BGP on this router. Can I protect this router or network from attack with an ACL, or do I need to install an ASA firewall?

The answer to 'can I protect this router with an ACL and other built-in services' is most likely yes. The answer to 'can I protect this internal network that this router is servicing' is most likely 'it depends'. You need to specifically describe what you are trying to protect and what you are attempting to protect it from.


Dear Jeff,

I want to protect my edge router and my network from attackers and malicious packets. I want to know: can I protect my network and router with an ACL? If I can, how can I do that, and which ports do I need to block with the ACL? If not, is it protected by an ASA firewall?

Please, I don't run BGP on this router. Can I protect this router or network from attack with an ACL, or do I need to install an ASA firewall?

Yes, you can protect your router from attack using ACLs.  Regarding protecting the rest of your network, i.e. do you need something like an ASA, that depends on the security needs of the rest of your network.

What firewalls offer, that "normal" ACLs usually don't do, is basing security on session state.  I.e. Firewalls often will restrict some/much external traffic to return traffic (some host on the inside had to start the session).

But do you need a firewall?

Again, depending on your interior network security needs, the security features of a router might be sufficient.  For example, you might only allow return traffic using a reflexive ACL (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html).  Or you might only allow TCP traffic that has the established bit set (this could be spoofed, but unless it matches what's expected by the host it's directed to, the host will drop it).  If you use NAT, return traffic must match an outbound session.  Additionally, beyond ACLs, Cisco routers often support a security feature set that provides additional firewall features, such as CBAC (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html) or ZFW (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html).

A dedicated firewall device, such as an ASA, is often needed when your security requirements cannot be met by the above.  Is this true for you?  Don't know.  If you don't know, that's a question probably better answered by obtaining personal consultation.  Network security, as a subject, is complex enough that Cisco offers security certifications from CCNA to CCIE.
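The two "return traffic only" options mentioned in the reply above, the weaker `established` match and a reflexive ACL, side by side as an added IOS example. It is not configuration from the thread. Assumptions: the outside interface is GigabitEthernet0/0, one public web server 192.0.2.10 is the only service exposed from outside, and the ACL names are invented for the example.

```cisco
! Constructed example: outside interface Gi0/0, published web server 192.0.2.10
!
! --- Option A (weak): "established" only tests the TCP ACK/RST flags ---
! Any outside host can craft a packet with ACK set to any inside port and
! this line lets it through; the inside host will usually reset it, but the
! packet still reaches it, so this is not session tracking.
ip access-list extended OUTSIDE-IN-WEAK
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any any established
 deny   ip any any
!
! --- Option B (better): reflexive ACL, the router records outbound sessions ---
! Every outbound TCP/UDP/ICMP flow creates a temporary mirror entry in the
! named reflexive list; inbound packets are only accepted if they match one.
ip access-list extended OUTSIDE-OUT
 permit tcp  any any reflect TCP-SESSIONS  timeout 300
 permit udp  any any reflect UDP-SESSIONS  timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30
 permit ip   any any
!
ip access-list extended OUTSIDE-IN
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet uplink (assumed)
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
```

An interface accepts only one ACL per direction, so in a real deployment the entries that protect the router itself (permit management SSH, deny everything else addressed to the router's own address) go into the same inbound list, above the `evaluate` lines. Reflexive ACLs cannot inspect application payloads, so protocols that open secondary connections (active FTP, SIP) need CBAC or ZFW inspection, which is where the firewall feature set the reply refers to starts to matter.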

Collin Clark
VIP Alumni

Security is best provided by depth. No single device can secure your network, it's a combination. The edge router should provide basic filtering. From there a firewall should filter what specific ports and protocols are allowed. Between the edge and the firewall it's common to put IPS for attack recognition and mitigation. I wrote a couple of blog posts on securing edge devices.

https://supportforums.cisco.com/people/Collin_Clark/blog/2013/07/15/public-internet-facing-acl
https://supportforums.cisco.com/people/Collin_Clark/blog/2013/11/08/control-plane-protection-cppr

Dears,

Can only an IPS protect the network from attack, or can an ACL filter the attack ports?