Cisco Support Community
New Member

Help me protect my LAN?

Hi guys,

I read the latest 2600 and it made me nervous. It said there was a way for hackers to attack a Cisco router with a flood attack and put it into a mode where all the router will do is route packets and drop its security. The hacker can then pull the config file and have their way with your network.

That being said, I went out and bought the book "Hardening Cisco Routers" and tried to follow it to the best of my abilities. I am just a student, not a professional so, please bear with me.

Here is a copy of my current config:

Current configuration : 1304 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname
!
enable secret 5
!
ip subnet-zero
no ip source-route
!
no ip bootp server
!
interface Ethernet0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
banner login ^C
WARNING!!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
^C
!
line con 0
 password
 login
line vty 0 4
 exec-timeout 0 1
 no login
 no exec
 transport input none
!
end

I don't see anything in here that will defeat a flood attack. Can anyone offer any suggestions to help make my router even more impervious to attack?

Thanks, Chris

4 REPLIES
Silver

Re: Help me protect my LAN?

Chris,

There are thousands of different types of attacks and a different remedy for most of them. I would recommend starting with the basics, which you can do with the router and code you are running. The following is a link to the NSA (National Security Agency) security hardening recommendations for Cisco routers: http://nsa1.www.conxion.com/cisco/download.htm

Different exploits (the Code Red virus, for example) took advantage of the router's fast-switching cache through the number of connections they would attempt to set up. Enabling CEF would help your router's memory.

After you do your risk assessment and determine what your risk is and what you're trying to protect, you might find that you want to look into the Firewall Feature Set, TCP Intercept, CBAC, SSH, and other security enhancements that have been put into IOS.

Here is a link on TCP syn type DOS attacks that might help you:

http://www.cisco.com/en/US/partner/tech/tk648/tk364/technologies_tech_note09186a00800f67d5.shtml

Looks like you're doing a pretty good job so far from your configuration...

Hope this helps,

Don
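As an added illustration of "starting with the basics" (this is not code from either poster or from Cisco), the script below parses an IOS running-config the way `show run` lays it out (one-space indentation under `interface` and `line` modes, `!` separators) and reports which of the hardening items raised in this thread are not explicit in it: the NSA-guide globals, `ip cef`, the per-interface ICMP/broadcast settings and the vty checks suggested later in the thread, plus any reversible type-7 password. The rule list is my own reading of the replies, the input is a trimmed copy of the posted config with the redacted values left blank, and release defaults are deliberately not assumed, so a finding means "confirm on the router", not "definitely wrong".

```python
import re

# Constructed input: the config posted above, trimmed to the lines that matter
# here, with IOS's one-space sub-mode indentation restored and the redacted
# values left blank.
POSTED_CONFIG = """\
no service password-encryption
hostname
enable secret 5
no ip source-route
no ip bootp server
!
interface Ethernet0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
no cdp run
!
line con 0
 password
 login
line vty 0 4
 no login
 no exec
 transport input none
"""

# Constructed counter-example: a vty opened for telnet without login, plus a
# type-7 (reversible) username password like the one in the last reply.
OPEN_VTY_CONFIG = """\
username whatever password 7 0538030C731C1E58150400
line vty 0 4
 transport input telnet
"""

SECTION_KEYWORDS = ("interface", "line", "router")

def parse_ios(text):
    """Return (global_lines, sections); sections maps a mode-entering line such
    as 'interface Ethernet0' to the indented lines beneath it."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
            continue
        global_lines.append(stripped)
        if stripped.split()[0] in SECTION_KEYWORDS:
            current = stripped
            sections.setdefault(current, [])
        else:
            current = None
    return global_lines, sections

# Global commands the replies (and the NSA guide Don links) want present
# verbatim. Some are release defaults that 'show run' omits, so a hit means
# "not explicit in this config" and should be confirmed on the router.
REQUIRED_GLOBAL = [
    "service password-encryption", "service tcp-keepalives-in",
    "service tcp-keepalives-out", "no service finger", "no ip source-route",
    "no ip bootp server", "no cdp run", "no ip http server", "ip cef",
]
REQUIRED_PER_INTERFACE = [
    "no ip redirects", "no ip unreachables", "no ip directed-broadcast",
    "no ip proxy-arp",
]

def audit(text):
    """Return one finding string per hardening item the config lacks."""
    global_lines, sections = parse_ios(text)
    present = set(global_lines)
    findings = [f"global: '{c}' not set" for c in REQUIRED_GLOBAL if c not in present]
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("global: no 'enable secret' configured")
    for name, body in sections.items():
        if name.startswith("interface "):
            findings += [f"{name}: '{c}' not set" for c in REQUIRED_PER_INTERFACE if c not in body]
            if "ip nat outside" in body and not any(
                    b.startswith("ip access-group ") and b.endswith(" in") for b in body):
                findings.append(f"{name}: NAT outside interface has no inbound access-group")
        elif name.startswith("line vty"):
            if "transport input none" in body:
                continue  # remote access is closed; nothing further to check
            if "transport input ssh" not in body:
                findings.append(f"{name}: transport input not limited to ssh (telnet is cleartext)")
            if not any(b == "login" or b.startswith("login ") for b in body):
                findings.append(f"{name}: no 'login' on an open vty")
            if not any(b.startswith("access-class ") for b in body):
                findings.append(f"{name}: no access-class restricting management sources")
    for line in global_lines + [b for body in sections.values() for b in body]:
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(f"reversible type-7 password: '{line}'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(POSTED_CONFIG)))
```

Run against the posted config it reports nothing for the vty lines, because `transport input none` closes them, and concentrates on the globals (`service password-encryption`, the keepalives, `no service finger`, `ip cef`) and the per-interface `no ip redirects` / `no ip unreachables` / `no ip directed-broadcast` lines. The type-7 check matters because `password 7` is a reversible obfuscation, not a hash; only `enable secret` (type 5) is an MD5 hash.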

New Member

Re: Help me protect my LAN?

Thank you for your response.

I did get a copy of the IOS feature set, but I still have to figure out how to use it. :) I am also still trying to figure out the proper use of access lists. If anyone could suggest any good books on either topic, I would be in their debt.

2600 is a scary mag. They make it sound so easy! But I guess it can't be, or the whole internet would grind to a halt.

Of all the networking topics I have studied, security is definitely the most interesting.

Silver

Re: Help me protect my LAN?

Here is a good link for ACL basics. Getting on CCO and searching on access-list, access lists, or ACL will give you a lot of information on this.

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

Hope this helps,

Don

New Member

Re: Help me protect my LAN?

A flood attack is difficult, but there are a few things that are best practice in security. Remember: an attack is not quite that simple, and consider not only availability but also confidentiality and integrity.

Add these lines to your config:

no service finger
service tcp-keepalives-in
service tcp-keepalives-out
aaa new-model
aaa authentication login default local
enable secret 5 $1$/fJS$XZJDfMrV4ksikDch4yrCL.
!
username whatever password 7 0538030C731C1E58150400
!
interface Ethernet
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
!
access-list 101 deny udp any any eq bootps log
access-list 101 deny udp any any eq bootpc log
access-list 101 deny udp any any eq tftp log
access-list 101 deny udp any any eq 79 log
access-list 101 deny udp any any eq sunrpc log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq snmp log
access-list 101 deny udp any any eq snmptrap log
access-list 101 deny udp any any eq 194 log
access-list 101 deny udp any any eq biff log
access-list 101 deny udp any any eq who log
access-list 101 deny udp any any eq 531 log
access-list 101 deny udp any any eq 540 log
access-list 101 deny udp any any eq 541 log
access-list 101 deny udp any any eq 1024 log
access-list 101 deny udp any any eq 2419 log
access-list 101 deny udp any any eq 4733 log
access-list 101 deny udp any any eq 2049 log
access-list 101 deny udp any any eq 31337 log
access-list 101 deny udp any any eq 4000 log
access-list 101 deny tcp any any eq 67 log
access-list 101 deny tcp any any eq 68 log
access-list 101 deny tcp any any eq 69 log
access-list 101 deny tcp any any eq finger log
access-list 101 deny tcp any any eq sunrpc log
access-list 101 deny tcp any any eq 135 log
access-list 101 deny tcp any any eq 137 log
access-list 101 deny tcp any any eq 138 log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny tcp any any eq 161 log
access-list 101 deny tcp any any eq 162 log
access-list 101 deny tcp any any eq irc log
access-list 101 deny tcp any any eq exec log
access-list 101 deny tcp any any eq login log
access-list 101 deny tcp any any eq cmd log
access-list 101 deny tcp any any eq 531 log
access-list 101 deny tcp any any eq 541 log
access-list 101 deny tcp any any eq uucp log
access-list 101 deny tcp any any eq 12345 log
access-list 101 deny tcp any any eq 12346 log
access-list 101 deny tcp any any eq 2001 log
access-list 101 deny tcp any any eq 2002 log
access-list 101 deny tcp any any eq 4000 log
access-list 101 deny tcp any any eq 5190 log
access-list 101 deny tcp any any eq 4001 log
access-list 101 deny tcp any any eq 6001 log
access-list 101 deny tcp any any eq 6002 log
access-list 101 deny udp any any eq 1080 log
access-list 101 deny igmp any any log
access-list 101 deny gre any any log
access-list 101 deny igrp any any log
access-list 101 permit ip any any

Apply this ACL with ip access-group 101 in on Ethernet0, which is the NAT outside interface.

Regards.
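To see what an extended ACL like the one above actually does to a given packet, here is an added first-match evaluator (my own code, not from the reply or from Cisco) for numbered extended ACLs of the shape used there: it resolves the IOS port keywords (`snmp`, `finger`, `exec`, ...), handles `any` / `host A` / `A WILDCARD` addresses, and walks the list in configuration order, returning the first matching entry or the implicit deny when nothing matches. The ACL text is a constructed excerpt of access-list 101 (the full list behaves identically), and the test packets use RFC 5737 documentation addresses; only a destination `eq` port is parsed, which is all the reply uses.

```python
import ipaddress

# IOS port keywords used in the reply's list, resolved to numbers.
PORT_NAMES = {
    "bootps": 67, "bootpc": 68, "tftp": 69, "finger": 79, "sunrpc": 111,
    "netbios-ns": 137, "netbios-dgm": 138, "snmp": 161, "snmptrap": 162,
    "irc": 194, "biff": 512, "exec": 512, "who": 513, "login": 513,
    "cmd": 514, "uucp": 540,
}

# Constructed excerpt of access-list 101 from the reply (the full list works
# the same way; a few entries are enough to show the matching order).
ACL_TEXT = """\
access-list 101 deny udp any any eq snmp log
access-list 101 deny udp any any eq 31337 log
access-list 101 deny tcp any any eq finger log
access-list 101 deny tcp any any eq 139 log
access-list 101 deny tcp any any eq 12345 log
access-list 101 deny igmp any any log
access-list 101 deny gre any any log
access-list 101 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _addr_match(spec, ip):
    addr, wildcard = spec
    # Wildcard bits set to 1 are "don't care", exactly as IOS treats them.
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def parse_acl(text, number):
    """Return the entries of numbered ACL `number` in configuration order.
    Only a destination 'eq' port is handled, which is all the reply uses."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            rest = rest[2:]
        entries.append({"action": action, "proto": proto, "src": src,
                        "dst": dst, "dport": dport, "log": "log" in rest})
    return entries

def evaluate(entries, proto, src, dst, dport=None):
    """First match wins. Returns (action, index_of_matching_entry, logged);
    index None means the implicit 'deny ip any any' at the end of every ACL."""
    s, d = _ip(src), _ip(dst)
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", proto):
            continue
        if not (_addr_match(e["src"], s) and _addr_match(e["dst"], d)):
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], i, e["log"]
    return "deny", None, False

ACL_101 = parse_acl(ACL_TEXT, 101)

if __name__ == "__main__":
    # Constructed packets using documentation addresses (RFC 5737).
    for proto, port in (("udp", 161), ("tcp", 23), ("tcp", 79), ("gre", None)):
        print(proto, port, evaluate(ACL_101, proto, "203.0.113.5", "192.0.2.1", port))
```

The point the evaluator makes is the order of operations: UDP/161 or TCP/79 inbound hit a logged `deny` line early, but anything not named (TCP/23, for instance) falls through every deny and is accepted by the closing `permit ip any any`; drop that last line and the same packet is silently dropped by the implicit deny, so this list is a blacklist with logging rather than a whitelist of what the LAN needs.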
