I read the latest 2600 and it made me nervous. It said there was a way for hackers to attack a cisco router with a flood attack and put it into a mode where all the router will do is route packets and drop its security. The hacker can then pull the config file and have their way with your network.
That being said, I went out and bought the book "Hardening Cisco Routers" and tried to follow it to the best of my abilities. I am just a student, not a professional so, please bear with me.
Here is a copy of my current config:
Current configuration : 1304 bytes
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
enable secret 5
no ip source-route
no ip bootp server
ip address dhcp
no ip proxy-arp
ip nat outside
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip nat inside source list 1 interface Ethernet0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
banner login ^C
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide the
results of such monitoring to appropriate officials.
^C
line con 0
line vty 0 4
 exec-timeout 0 1
 transport input none
I don't see anything in here that will defeat a flood attack. Can anyone offer any suggestions to help make my router even more impervious to attack?
There are thousands of different types of attacks and a different remedy for most of them. I would recommend starting with the basics, which you can do with the router and code you are running. The following is a link to the NSA (National Security Agency) with security hardening recommendations for Cisco routers. http://nsa1.www.conxion.com/cisco/download.htm
Different exploits (the Code Red virus, for example) took advantage of the router's fast switching cache by the number of connections they would attempt to set up. Enabling CEF would help your router's memory.
After you do your risk assessment and determine what your risk is and what you're trying to protect, you might find that you want to look into the Firewall Feature Set, TCP Intercept, CBAC, SSH, and other security enhancements that have been put into IOS.
Here is a link on TCP syn type DOS attacks that might help you:
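As an added example (not the original poster's config and not from any reply), here is a hardening fragment that implements the suggestions in this reply: CEF, CBAC with half-open session limits against SYN floods, an inbound filter on the outside interface, and SSH-only management. It assumes an IOS image with the Firewall feature set and crypto support, that Ethernet0 is the outside interface as in the posted config, and that the hostname, domain name, username and password are placeholders.

```cisco
! Added example, not the poster's config: hardening fragments that
! implement the suggestions above. Assumes IOS with the Firewall
! (CBAC) feature set and crypto support; Ethernet0 is the outside
! interface, as in the posted config. Names/passwords are placeholders.
service password-encryption
!
! CEF forwards from a precomputed table instead of a per-flow cache
ip cef
!
! CBAC: inspect sessions leaving via Ethernet0, open only return traffic
ip inspect name FW tcp
ip inspect name FW udp
! Half-open (SYN) session limits, lower than the 500/400 defaults for
! a small router; the oldest half-open sessions are dropped above "high"
ip inspect max-incomplete high 200
ip inspect max-incomplete low 150
ip inspect one-minute high 200
ip inspect one-minute low 150
ip inspect tcp synwait-time 20
!
! Inbound filter on the outside interface: allow DHCP replies to the
! "ip address dhcp" interface, block spoofed private sources, drop
! everything CBAC has not opened. "log" costs CPU under a flood.
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip any any log
!
interface Ethernet0
 ip access-group 101 in
 ip inspect FW out
 no ip directed-broadcast
 no ip redirects
!
! Management: SSH only, from the inside subnet, with an idle timeout.
! Keeping "transport input none" is stricter if no remote access is needed.
hostname gw
ip domain-name example.invalid
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
username admin secret CHANGE-ME
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
```

Check the result with `show ip inspect sessions` and `show access-lists` after some normal browsing: outbound sessions should appear as inspected and the inbound `deny ip any any` counter should only climb for unsolicited traffic.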
I did get a copy of the IOS feature set, but I still have to figure out how to use it. :) I am also still trying to figure out the proper use of access lists. If anyone could suggest any good books on either topic, I would be in their debt.
2600 is a scary mag. They make it sound so easy! But I guess it can't be, or the whole internet would grind to a halt.
Of all the networking topics I have studied, security is definitely the most interesting.
A flood attack is difficult, but there are a few things that are best practice in security. Remember: an attack is not quite that simple, and follow not only availability, but also confidentiality and integrity.