Question about securing 806 router

I have a few questions regarding securing interfaces. I have an 806 DSL router and was advised for security purposes to disable ICMP redirects, ICMP directed broadcasts, mask replies, unreachables, and Proxy ARP, among other things.

I was told these involve running the specific commands on every interface. My router has an e0, e1 and a dialer1. When I run "show int", I also see 2 virtual-access interfaces. The e1 is the one connected physically to the DSL modem and hence outside; e0 is for my inside network. I notice in the running config that there's an access list which permits ICMP echo, echo reply, packet too big, etc., and it is applied to the dialer1 interface, not the e1, which is connected to the modem.

My questions are:

1) If I turn off ICMP directed broadcasts, mask replies, etc., should I run the commands just on the dialer interface, which is the one that has the ACL applied to it and hence, I'm guessing, the one that actually faces the internet, or should I apply them on e0 and e1 as well?

2) If I create an access list to block all ICMP packets except for "packet too big", should I still worry about the redirects, mask replies, etc., or by blocking ICMP packets do I take care of that too? Again, which interface should I apply this ACL to? Should it be the dialer1 interface or e1, which is the one physically connected to the DSL modem?




1) At the least, turn off ICMP directed broadcasts, etc. on all interfaces that face the internet (i.e. e1 and your dialer interface), but you could and probably should also place them on your internal interfaces as well. In the absence of any real need, turn them off on all your interfaces (if for a test you found you needed it, you could turn that feature on temporarily).

2) Use the commands to block redirects/directed broadcasts/etc. as well as the ACL to block all ICMP except for "packet too big". Better safe than sorry. Place the ACL on the dialer interface.

Hope it helps.
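
An added example, not part of the original thread: a Python check that reads a saved running-config and lists, per interface, which of the features discussed above are still enabled. The sample config (addresses, ACL number 111) is constructed, and the on/off defaults are assumed to be those of IOS 12.0 and later.

```python
import re

# Interface features the answer recommends disabling. Assumption: IOS 12.0+
# defaults, where redirects, unreachables and proxy-arp are on unless negated,
# while directed-broadcast and mask-reply are off unless explicitly enabled.
ON_BY_DEFAULT = ("ip redirects", "ip unreachables", "ip proxy-arp")
OFF_BY_DEFAULT = ("ip directed-broadcast", "ip mask-reply")

# Constructed sample, not taken from the poster's router.
SAMPLE = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Ethernet1
 no ip address
 no ip redirects
 pppoe enable
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return {interface: [features still enabled]} for interfaces with findings."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        enabled = [f for f in ON_BY_DEFAULT if "no " + f not in cmds]
        # An explicit "ip directed-broadcast [acl]" line re-enables the feature.
        enabled += [f for f in OFF_BY_DEFAULT
                    if any(c == f or c.startswith(f + " ") for c in cmds)]
        if enabled:
            findings[name] = enabled
    return findings

if __name__ == "__main__":
    for iface, feats in audit(SAMPLE).items():
        print(f"{iface}: still enabled -> {', '.join(feats)}")
```
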


Thanks, that cleared things up!


