Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
250
Views
0
Helpful
2
Replies

Question about securing 806 router

lbogiani
Level 1
Level 1

‎02-05-2003 08:43 PM - edited ‎03-02-2019 04:50 AM

I have a few questions regarding securing interfaces. I have an 806 DSL router and was advised for security purposes to disable ICMP redirects, ICMP directed broadcasts, mask replies, unreachables, and Proxy ARP..among doing other things.

I was told these involve running the specific commands on every interface. My router has an e0, e1 and a dialer1. When I run "show int", I also see 2 virtual-access interfaces. The e1 is the one connected physically to the DSL modem and hence outside, e0 is for my inside network. I notice in the running config that there's an access list which permits icmp echo, echo reply, packet too big, etc.. and it is applied to the dialer1 interface not the e1 which is connected to the modem.

My questions are:

1)If I turn off IMCP directed broadcasts, mask replies, etc.. should I run the commands on just on the dialer interface which is the one that has the ACL applied to, and hence, Im guessing the one that actually faces the internet, or should I apply them on e0 and e1 as well.

2)If I create an access list to block all ICMP packets except for "packet too big" should I still worry about the redirects, mask repliets, etc...or by blocking ICMP packets i take care of that too. Again, which interface should I apply this ACL to? should it be the dialer1 interface or e1 which is the one physically connected to the dsl modem.

Thanks!

Louis

Labels:
0 Helpful
2 Replies 2

steve.barlow
Level 7
Level 7

‎02-06-2003 06:06 AM

1) At the least turn off icmp directed broadcasts, etc. on all interfaces that face the internet (i.e. e1 and your dialer interface), but you could and probably should also place them on your internal interfaces as well. In the absence of any real need, turn them off on all your interfaces (if for a test you found you needed it, you could turn that feature on temporarily).

2) Use the commands to block redirects/directed broadcasts/etc as well as the acl to block all icmp except for "packet too big". Better safe than sorry. Place the acl on the dialer interface.

Hope it helps.

Steve

0 Helpful

lbogiani
Level 1
Level 1
In response to steve.barlow

‎02-06-2003 10:17 PM

Thanks, that cleared things up!

Louis

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents