In the process of securing a Cisco 3640 router, I have decided to implement certain ACLs. I would be starting with anti-spoofing ACLs, then implementing ACLs to plug the different vulnerabilities that apply, and lastly ACLs for different virus/DoS attacks.
What I'm worried about is the performance penalty. Can I get any help on what the best practice should be before I go ahead with this, so that I can maintain a balance between performance and security?
Also, I would appreciate it if I could get any documentation on all this.
As you said, you will probably have an access list with all the deny statements and then the permit ip any any at the end of the list. I don't think you have to worry about a router performance issue. As a matter of fact, when you are under attack, the router will drop the packets even before it processes them, which may save your CPU utilization (applies to the inbound direction).
But if you are talking about IOS Firewall, that's another story.
It's just IOS with no firewall etc. My basic aim is to just allow incoming SMTP and other HTTP/S-based established connections. All other incoming traffic needs to be denied.
I would need comments on this ACL.
1. <------- Anti-spoofing denials placed here ------->
2. permit tcp any internal_network_IP mask established
3. permit tcp any my_mail_server eq smtp
And my last ACL would be
4. deny ip any any
I think with this I can have a smaller ACL and hence better performance.
This would just allow incoming SMTP traffic, as my mail server is in my private LAN and is statically NATed. Also, only established connections would be allowed, and everything else would be denied. Hence I don't have to plug in different entries for DoS/virus attacks.
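Here is what the list sketched in the post above could look like in full IOS syntax. This is an added example, not the poster's own configuration. The interface name Serial0/0, the internal public block 203.0.113.0/24 (TEST-NET-3) with the mail server's global address 203.0.113.25, and the WAN link address 198.51.100.2/30 (TEST-NET-2) are placeholders chosen for the example. Two points to check against your own setup: an inbound ACL on the outside interface is evaluated before outside-to-inside NAT, so the SMTP entry must name the mail server's public (translated) address rather than its private one; and the established keyword is not stateful, it only matches TCP segments with the ACK or RST bit set, so it also admits ACK scans and does nothing for UDP replies (DNS) or ICMP error messages, which this list drops.

```cisco
! Added example, not the original poster's configuration.
! Assumptions: outside interface Serial0/0, internal public block
! 203.0.113.0/24, mail server statically NATed to 203.0.113.25,
! WAN link 198.51.100.0/30. Substitute your own addresses.
!
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: our own block and non-routable sources never arrive from the ISP
 deny   ip 203.0.113.0 0.0.0.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 remark --- return traffic for TCP sessions opened from inside (ACK or RST bit set; not stateful)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark --- inbound mail: global (pre-NAT) address, because the inbound ACL runs before NAT
 permit tcp any host 203.0.113.25 eq smtp
 remark --- UDP replies (e.g. DNS) and ICMP errors are NOT matched by 'established';
 remark --- add explicit entries here if inside hosts need them
 remark --- everything else; 'log' helps while tuning but every logged hit costs CPU under a flood
 deny   ip any any log
!
interface Serial0/0
 description Link to ISP
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
```

Apply it inbound on the outside interface only. The anti-spoofing lines sit first so a spoofed packet is dropped on its first match and never reaches the established entry; the order of the remaining entries is what determines how much of the list a legitimate packet has to walk, so put the entry that matches the most traffic (established) ahead of the SMTP entry. Keep log off the high-volume deny entries, or only on the final deny while you are tuning, since logging is the part of ACL processing that actually loads the CPU during an attack.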
I would advise that you read the NSA/SNAC Router Security Configuration Guide. You can get it at the URL below. It is a good place to start. Just plan accordingly and apply ACLs accordingly, and you won't have a great impact on performance.