Additional Security Commands to Harden an Internet Exposed Router

patrick.hurley
Level 3

What commands would you suggest to add to a router that is exposed to the Internet to keep it from being attacked?

I have been given the following suggestions:

1) Add an access-class list to line vty 0 4 to ONLY allow internal users to telnet to the router.

2) Add the command "no ip source-route" in global config.

3) Add "no ip finger".

4) Add the following to the Internet interface:

ip verify unicast reverse-path
no ip redirects
no ip directed-broadcast
no ip proxy-arp
no cdp enable

3 Replies

rrbleeker
Level 1

The National Security Agency has published an excellent document describing Cisco router hardening. I would strongly recommend you to read this document and take the information that applies to your environment. You can find the document at http://nsa2.www.conxion.com/cisco/index.html

Thank you for posting such a valuable resource. Anyone who takes network security seriously should read this document.

thompson
Level 1

A couple you may want to add: service password-encryption. Also, I like to set up a null device and route all non-routable addresses to the null interface. You can add no ip mask-reply (it may be set this way by default). Another idea is to add the encryption module for the router/switch, use SSH and scrap telnet, and authenticate from a TACACS server. Depending on the traffic passing through the router and how much memory you have, enabling TCP intercept is a good idea. (The last one can be dangerous depending on your environment.)
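As an added example (not code from this thread or from Cisco), the script below audits a running-config against the items collected in the original post (vty access-class, no ip source-route, no ip finger, and the per-interface uRPF / redirects / directed-broadcast / proxy-arp / CDP settings) together with the ones thompson adds (service password-encryption, SSH instead of telnet on the vty lines, and Null0 routes for non-routable space). The running-config text is constructed for illustration, the check names are this script's own, and it also checks for `ip cef`, which `ip verify unicast reverse-path` depends on.

```python
"""Audit a Cisco IOS running-config for the hardening items discussed in this
thread.  Added example, not from the thread or from Cisco: the config text is
constructed for illustration and the check names are this script's own."""

# Constructed sample "show running-config" output.  A few of the thread's
# recommendations are deliberately left out so the audit has findings.
SAMPLE_CONFIG = """\
service password-encryption
ip cef
no ip source-route
no ip finger
!
interface Serial0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip directed-broadcast
 no cdp enable
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
!
line vty 0 4
 access-class 10 in
 transport input telnet
!
"""

# Global-configuration commands from the thread, with the reason for each.
GLOBAL_CHECKS = {
    "no ip source-route": "drop packets carrying IP source-route options",
    "no ip finger": "disable the finger service",
    "service password-encryption": "keep clear-text passwords out of the config",
    "ip cef": "CEF is a prerequisite for ip verify unicast reverse-path",
}

# Commands the original post recommends on the Internet-facing interface.
INTERFACE_CHECKS = [
    "ip verify unicast reverse-path",
    "no ip redirects",
    "no ip directed-broadcast",
    "no ip proxy-arp",
    "no cdp enable",
]

# RFC 1918 prefixes that thompson suggests routing to Null0.
RFC1918_NETWORKS = ("10.0.0.0", "172.16.0.0", "192.168.0.0")


def parse_sections(config_text):
    """Split IOS config text into {'global': [...], 'interface X': [...], ...}.
    Indented lines belong to the most recent interface/line/router header;
    everything else is global.  '!' comment lines are skipped."""
    sections = {"global": []}
    current = "global"
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ", "router ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit(config_text, internet_interface):
    """Return (status, item) pairs; status is 'ok' or 'missing'."""
    sections = parse_sections(config_text)
    glob = sections["global"]
    findings = []
    for cmd, why in GLOBAL_CHECKS.items():
        findings.append(("ok" if cmd in glob else "missing", f"{cmd} ({why})"))
    iface = sections.get(f"interface {internet_interface}", [])
    for cmd in INTERFACE_CHECKS:
        findings.append(("ok" if cmd in iface else "missing", f"{internet_interface}: {cmd}"))
    # Management plane: inbound access-class on the vty lines, SSH-only transport.
    vty = sections.get("line vty 0 4", [])
    has_acl = any(ln.startswith("access-class ") and ln.endswith(" in") for ln in vty)
    findings.append(("ok" if has_acl else "missing", "vty 0 4: inbound access-class"))
    transport = next((ln for ln in vty if ln.startswith("transport input")), "transport input (default)")
    findings.append(("ok" if transport == "transport input ssh" else "missing",
                     f"vty 0 4: transport input ssh (found: {transport})"))
    # Null routes for non-routable space.
    null_routed = {ln.split()[2] for ln in glob if ln.startswith("ip route ") and ln.endswith(" Null0")}
    for net in RFC1918_NETWORKS:
        findings.append(("ok" if net in null_routed else "missing", f"ip route {net} ... Null0"))
    return findings


def missing_items(config_text, internet_interface):
    """Only the items the audit could not find explicitly in the config."""
    return [item for status, item in audit(config_text, internet_interface) if status == "missing"]


if __name__ == "__main__":
    for status, item in audit(SAMPLE_CONFIG, "Serial0/0"):
        print(f"[{status:>7}] {item}")
```

Run against the constructed config it reports three gaps: `no ip proxy-arp` on Serial0/0, telnet still accepted on the vty lines, and no Null0 route for 192.168.0.0/16. Note that "missing" means "not shown explicitly": IOS omits default settings from `show running-config` (thompson's point about `no ip mask-reply`), so treat an absent line as something to confirm on the box, for instance with `show running-config all` on releases that support it, rather than as proof the setting is off.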