Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Additional Security Commands to Harden an Internet Exposed Router

What commands would you suggest to add to a router that is exposed to the Internet to keep it from being attacked?

I have been given the following suggestions:

1) Add an access-class list to line vty 0 4 to ONLY allow for internal users to telnet to the router.

2) add command "no ip source-route" in global

3) add "no ip finger"

4) add the following to Internet interface:

ip verify unicast reverse-path

no ip redirects

no ip directed-broadcast

no ip proxy-arp

no cdp enable

3 REPLIES
New Member

Re: Additional Security Commands to Harden an Internet Exposed R

The National Security Agency has published an excellent document describing Cisco routers hardening. I would stronly recommend you to read this document and take the information that applies to your environment. You can find the document at http://nsa2.www.conxion.com/cisco/index.html

New Member

Re: Additional Security Commands to Harden an Internet Exposed R

Thank you for posting such a valuable resource. Anyway who takes network security seriously should read this document.

New Member

Re: Additional Security Commands to Harden an Internet Exposed R

A couple you may want to add is service password encryption. Also, I like to set up a null device and route all non-routable addresses to the null interface. You can add no ip mask-reply (it may be set this way by default). Another idea is to add the encryption module for the router/switch and use SSH and scrap telnet and authenticate from a TACACS server. Depending on the traffic passing through the router and how much memory you have, enabling TCP intercept is a good idea. (The last one can be dangerous depending on your environment)

240
Views
0
Helpful
3
Replies
CreatePlease to create content