I would like to bring part of my conclusions in this document to the attention of the router developers:
I am, however, aware that my list of configuration commands to consider may also contain some errors. The way Cisco reveals a router configuration to its administrators is simply too unclear, and, like most other people, I do not have the time and the resources to learn everything about it. Probably the only people with enough knowledge to guarantee the correctness of such a list are the IOS developers at Cisco.
My second suggestion to Cisco is to re-engineer IOS drastically, in such a way that a configuration file gives a clear view of the detailed behaviour that can be expected from the router.
It will probably take several more IOS releases to reach such a situation. My short-term suggestion to the Cisco IOS developers is to publish a list of default active services and features, together with the correct configuration commands to disable (and re-enable) them. Ideally this list should be available for all IOS releases (and sub-releases where relevant), but starting with the most recent releases is probably best. These lists should be published on the Cisco web site. Every author, every course leader and every consultant will still have his or her own vision of the best way to secure Cisco routers, but at least they will be able to share the real facts on how a Cisco router works.