02-14-2008 06:25 AM - edited 03-03-2019 08:42 PM
Hi, I have this config that is used for our Cisco routers at remote sites. They connect to a Cisco Concentrator. We use 877s, 878s and 1841s and use this attached config (apart from some changes to the interfaces). Any tweaks would be most welcome.
Many thanks
I was just wondering if the config looks OK or could be done better. I know nothing is 100% secure, but I just want a second opinion. Any IPs that appear as x.x.156.64 or x.x.156.100 are the external public-facing IPs of our HQ.
02-14-2008 06:56 AM
Hi Whiteford,
A few lines from me:
1. You may want to enable "service password-encryption".
2. Enable AES rather than 3DES (I'm not sure whether this router / IOS supports it or not).
3. Are you sure you need IP NBAR? If yes, then I would request you to check with your carrier whether they support QoS over the Internet; otherwise it's just an overhead.
4. Finally, an easy way to secure the router would be to run AutoSecure, very much like AutoQoS.
Hope that helps,
Please rate if it's helpful.
Kind Regards,
Wilson Samuel
02-14-2008 06:59 AM
Thanks, AutoSecure? What is this?
02-14-2008 08:03 AM
This link may be helpful
Please rate if it helps,
Kind Regards,
Wilson Samuel
02-14-2008 12:03 PM
Thanks, is AES better than MD5 then?
02-17-2008 03:03 AM
Hi,
You can...
- use "enable secret" instead of "enable password"
- use AES-256/SHA instead of 3DES/MD5
- enable "service password-encryption"
- disable http server
- disable http secure-server
- put an ACL on VTY
- put an ACL on NTP
- put an ACL on SNMP
See this link for more...
http://www.cymru.com/Documents/secure-ios-template.html
Regards,
Dandy
02-17-2008 07:14 AM
Can Cisco 877 use AES-256/SHA instead of 3DES/MD5?
What's the difference between "enable secret" and "enable password"?
02-17-2008 07:31 AM
Hi,
Cisco 870 series routers support AES for IPsec: http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976_ps380_Products_Data_Sheet.html
I find AES faster than 3DES; I read in some document that some AES implementations are up to 6x faster than 3DES.
The encryption scheme of "enable password" is weak. It should not be used in any implementation.
BTW, to add to your security: if you can use AAA for authentication it would be best, and only use the local account for emergencies and change its password once it has been used. Some procedures put this emergency account name and password in a security envelope and keep it in a safe inside the data centre, accessible only to a few personnel with a sign-on/off record.
Regards,
Dandy
02-17-2008 10:20 AM
I'll try and get the 877's to use AES-256/SHA instead of 3DES/MD5
As these are live VPN routers, what would be the best way to move them over?
02-17-2008 10:41 AM
Is that AES-256/SHA change just for the encryption? Below is just an example of one of my VPN configs; what would I change:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key jgC12345h%1a address *.*.*.*
!
!
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
set peer *.*.*.*
set transform-set T_Set
match address 101
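As an added example (not part of the thread and not Cisco's code), here is a small Python audit script that checks an IOS config for the items raised above: enable password instead of enable secret, missing service password-encryption, the HTTP servers, 3DES/MD5 in the ISAKMP policy and transform set, and VTY lines without an access-class. The sample config is constructed to mirror the posted one (the peer address is RFC 5737 documentation space, and the pre-shared key, enable secret and management subnet are placeholders); the hardened counterpart shows the same config with those items changed, so the script returns no findings for it.

```python
import re

# Constructed sample, modelled on the crypto config posted above. The peer is a
# documentation address; the PSK and enable secret are placeholders, not real values.
WEAK_CONFIG = """\
hostname remote-877
enable password cisco123
ip http server
ip http secure-server
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
!
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set T_Set
 match address 101
line vty 0 4
 login local
"""

# Same config with the thread's suggestions applied (constructed; MGMT_HOSTS is an assumed ACL name).
HARDENED_CONFIG = """\
hostname remote-877
service password-encryption
enable secret PLACEHOLDER_ENABLE_SECRET
no ip http server
no ip http secure-server
ip access-list standard MGMT_HOSTS
 permit 192.0.2.0 0.0.0.255
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
!
crypto ipsec transform-set T_Set esp-aes 256 esp-sha-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set T_Set
 match address 101
line vty 0 4
 access-class MGMT_HOSTS in
 login local
"""

# (finding id, regex applied to each stripped config line, suggested change)
CHECKS = [
    ("enable-password", r"^enable password\b", "use 'enable secret' instead"),
    ("3des", r"\b(encr 3des|esp-3des)\b", "use 'encr aes 256' / 'esp-aes 256'"),
    ("md5", r"\b(hash md5|esp-md5-hmac)\b", "use 'hash sha' / 'esp-sha-hmac'"),
    ("ip-http-server", r"^ip http server$", "add 'no ip http server'"),
    ("ip-http-secure-server", r"^ip http secure-server$", "add 'no ip http secure-server'"),
]
EXTRA_ADVICE = {
    "no-service-password-encryption": "add 'service password-encryption'",
    "vty-no-access-class": "apply 'access-class <acl> in' under 'line vty'",
}


def vty_blocks(lines):
    """Yield the child lines of each 'line vty ...' block (IOS indents children by one space)."""
    block = None
    for raw in lines:
        if raw.startswith(" ") and block is not None:
            block.append(raw.strip())
            continue
        if block is not None:
            yield block
            block = None
        if raw.startswith("line vty"):
            block = []
    if block is not None:
        yield block


def audit_ios_config(config):
    """Return the sorted list of finding ids for the hardening points raised in the thread."""
    lines = config.splitlines()
    stripped = [line.strip() for line in lines]
    findings = set()
    for fid, pattern, _advice in CHECKS:
        if any(re.search(pattern, line) for line in stripped):
            findings.add(fid)
    if "service password-encryption" not in stripped:
        findings.add("no-service-password-encryption")
    for block in vty_blocks(lines):
        if not any(child.startswith("access-class") for child in block):
            findings.add("vty-no-access-class")
    return sorted(findings)


def report(config):
    """Human-readable findings: '<id>: <suggested change>'."""
    advice = {fid: a for fid, _p, a in CHECKS}
    advice.update(EXTRA_ADVICE)
    return [f"{fid}: {advice[fid]}" for fid in audit_ios_config(config)]


if __name__ == "__main__":
    for name, cfg in (("posted config", WEAK_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"{name}: {report(cfg) or ['no findings']}")
```

Run it against a saved `show running-config` to get the checklist as findings; the regexes are deliberately literal so they only flag the exact commands discussed here and will not catch every weak setting an IOS config can contain.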
02-17-2008 04:29 AM
You might also let SDM scan one of your router configs and review its security recommendations.
More info on SDM: http://www.cisco.com/en/US/products/sw/secursw/ps5318/tsd_products_support_series_home.html
PS:
You don't have to load SDM on the router to use it from a PC.