Hi, I have this config that is used for our Cisco routers at remote sites. They connect to a Cisco Concentrator. We use 877's, 878's and 1841's and use this attached config (apart from some changes to the interfaces). Any tweaks would be most welcome.
I was just wondering if the config looks ok or could be done better. I know nothing is 100% secure, but just want a second opinion. Any IPs that appear as x.x.156.64 or x.x.156.100 are the external public-facing IPs of our HQ.
A few lines from me:
1. You may want to enable "Service Password Encryption"
2. Enable AES rather than 3DES (I'm not sure whether this router / IOS supports it or not)
3. Are you sure you need IP NBAR? If yes then I would request you to check with your Carrier if they support QoS over Internet, otherwise it's just overhead.
4. Finally an easy way to secure the router would be to run AutoSecure, very much like Auto QoS.
Hope that helps,
Please rate if it's helpful.
This link may be helpful
Please rate if it helps,
- use "enable secret" instead of "enable password"
- use AES-256/SHA instead of 3DES/MD5
- enable "service password-encryption"
- Disable http-server
- disable http secure-server
- put ACL in VTY
- put ACL in NTP
- put ACL in SNMP
See this link for more...
Can Cisco 877 use AES-256/SHA instead of 3DES/MD5?
What's the difference between "enable secret" and "enable password"?
Cisco 870 series routers support AES for IPsec: http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976_ps380_Products_Data_Sheet.html
I find AES faster than 3DES; I read a document saying that some AES implementations are up to 6x faster than 3DES.
The encryption scheme of "enable password" is weak. It should not be used in any implementation.
BTW, to add to your security: if you can use AAA for authentication it would be best, and only use the local account for emergencies and change its password once it has been used. Some procedures put this emergency account name and password in a security envelope kept in a safe inside the data centre, accessible only to a few personnel with a sign on/off record.
I'll try and get the 877's to use AES-256/SHA instead of 3DES/MD5
As these are live VPN routers, what would be the best way to move them over?
Is that AES-256/SHA change just for the encryption? Below is just an example of one of my VPN configs; what would I change:
crypto isakmp policy 1
crypto isakmp key jgC12345h%1a address *.*.*.*
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
crypto map Crypto_Map 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set T_Set
 match address 101
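As an added illustration (not the original poster's config and not Cisco documentation), here is one way to stage the move from 3DES/MD5 to AES-256/SHA on the posted crypto map so the existing tunnel keeps working while the concentrator end is updated. The sub-commands under isakmp policy 1 are assumed (the post shows only the header), and the names T_Set_AES and policy 5 are invented for this example.

```cisco
! Phase 1 (ISAKMP) and phase 2 (IPsec) both carry the old algorithms,
! so both need changing. Policy 1 is assumed to look like this today:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key jgC12345h%1a address *.*.*.*
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac

! Step 1 (remote router, tunnel stays up): add an AES-256/SHA policy
! and transform set ALONGSIDE the old ones. Both proposals are now
! offered, so the peer can still pick 3DES until it is upgraded.
crypto isakmp policy 5
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set T_Set_AES esp-aes 256 esp-sha-hmac
crypto map Crypto_Map 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set T_Set_AES T_Set
 match address 101

! Step 2 (concentrator end): add the matching AES-256/SHA IKE policy
! and transform set there in the same way.

! Step 3 (after both ends negotiate AES; check with
! "show crypto isakmp sa" and "show crypto ipsec sa"): drop 3DES/MD5
! so it can no longer be negotiated.
crypto map Crypto_Map 10 ipsec-isakmp
 set transform-set T_Set_AES
no crypto ipsec transform-set T_Set
crypto isakmp policy 1
 encr aes 256
 hash sha
no crypto isakmp policy 5
```

Removing a transform set or editing the IKE policy can cause a re-key, so do step 3 in a maintenance window and on the concentrator side last, after every remote router offers AES.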
You might also let SDM scan one of your router configs and review its security recommendations.
You don't have to load SDM on the router to use it from a PC.