Cisco Support Community
New Member

Does this router config look secure enough?

Hi, I have this config that is used for our Cisco routers at remote sites. They connect to a Cisco Concentrator. We use 877's, 878's and 1841's and use this attached config (apart from some changes to the interfaces). Any tweaks would be most welcome.

Many thanks

I was just wondering if the config looks ok or could be done better. I know nothing is 100% secure, but I just want a second opinion. Any IP's that appear as x.x.156.64 or x.x.156.100 are our external public-facing IP's of our HQ.

10 REPLIES

Re: Does this router config look secure enough?

Hi Whiteford,

A few lines from me:

1. You may want to enable "Service Password Encryption"

2. Enable AES rather than 3DES (I'm not sure whether this router / IOS supports it or not)

3. Are you sure you need IP NBAR? If yes, then I would request you to check with your Carrier whether they support QoS over the Internet; otherwise it's just overhead.

4. Finally an easy way to secure router would be to run AutoSecure, very much like Auto Qos.

Hope that helps,

Please rate if it's helpful.

Kind Regards,

Wilson Samuel

New Member

Re: Does this router config look secure enough?

Thanks, AutoSecure? What is this?

Re: Does this router config look secure enough?

New Member

Re: Does this router config look secure enough?

Thanks, is AES better than MD5 then?

Re: Does this router config look secure enough?

Hi,

You can...

- use "enable secret" instead of "enable password"

- use AES-256/SHA instead of 3DES/MD5

- enable "service password-encryption"

- Disable http-server

- disable http secure-server

- put ACL in VTY

- put ACL in NTP

- put ACL in SNMP

See this link for more...

http://www.nsa.gov/snac/

http://www.cymru.com/Documents/secure-ios-template.html

Regards,

Dandy

New Member

Re: Does this router config look secure enough?

Can Cisco 877 use AES-256/SHA instead of 3DES/MD5?

What's the difference between "enable secret" and "enable password"?

Re: Does this router config look secure enough?

Hi,

Cisco 870 series routers support AES for IPSec: http://www.cisco.com/en/US/prod/collateral/routers/ps380/ps6200/product_data_sheet0900aecd8028a976_ps380_Products_Data_Sheet.html

I find AES faster than 3DES; I read in a document that some AES implementations are up to 6x faster than 3DES.

The encryption scheme of "enable password" is weak. It should not be used in any implementation.

BTW, to add to your security: if you can use AAA for authentication, that would be best, and only use the local account for emergencies and change its password once it has been used. Some procedures put this emergency account name and password in a security envelope kept in a safe inside the data centre, accessible only to a few personnel with a sign on/off record.

Regards,

Dandy

New Member

Re: Does this router config look secure enough?

I'll try and get the 877's to use AES-256/SHA instead of 3DES/MD5

As these are live VPN routers, what would be the best way to move them over?

New Member

Re: Does this router config look secure enough?

Is that AES-256/SHA change just for the encryption? Below is just an example of one of my VPN configs; what would I change?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key jgC12345h%1a address *.*.*.*
!
!
crypto ipsec transform-set T_Set esp-3des esp-md5-hmac
!
crypto map Crypto_Map 10 ipsec-isakmp
 set peer *.*.*.*
 set transform-set T_Set
 match address 101

Super Bronze

Re: Does this router config look secure enough?

You might also let SDM scan one of your router configs and review its security recommendations.

More info on SDM: http://www.cisco.com/en/US/products/sw/secursw/ps5318/tsd_products_support_series_home.html

PS:

You don't have to load SDM on the router to use it from a PC.
