Invisible Router Interface

markdascher (Level 1)

I'm interested in learning how to make a router interface as secure as possible. For example, consider a router whose main function is to connect a branch to an MPLS WAN, but also has a cable modem on Fa0/1 used for a VPN tunnel when the WAN goes down. I'd like Fa0/1 to be essentially invisible on the Internet, only permitting the required traffic for the VPN tunnel. To be clear, this discussion will not apply to 99% of routers, just to very special-purpose interfaces.

Here's what I've come up with. 169.254.0.1 is a placeholder for the local router's Internet IP address, and 169.254.111.111 is a placeholder for the remote router's Internet IP address:

ip access-list extended internet-in
 deny ip any any option any-options
 permit ip host 169.254.111.111 host 169.254.0.1
 permit icmp any host 169.254.0.1 packet-too-big

ip access-list extended internet-out
 deny ip any any option any-options
 permit ip host 169.254.0.1 host 169.254.111.111

interface FastEthernet0/1
 ip address 169.254.0.1 255.255.0.0
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 no ip proxy-arp
 no cdp enable

(if anyone knows how to get indents to stick, let me know and I'll fix it)

  • IP options are blocked to prevent spoofed source-routed packets from tunneling through the ACLs.
  • I just permit the bidirectional traffic based on IP address for now, but may lock it down to certain protocol numbers eventually.
  • PMTUD packets are specifically permitted from any source.
  • I want to be invisible to a port scan, so I disable IP unreachables.
  • Disabling proxy ARP and CDP are probably the least important, since they only impact the local subnet. But they both can leak information about the inside subnets.
  • There are a few commands I intentionally left out, because the strict ingress filtering makes them irrelevant. (e.g. disabling snmp)


My main concern with this is that I have no way of knowing what else I might be missing. It would be good if there were a Cisco document that documented this scenario. (I basically would like to see an official template of how to make an "invisible" interface, and then backtrack from there.) I was told that creating a post here was the best way of getting to the right people.

Are there any other commands that I should add? Is there a simpler or more foolproof way of doing this? The main thing I don't like about it is that the ACL does not apply to traffic originating from the router itself. (And I don't know exactly what that means either.) One misconfiguration (e.g. enabling RIP) could cause the router itself to start sending unwanted traffic out the interface. I'd like it if I could tell the router to enable the egress filtering even for traffic originating from the router. Then I wouldn't have to worry about figuring out all the protocols that could be active on the interface, disabling them individually.

Or maybe there is an existing Cisco document explaining this scenario?
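To make the behaviour of the two ACLs concrete, here is a small Python model of first-match ACL evaluation (added as an illustration; it is not code from the original post or from Cisco). It reproduces the `internet-in` and `internet-out` lists above, including the implicit deny at the end of every IOS ACL, and it models the gap raised in the post: an outbound interface ACL on IOS is not applied to packets the router itself generates. The addresses are the post's placeholders; the scanner and PMTUD source addresses (203.0.113.5, 198.51.100.7) and the `Packet`/`Rule` structures are constructed for this example.

```python
"""Toy first-match evaluator for the two extended ACLs in the post above."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str                        # "ip" is never a packet protocol; use tcp/udp/icmp/esp
    src: str
    dst: str
    has_options: bool = False         # True if the IP header carries options (e.g. source route)
    icmp_type: Optional[str] = None   # e.g. "packet-too-big"
    router_originated: bool = False   # True for packets the router itself generates


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches every protocol, like the IOS keyword
    src: str                          # host address or ANY
    dst: str
    any_options: bool = False         # models "option any-options"
    icmp_type: Optional[str] = None   # models an ICMP type keyword such as packet-too-big

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != ANY and self.src != p.src:
            return False
        if self.dst != ANY and self.dst != p.dst:
            return False
        if self.any_options and not p.has_options:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; an implicit 'deny ip any any' ends every ACL."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


LOCAL = "169.254.0.1"        # placeholder from the post: local Internet address
REMOTE = "169.254.111.111"   # placeholder from the post: remote tunnel peer

INTERNET_IN = [
    Rule("deny", "ip", ANY, ANY, any_options=True),
    Rule("permit", "ip", REMOTE, LOCAL),
    Rule("permit", "icmp", ANY, LOCAL, icmp_type="packet-too-big"),
]
INTERNET_OUT = [
    Rule("deny", "ip", ANY, ANY, any_options=True),
    Rule("permit", "ip", LOCAL, REMOTE),
]


def filter_inbound(p: Packet) -> str:
    return evaluate(INTERNET_IN, p)


def filter_outbound(p: Packet) -> str:
    # IOS does not run an outbound interface ACL against packets the router
    # itself generates; modelled here because that is the gap the post describes.
    if p.router_originated:
        return "permit"
    return evaluate(INTERNET_OUT, p)


def scenarios() -> Dict[str, str]:
    """Constructed sample packets and the verdict each ACL gives them."""
    return {
        "tunnel_peer_in":      filter_inbound(Packet("esp", REMOTE, LOCAL)),
        "scan_from_internet":  filter_inbound(Packet("tcp", "203.0.113.5", LOCAL)),
        "pmtud_from_anywhere": filter_inbound(Packet("icmp", "198.51.100.7", LOCAL,
                                                     icmp_type="packet-too-big")),
        "ping_from_anywhere":  filter_inbound(Packet("icmp", "198.51.100.7", LOCAL,
                                                     icmp_type="echo")),
        "source_routed_peer":  filter_inbound(Packet("esp", REMOTE, LOCAL, has_options=True)),
        "tunnel_peer_out":     filter_outbound(Packet("esp", LOCAL, REMOTE)),
        "transit_leak_out":    filter_outbound(Packet("udp", LOCAL, "203.0.113.5")),
        "router_rip_out":      filter_outbound(Packet("udp", LOCAL, "224.0.0.9",
                                                      router_originated=True)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} {verdict}")
```

The last scenario is the point of the post: a transit packet to an unexpected destination is dropped by `internet-out`, but a router-generated routing update to the same interface is not evaluated against it, so the egress ACL alone does not protect against an accidental `network` statement.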

1 Reply

Leo Laohoo (Hall of Fame)

permit ip host 169.254.111.111 host 169.254.0.1

permit icmp any host 169.254.0.1 packet-too-big

permit ip host 169.254.0.1 host 169.254.111.111

ip address 169.254.0.1 255.255.0.0

169.254.X.X???   Seriously???
