I'm interested in learning how to make a router interface as secure as possible. For example, consider a router whose main function is to connect a branch to an MPLS WAN, but also has a cable modem on Fa0/1 used for a VPN tunnel when the WAN goes down. I'd like Fa0/1 to be essentially invisible on the Internet, only permitting the required traffic for the VPN tunnel. To be clear, this discussion will not apply to 99% of routers, just to very special-purpose interfaces.
Here's what I've come up with. 169.254.0.1 is a placeholder for the local router's Internet IP address, and 169.254.111.111 is a placeholder for the remote router's Internet IP address:
ip access-list extended internet-in
 deny ip any any option any-options
 permit ip host 169.254.111.111 host 169.254.0.1
 permit icmp any host 169.254.0.1 packet-too-big
ip access-list extended internet-out
 deny ip any any option any-options
 permit ip host 169.254.0.1 host 169.254.111.111
! interface stanza header assumed from the post (the cable-modem port Fa0/1)
interface FastEthernet0/1
 ip address 169.254.0.1 255.255.0.0
 ip access-group internet-in in
 ip access-group internet-out out
 no ip unreachables
 no ip proxy-arp
 no cdp enable
(if anyone knows how to get indents to stick, let me know and I'll fix it)
IP options are blocked to prevent spoofed source-routed packets from tunneling through the ACLs.
I just permit the bidirectional traffic based on IP address for now, but may lock it down to certain protocol numbers eventually.
PMTUD packets are specifically permitted from any source.
I want to be invisible to a port scan, so I disable IP unreachables.
Disabling proxy ARP and CDP is probably the least important, since they only impact the local subnet. But they both can leak information about the inside subnets.
There are a few commands I intentionally left out, because the strict ingress filtering makes them irrelevant (e.g. disabling SNMP).
My main concern with this is that I have no way of knowing what else I might be missing. It would be good if there were a Cisco document that documented this scenario. (I basically would like to see an official template of how to make an "invisible" interface, and then backtrack from there.) I was told that creating a post here was the best way of getting to the right people.
Are there any other commands that I should add? Is there a simpler or more foolproof way of doing this? The main thing I don't like about it is that the ACL does not apply to traffic originating from the router itself. (And I don't know exactly what that means either.) One misconfiguration (e.g. enabling RIP) could cause the router itself to start sending unwanted traffic out the interface. I'd like it if I could tell the router to enable the egress filtering even for traffic originating from the router. Then I wouldn't have to worry about figuring out all the protocols that could be active on the interface, disabling them individually.
Or maybe there is an existing Cisco document explaining this scenario?
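One way to sanity-check the intent of the inbound ACL offline before it goes on the box, as an added example that is not part of the original post and not Cisco code: a small Python evaluator that parses the ACEs the post uses and walks them top-down with the implicit deny, so you can assert that a scanner's probes are dropped, that the peer's traffic and PMTUD messages pass, and that option-bearing packets are dropped even from the peer. The router and peer addresses are the post's placeholders; the scanner address 198.51.100.7 and the harness itself are constructed.

```python
# Constructed test harness for the ACLs in the post above (added example,
# not Cisco code).  It models only the ACE forms the post uses:
#   deny|permit ip <src> <dst> [option any-options]
#   permit icmp <src> <dst> <icmp-type>
# where <src>/<dst> is "any" or "host A.B.C.D".  IOS walks ACEs top-down and
# applies an implicit deny at the end; both behaviours are reproduced here.
from dataclasses import dataclass

INTERNET_IN = """
ip access-list extended internet-in
 deny ip any any option any-options
 permit ip host 169.254.111.111 host 169.254.0.1
 permit icmp any host 169.254.0.1 packet-too-big
"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"         # "tcp", "udp", "icmp", ...
    has_options: bool = False  # True if the IP header carries any option
    icmp_type: str = ""        # e.g. "packet-too-big" when proto == "icmp"

def _take_addr(tok, i):
    """Consume 'any' or 'host X' at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    return tok[i] + " " + tok[i + 1], i + 2

def _addr_match(spec, addr):
    return spec == "any" or spec == "host " + addr

def parse_acl(text):
    """Return the ordered ACEs (token lists) from an 'ip access-list' block."""
    return [l.split() for l in text.splitlines()
            if l.split()[:1] in (["deny"], ["permit"])]

def evaluate(aces, pkt):
    """Return 'permit' or 'deny' for pkt; the first matching ACE wins."""
    for tok in aces:
        action, proto = tok[0], tok[1]
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        rest = tok[i:]
        if not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)):
            continue
        if "option" in rest and not pkt.has_options:
            continue                    # ACE matches only option-bearing packets
        if proto == "icmp" and (pkt.proto != "icmp" or (rest and rest[0] != pkt.icmp_type)):
            continue
        if proto not in ("ip", pkt.proto):
            continue
        return action
    return "deny"                       # implicit deny at the end of every IOS ACL

INTERNET_IN_ACES = parse_acl(INTERNET_IN)
```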