Slashdot Mirror


8 Steps To Protect Your Cisco Router

Daniel B. Cid writes "I wrote the article '8 steps to Protect your Cisco router' (PDF). This small text gives the reader eight steps (very easy to understand) showing how to minimize your Cisco router's exposure by turning off some unused services, applying some access control lists and applying some security options available on it."

31 comments

  1. What a retarded article by Anonymous Coward · · Score: 1, Funny

    This is such a retarded article. How did this make Slashdot? On a related note, check out my article, 1 step to securing Windows 2000. Block all ports.

    1. Re:What a retarded article by Anonymous Coward · · Score: 0

      Don't be stupid! It's a basic article that can help a lot!! Much better than reading 8742392 pages to find the same thing! I liked it!

    2. Re:What a retarded article by Anonymous Coward · · Score: 0

      And what did you write that was helpful to anyone?

  2. Hey by Izanagi · · Score: 0, Redundant

    Is this like "2 Steps To Protect Your Windows Computer."

    1. Turn it off.
    2. Lock the room door.

    --
    SCO (noun.)- A Slimy Corporate Ogre. Often seeks free money.

    1. Re:Hey by Anonymous Coward · · Score: 0

      You forgot fdisk

  3. Terrible by mcco7614 · · Score: 0

    This is a shameful excuse for a security document. It may be applicable to small offices with a single router, etc. but to post it here as a be all, end all Cisco security document makes me shudder.

    Step 1 to securing a Cisco device or any host for that matter is making sure you're running an OS with no blatant security vulnerabilities.

    Okay, that's enough about that.

    --
    "A clear conscience is usually the sign of a bad memory."

  4. 8 steps to protecting your router by Dancin_Santa · · Score: 0

    1) Don't rest your coffee on the router

    2) Keep the cords and wires out of heavy traffic areas

    3) Do not fold, spindle, or mutilate

    4) Keep out of reach of children

    5) Be kind, rewind

    6) Do not remove tag under penalty of law

    7) No step

    8) Lavese las manos, es la ley

  5. 8 Steps by Ogerman · · Score: 2, Funny

    1.) Shut down the router
    2.) Disconnect the power
    3.) Remove all network cables
    4.) Remove router from rack, replacing it with a cheap Linux box with some high-end network cards, a hardened kernel and a good iptables script.
    5.) Return your Cisco router to original styrofoam packaging. Lock it away somewhere safe.
    6.) Your Cisco router is now protected
    7.) ...
    8.) Profit!!

    1. Re:8 Steps by Zeio · · Score: 2, Funny
      6.) Your Cisco router is now protected

      From the terrible secret of space.
      --
      Legalize the constitution. Think for yourself question authority.

  6. Cheaper alternatives for most users by JonnyRo88 · · Score: 2, Interesting

    Damn straight. I had a Cisco PIX 506E and the thing was ridiculously overpriced for what it offered. The manuals that accompany the device were nothing more than IOS command guides (the product guide on CD was only vaguely helpful).

    I became a much happier person when I moved to a linux machine with a nice shorewall iptables script.

    There is one thing I have to say about the Cisco 506E: it had a form factor that beats the hell out of a plain PC. I would have loved to run Linux on it. It was very small/quiet/light/unobtrusive.

    A small disclaimer: I know that with tons of Cisco training you can become a master of these Cisco PIX devices. However, I will never forgive Cisco for charging for 3DES encryption "upgrades".

    A Netgear FVS318 VPN firewall has twice the features of this unit for $150, although don't expect huge throughput when using 3DES or AES for VPN tunnels; for that application a 400MHz or greater Linux firewall would probably do the trick. They also had buggy firmware in the past, but they seem to be working well with the 1.4 firmware. They have dyndns integration, 8 VPN tunnels, really awesome web-based configuration, and a nice professional-looking casing. Hooking two of these units together for a VPN is a snap.

    --
    The Ro Factor - Jeep/Linux Weblog

  7. Re:Cheaper alternatives for most users tsarkon by Anonymous Coward · · Score: 0

    You must be an idiot that works in some cheesy place. You know that, right?

    By the way, idiot, the 3DES shit is FUCKING FREE,

    and I quoth CCO:

    http://www.cisco.com/kobayashi/sw-center/ciscosecure/pix.shtml

    "*FREE* Register for PIX 56-bit IPSEC Software Feature Key
    *Free* Register for a 3DES/AES IPSec Software Feature Key "

    Does the STARS in front of and behind the FREE make something unclear?

    You gave up on the PIX config because you suck. I've gotten those things to do quite a bit more than lin-sux can do.

    Oh yeah, where is the option in Linux to set up failover and shit like that?

  8. Warning: Parent link requires login. by Anonymous Coward · · Score: 0

    Not exactly free, given possible requirements of a support contract login along with that pix.

  9. the nsa... by REBloomfield · · Score: 2, Interesting

    The NSA (or NSAC or whatever they're called) wrote a much better one, coming in at about 300 pages. Can't find the URL, but it's on their site...

    1. Re:the nsa... by Anonymous Coward · · Score: 0

      300 pages ??? To say almost the same thing ?

    2. Re:the nsa... by Zocalo · · Score: 2, Informative

      Not quite. 300 pages to totally lock down a Cisco router regardless of its specific configuration or specification, with explanations as to precisely why you want to make the changes and what might happen if you don't. There are also guides to Windows (various versions) and email security too. None for Linux yet, but I suppose that can be summarised as "Install NSA Secure Linux". ;) You can find them here, by the way - well worth a look at some point, even if you don't deal with the specific subject matter but in the same area.

      --
      UNIX? They're not even circumcised! Savages!

  10. Anti-spoofing section by Zocalo · · Score: 3, Insightful

    Pretty good primer for all the newbies out there, which is a good thing - we need to create some links and mirrors to get the thing high up on the Google rankings! One thing though; in the anti-spoofing section you might want to add the line:

    access-list 111 deny ip 169.254.0.0 0.0.255.255 any

    which is used for APIPA ("Automatic Private IP Addressing", the serverless "DHCP" thing) which a lot of people overlook. Also, while looking for that I spotted that you have the wrong subnet masks for 172.16.0.0 (it's a /12 not a /16) and 192.168.0.0 (it's a /16, not a /8), so you should have:

    access-list 111 deny ip 172.16.0.0 0.15.255.255 any
    access-list 111 deny ip 192.168.0.0 0.0.255.255 any

    Couldn't see anything else obvious to suggest, but I've only scanned it so far.

    --
    UNIX? They're not even circumcised! Savages!
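
An added worked example (mine, not from the thread or the PDF) that turns the mask correction above into code: it derives IOS wildcard masks from prefix lengths, emits the corrected anti-spoofing entries including the APIPA line, and evaluates a source address against an ACL in first-match order to show why a /16-style mask lets 172.20.x.x through. Python is assumed for the check; 172.20.1.1 and 203.0.113.5 are constructed sample addresses.

```python
import ipaddress

# Source ranges that must never arrive from the Internet side: the three
# RFC 1918 blocks plus the APIPA block the comment above adds. Prefix
# lengths are the corrected ones (172.16.0.0 is a /12, 192.168.0.0 a /16).
ANTI_SPOOF_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12",
                       "192.168.0.0/16", "169.254.0.0/16"]

def wildcard_mask(prefix_len):
    """IOS wildcard mask for a prefix length: bitwise inverse of the netmask."""
    netmask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(netmask ^ 0xFFFFFFFF))

def acl_line(acl_number, cidr):
    """Render one IOS deny entry for a network written in CIDR notation."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return (f"access-list {acl_number} deny ip "
            f"{net.network_address} {wildcard_mask(net.prefixlen)} any")

def build_anti_spoof_acl(acl_number=111):
    """Deny entries for every bogus source range, then permit the rest."""
    lines = [acl_line(acl_number, p) for p in ANTI_SPOOF_PREFIXES]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines

def acl_action(acl_lines, src_ip):
    """Check a source address the way IOS walks an ACL: top to bottom,
    first match wins, implicit deny if nothing matches."""
    src = int(ipaddress.IPv4Address(src_ip))
    for line in acl_lines:
        parts = line.split()  # access-list <n> <action> ip <src> [<wc>] any
        action, source = parts[2], parts[4]
        if source == "any":
            return action
        net = int(ipaddress.IPv4Address(source))
        wc = int(ipaddress.IPv4Address(parts[5]))
        # A wildcard bit of 1 means "don't care"; compare only where it is 0.
        if (src & ~wc) == (net & ~wc):
            return action
    return "deny"

# Constructed check: the /16-style mask the PDF used for 172.16.0.0 misses
# 172.20.1.1, which the corrected /12 entry catches.
WRONG_ACL = ["access-list 111 deny ip 172.16.0.0 0.0.255.255 any",
             "access-list 111 permit ip any any"]

if __name__ == "__main__":
    print("\n".join(build_anti_spoof_acl()))
    print(acl_action(WRONG_ACL, "172.20.1.1"), acl_action(build_anti_spoof_acl(), "172.20.1.1"))
```
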
    1. Re:Anti-spoofing section by Anonymous Coward · · Score: 0

      scan == carefully examined.

      You probably mean "I've only skimmed it so far."

      (just an FYI, good advice but that error was glaring)

  11. Only one step needed... by Anonymous Coward · · Score: 0

    ..unplug the piece of shit.

    1. Re:Only one step needed... by Anonymous Coward · · Score: 0

      and use what in its place?

    2. Re:Only one step needed... by WTFmonkey · · Score: 1

      Gnomes. Gnomes in front of a switchboard, plugging for all they're worth.

  12. Since when does the 506E support failover by JonnyRo88 · · Score: 1

    Since when does the 506E support failover?

    Also, the lack of "free" for the DES upgrades came from the lack of a support contract, something which I had no control over (I didn't control the budgeting for this unit). And if they are free now, it wasn't free when we used it.

    I did not give up on IOS, we used the Cisco firewall at that company until I left, although I did ask for another network admin's help to set it up.

    I'd also like to see what you've gotten a 506E to do that Linux can't do, I believe you are talking about more expensive gear Anonymous Coward.

    --
    The Ro Factor - Jeep/Linux Weblog

    1. Re:Since when does the 506E support failover by Anonymous Coward · · Score: 0

      PixOS supports failover. The feature set changes slightly per device. The point is, using a hacked script to come up with an unreadable hacked iptables rule set is not a viable replacement for a PIX.

      Not having minimal CCO access means you either stole or bought the Cisco equipment off of eBay. It is trivial to gain access to most of the CCO site with a minimal contract. Not having that bare minimum is just being cheap. Complaining about hardware because you are using it improperly is just ridiculous.

      IOS and PixOS and CatOS are not the same thing. Don't confuse them.

      Given that you work for places that don't have CCO, don't know the difference between IOS and PixOS, and claim that iptables is and some cheesy script vs. a documented, supported environment specifically designed for the purpose does not lend itself to deserving any explanation.

      I've yet to see anything like PDM (that actually works) for iptables, how 'bout them apples? And who do you call for support with some cheesy firewall script on Linux?

    2. Re:Since when does the 506E support failover by Anonymous Coward · · Score: 0

      I didn't know that PIX 506E runs IOS. Apparently, I have been mistaken. It also seems by implication that I have also been under influence of illusion that PIX scales better than Linux.

      Of course, now it is apparent that I was wrong about iptables as well. Because the very coherent and intuitive design requires one to make the logical assumption that '-j' means 'masquerade'. I didn't know that the word 'masquerade' contained a 'j' either. But now that I know better, what rest of the world calls 'NAT', is apparently 'masquerading'.

      Lovely.

    3. Re:Since when does the 506E support failover by Anonymous Coward · · Score: 0

      Oh, it's so inconvenient to have one software image for a whole suite of PIX devices.

      I like compiling kernels and patching a whole UNIX just to get a firewall running!

      FUN!

    4. Re:Since when does the 506E support failover by alsta · · Score: 1

      Or the lack of XFree86 and GNU/GNOME 2.4 on your new shiny GNU/Linux.

      --
      Wealth is the product of man's capacity to think. -Ayn Rand

    5. Re:Since when does the 506E support failover by JonnyRo88 · · Score: 1

      Have you used shorewall? The scripts it uses are very readable. There are also several other iptables ruleset generation programs, including one called Firestarter.

      I'd be happy to show you how to set up an iptables ruleset if you are having difficulties configuring one.

      --
      The Ro Factor - Jeep/Linux Weblog

    6. Re:Since when does the 506E support failover by Anonymous Coward · · Score: 0

      You would replace a dedicated, warranted, SLA-ed, supported, characterized quality product and form factor with a hacked box, running a hacked OS that is overkill for the task (not a real-time kernel), and notably inefficient (if you could afford gigabit ethernet interfaces this would be apparent), and a script in place of NVRAM. Smart. Real smart. Oh, and a hard disk, the most popular point of failure. You need one of those for sure on a critical network component.

      No, I don't need help with iptv4; I have learned when not to use it (it being both Linux and IPT).

    7. Re:Since when does the 506E support failover by Anonymous Coward · · Score: 0

      Nope and I never will. I defer your assistance.

      -Anonymous Coward

  13. Cisco is doomed by TerryAtWork · · Score: 1

    Just stuff a cheap p-box full of nics, load OpenBSD and you can do stuff you can't do with a Cisco box that costs 50 grand.

    --
    It's Christmas everyday with BitTorrent.