8 Steps To Protect Your Cisco Router
Daniel B. Cid writes "I wrote the article '8 steps to Protect your Cisco router' (PDF). This small text gives the reader eight steps (very easy to understand) showing how to minimize your Cisco router's exposure, by turning off some unused services, applying some access control lists and applying some security options available on it."
1.) Shut down the router ...
2.) Disconnect the power
3.) Remove all network cables
4.) Remove router from rack, replacing it with a cheap Linux box with some high-end network cards, a hardened kernel and a good iptables script.
5.) Return your Cisco router to original styrofoam packaging. Lock it away somewhere safe.
6.) Your Cisco router is now protected
7.)
8.) Profit!!
Damn straight. I had a Cisco PIX 506E and the thing was ridiculously overpriced for what it offered. The manuals that accompany the device were nothing more than IOS command guides (the product guide on CD was only vaguely helpful).
I became a much happier person when I moved to a linux machine with a nice shorewall iptables script.
There is one thing I have to say about the Cisco 506E: it had a form factor that beats the hell out of a plain PC. I would have loved to run Linux on it. It was very small/quiet/light/unobtrusive.
A small disclaimer: I know that with tons of Cisco training you can become a master of these Cisco PIX devices. However, I will never forgive Cisco for charging for 3DES encryption "upgrades".
A Netgear FVS318 VPN firewall has twice the features of this unit for $150, although don't expect huge throughput when using 3DES or AES for VPN tunnels; for that application a 400 MHz or greater Linux firewall would probably do the trick. They also had buggy firmware in the past, but they seem to be working well with the 1.4 firmware. They have DynDNS integration, 8 VPN tunnels, really awesome web-based configuration, and a nice professional-looking casing. Hooking two of these units together for a VPN is a snap.
The Ro Factor - Jeep/Linux Weblog
The NSA (or NSAC or whatever they're called) wrote a much better one, coming in at about 300 pages. Can't find the URL, but it's on their site...
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
which is used for APIPA ("Automatic Private IP Addressing", the serverless "DHCP" thing), which a lot of people overlook. Also, while looking for that I spotted that you have the wrong subnet masks for 172.16.0.0 (it's a /12, not a /16) and 192.168.0.0 (it's a /16, not a /8), so you should have:
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
Couldn't see anything else obvious to suggest, but I've only scanned it so far.
UNIX? They're not even circumcised! Savages!
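The wildcard-mask correction in the comment above is easy to get wrong by hand, so here is an added example (not from the article or from anyone in this thread) that derives the IOS wildcard mask from a prefix length, renders the deny lines, and emulates ACE matching to show what a mis-masked entry lets through or over-blocks. The prefix list, including 10.0.0.0/8, is a constructed sample.

```python
import ipaddress

# Constructed sample input: the ranges the comment corrects, plus 10.0.0.0/8,
# which belongs in the same anti-spoofing list (assumption, not from the thread).
BOGON_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def wildcard_mask(prefix_len: int) -> str:
    """IOS wildcard mask for a prefix length: the inverse of the subnet mask,
    so a 1 bit means 'don't care'. /12 -> 0.15.255.255, /16 -> 0.0.255.255."""
    dont_care_bits = (1 << (32 - prefix_len)) - 1
    return str(ipaddress.IPv4Address(dont_care_bits))


def acl_line(cidr: str, acl_no: int = 111) -> str:
    """Render one deny ACE in the form used in the thread."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"access-list {acl_no} deny ip {net.network_address} {wildcard_mask(net.prefixlen)} any"


def build_ingress_acl(prefixes=BOGON_PREFIXES) -> list:
    return [acl_line(p) for p in prefixes]


def ace_matches(addr: str, network: str, wildcard: str) -> bool:
    """Emulate IOS ACE matching: only bits that are 0 in the wildcard are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def audit_ace(network: str, wildcard: str, intended_cidr: str) -> list:
    """Addresses inside intended_cidr that the given ACE fails to match.
    Probes the first and last address of every /16 in the intended range."""
    net = ipaddress.ip_network(intended_cidr)
    leaked = []
    for sub in net.subnets(new_prefix=max(net.prefixlen, 16)):
        for probe in (sub.network_address, sub.broadcast_address):
            if not ace_matches(str(probe), network, wildcard):
                leaked.append(str(probe))
    return leaked


if __name__ == "__main__":
    for line in build_ingress_acl():
        print(line)
    # The /16 wildcard the thread flags as wrong for 172.16.0.0 misses 172.17-172.31.x.x
    print(audit_ace("172.16.0.0", "0.0.255.255", "172.16.0.0/12")[:3])
```

The inverse mistake for 192.168.0.0 (wildcard 0.255.255.255) is an over-match rather than a gap: it would also deny public space such as 192.0.2.1, which `ace_matches` shows directly.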