This section looks into some of the best practices for the router CBAC is configured with. Basic Router Security A router that's used as a firewall needs to be well secured itself. That means that nothing (services) unnecessary should be enabled. In addition, everything that can be password-protected should be password-protected. The following are some important guidelines for setting basic router security: Services Any service that is enabled on the router has the potential to pose a security threat to the router. A determined, hostile party may find ways to misuse the enabled services to access the firewall router and exploit the resources of the router and the network. Here is a general rule of thumb: do not enable any local service (such as Simple Network Managing Protocol [SNMP] or Network Time Protocol [NTP]) that is not required. Local services such as Cisco Discovery Protocol (CDP) and NTP are on by default. So if you do not need these services, turn them off. To turn off CDP, enter the no cdp run global configuration command and to turn off NTP, enter the ntp disable interface configuration command on each interface that does not use NTP. If NTP is essential, configure it only on required interfaces to listen only to certain peers. For local services that are enabled, protect against misuse by configuring the services to communicate only with specific peers, and protect the router by configuring access lists to deny packets for the services at specific interfaces. Disable minor services with no service tcp-small-servers and no service udp-small-servers global configuration commands unless otherwise needed. Directed Broadcast Directed broadcasts can be misused to multiply the power of denial-of-service attacks, because every denial-of-service packet sent is broadcast to every host on a subnet. Furthermore, some hosts have other intrinsic security risks present when handling broadcasts. Directed broadcasts are rarely required by IP networks, hence directed broadcasts should be disabled for all applicable protocols on the CBAC router and on all your other routers in the network. To disable it, use the no ip directed-broadcast global configuration command. Access Control and Password Configure access control before connecting a console port to the network in any way, including attaching a modem to the port. Be aware that a break on the console port may give complete control of the firewall to hackers, even with access control configured. In a non-AAA environment, configure login and password commands. If AAA is configured on the router, be sure to apply the authentication, authorization, and accounting for console port as well. Instead of using Telnet, try using Secure Shell (SSH) and control who can access the router. If you must use Telnet, apply access lists to limit who can use Telnet to access the router, and add password protection to all virtual terminal ports. For privileged access to the firewall, use the enable secret command rather than the enable password command. Hiding Internal Network Configure the no ip proxy-arp command to prevent the internal addresses from being revealed. This is especially important if you do not already have NAT configured to prevent internal addresses from being revealed. Anti-spoofing Configuration The CBAC router should have anti-spoofing access lists. That means you should input access lists on all, or nearly all, interfaces, set up to reject any packet that has a source address that's not expected to be on that interface. For example, if the router is an Internet firewall, it should reject all packets coming from the Internet that claim to be from the private network. Similarly, it should reject all packets coming from the private network with source addresses that aren't part of the private network, because anti-spoofing is not optional in either direction. Disable source routing. For IP, enter the no ip source-route global configuration command. Disabling source routing at all routers can help prevent spoofing. Prevent the firewall from being used as a relay by configuring access lists on any asynchronous Telnet ports. |