Summary

This chapter explores the basic configurations and practices that will help prevent the most obvious forms of attack from affecting your network. There are some very specific commands that most, if not all, administrators should employ, at least on their external routers.

No book can possibly tell you exactly how your routers should be configured. If there were, we would all be out of jobs. Every network is different and requires configurations that reflect the organization's unique goals and needs. Use this chapter as a guideline for the options available while setting up your routers. Some of the items discussed should be set on every router, no matter what the circumstances of your particular network. The configuration on other items will depend on the individual variations within networks and what you are trying to accomplish. Knowing the options that are available and how they operate can help administrators protect their networks from most intrusions.

A recurring theme is presented in this chapter that should be carefully considered while configuring routers: If a service is not needed, it should not be run. If a service is needed only on the internal network, do not run it on the external network. This is especially true of ICMP services. Restricting how ICMP messages are handled might protect not only your own network, but also some other administrator's network.

To give a concise overview of the salient configurations explored in this chapter, the following sections show sample configurations that incorporate all of the suggested settings. Remember that some of these commands might not be viable on your routers because of internally used IP addresses and special circumstances within your network. However, they will still serve as a guideline for your configurations. Review the following configurations before moving on to Chapter 3, “Overview of the Cisco Security Solution and the Cisco Secure Product Family.”

Global Commands

no enable password
!prevents the older non-secure enable password from being used

enable secret level 7 9%ad100gbellisnon
!uses a secret password that follows the rules for passwords

service password-encryption
!encrypts (type 7) the plain-text passwords stored in the configuration

no cdp run
!disables CDP globally so it does not send information (no cdp enable is the per-interface form)

access-list 7 permit 172.30.1.45
access-list 7 permit 10.1.1.53
!sets up access list 7 for use with SNMP

access-list 8 permit 172.30.1.45
access-list 8 permit 10.1.1.53
access-list 8 deny any
!sets up access list 8 for use with telnet on vty 0 through 4

snmp-server community 85tres76n RO 7
!sets the version 1 community name (use version 2 if possible)

snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server enable traps config
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps frame-relay
!sets the SNMP traps

snmp-server contact Joe Admin [[email protected]]
snmp-server location main server room router 8
!sets the contact information following the password rules
snmp-server host 172.30.1.45 85tres76n
snmp-server host 10.1.1.53 85tres76n
!sets the hosts that receive SNMP traps (access list 7 on the community limits who may poll)

snmp-server tftp-server-list 7
!sets a valid SNMP TFTP server

no ntp enable
!stops unneeded NTP services

no service finger
!stops finger service

no service pad
!old command dealing with x.25

no service udp-small-servers
no service tcp-small-servers
!stops the small server services

no ip source-route
!prevents outside entities from directing the routes a packet takes

Interface Commands

!apply to both inside and outside interfaces

no ip directed-broadcast
!stops directed broadcasts (an interface-level command)

no ip proxy-arp
!prevents answering ARP requests in proxy mode for another device (an interface-level command)

no ip redirects
!do not send ICMP redirect messages when a packet would leave on the interface it arrived on

no ip unreachables
!do not respond with ICMP unreachable messages

access-list 191 deny ip host 0.0.0.0 any
access-list 191 deny ip 10.0.0.0 0.255.255.255 any
access-list 191 deny ip 127.0.0.0 0.255.255.255 any
access-list 191 deny ip 169.254.0.0 0.0.255.255 any
access-list 191 deny ip 172.16.0.0 0.15.255.255 any
access-list 191 deny ip 192.0.2.0 0.0.0.255 any
access-list 191 deny ip 192.168.0.0 0.0.255.255 any
access-list 191 deny ip 224.0.0.0 31.255.255.255 any
access-list 191 deny ip any 255.255.255.128 0.0.0.127
access-list 191 permit ip any any
!drops packets whose source is a private, loopback, link-local, test, or multicast range (or 0.0.0.0), and packets sent to the broadcast range; the access-list lines themselves are entered in global configuration

ip access-group 191 in
!applies access list 191 to traffic arriving on the interface
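As an added illustration, not from the book, the following Python evaluates a packet against the wildcard-mask list above, using a constructed copy of access list 191 with `any` as the destination, so you can check what the masks actually match before applying the list to a live interface. It implements first-match semantics and the implicit deny at the end of every IOS access list; the function and variable names are my own.

```python
import ipaddress

# Constructed sample modelled on the chapter's access-list 191, with "any" as destination.
ACL_191 = """
access-list 191 deny ip host 0.0.0.0 any
access-list 191 deny ip 10.0.0.0 0.255.255.255 any
access-list 191 deny ip 127.0.0.0 0.255.255.255 any
access-list 191 deny ip 169.254.0.0 0.0.255.255 any
access-list 191 deny ip 172.16.0.0 0.15.255.255 any
access-list 191 deny ip 192.0.2.0 0.0.0.255 any
access-list 191 deny ip 192.168.0.0 0.0.255.255 any
access-list 191 deny ip 224.0.0.0 31.255.255.255 any
access-list 191 deny ip any 255.255.255.128 0.0.0.127
access-list 191 permit ip any any
"""

def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wildcard), tokens[2:]

def parse_acl(text):
    """Parse extended 'access-list N {permit|deny} ip SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        src, rest = _parse_addr(tok[4:])  # tok[3] is the protocol ("ip")
        dst, _ = _parse_addr(rest)
        entries.append((tok[2], src, dst))
    return entries

def _matches(spec, addr):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = "don't care"
    return addr & care == base & care

def evaluate(entries, src_ip, dst_ip):
    """First matching entry wins; an IOS access list ends with an implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for action, src_spec, dst_spec in entries:
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action
    return "deny"
```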

vty Commands

line vty 0 4
access-class 8 in
!sets access list 8 to limit Telnet access

exec-timeout 5 0
!automatically times out the Telnet connection after 5 minutes of no activity
