Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
to attack other sites, it helps identify misconfigured internal hosts and
networks. This approach may not be feasible for very complicated
networks. [Section 4.3]
East(config)# no access-list 101
East(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 101 deny udp any range 1 65535 any log
East(config)# access-list 101 deny tcp any range 1 65535 any log
East(config)# access-list 101 deny ip any any log
East(config)# interface eth 1
East(config-if)# ip access-group 101 in
East(config-if)# exit
East(config)# interface eth 0
East(config-if)# ip access-group 101 out
East(config-if)# end
11. Turn on the router's logging capability, and use it to log errors and
blocked packets to an internal (trusted) syslog host. Make sure that the
router blocks syslog traffic from untrusted networks, since syslog is
unauthenticated and an attacker could otherwise flood or forge log entries. [Section 4.5]
Central(config)# logging buffered
Central(config)# logging trap info
Central(config)# logging facility local1
Central(config)# logging 14.2.9.6
12. Block packets coming from the outside (untrusted network) that are
obviously fake or are commonly used for attacks. This protection should
be part of the overall design for traffic filtering at the router interface
attached to the external, untrusted network. [Section 4.3]
• Block packets that claim to have a source address of any internal
(trusted) network. This impedes some TCP sequence number
guessing attacks and related spoofing attacks. Incorporate this protection
into the access lists applied to interfaces connected to any
untrusted networks.
• Block incoming loopback packets (any address in the 127.0.0.0/8
loopback block). Such packets cannot legitimately arrive on an
external interface.
• If the network does not need IP multicast, then block it.
• Block broadcast packets. (Note that this may block DHCP and
BOOTP services, but these services should not be used on
external interfaces.)
• A number of remote attacks use ICMP redirects; block them. (A
superior but more difficult approach is to permit only necessary
ICMP packet types.)
The example below shows how to enforce these rules on router North.
North(config)# no access-list 107
North(config)# ! block internal addresses coming from outside
North(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any log
North(config)# ! block bogus loopback addresses
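The egress filter on East (item 10) and the anti-spoofing filter on North (item 12) both depend on IOS access-list semantics that are easy to get wrong: entries are tried in order, the first match wins, and a packet that matches nothing hits an implicit, unlogged deny. The following Python block is an added example, not code from the Router Security Configuration Guide: it parses access-list lines in the form shown above and evaluates constructed packets against them, so the rule order and the effect of the trailing `deny ip any any log` can be checked before the list is bound to an interface. The names `Packet`, `Ace`, `parse_acl` and `evaluate` are this example's own; the loopback, multicast, broadcast and final permit entries of access-list 107 are constructed here to cover the remaining bullets of item 12 (the Guide's own listing is cut off on this page), and the addresses 198.51.100.7 and 10.9.8.7 are constructed test data.

```python
"""
Simulate Cisco IOS extended-ACL evaluation (first match wins, implicit
unlogged deny at the end) against constructed packets.  Added example for
this section; not code from the Router Security Configuration Guide.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: Optional[int] = None  # source port, matched by the "range" keyword


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]
    dst: ipaddress.IPv4Network
    log: bool


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted netmasks: 0.0.255.255 -> /16,
    0.0.0.0 -> a single host, 255.255.255.255 -> any address."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} is not modelled")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config: str) -> List[Ace]:
    """Parse 'access-list N permit|deny proto src [range a b] dst [log]' lines.
    The IOS prompt, 'no access-list' lines and '!' comments are skipped."""
    aces = []
    for line in config.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith("#"):      # strip "North(config)#"
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, rest = _take_address(rest)
        sport = None
        if rest and rest[0] == "range":
            sport, rest = (int(rest[1]), int(rest[2])), rest[3:]
        dst, rest = _take_address(rest)
        aces.append(Ace(action, proto, src, sport, dst, "log" in rest))
    return aces


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, bool]:
    """Return (action, logged) for the first matching entry.  A packet that
    matches no entry hits the implicit 'deny ip any any', which IOS does
    not log; that is why the Guide ends its lists with an explicit logged deny."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.sport and (pkt.sport is None or
                          not ace.sport[0] <= pkt.sport <= ace.sport[1]):
            continue
        return ace.action, ace.log
    return "deny", False


# Egress filter from router East, exactly as listed in the Guide above.
EGRESS_101 = parse_acl("""
East(config)# no access-list 101
East(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 101 deny udp any range 1 65535 any log
East(config)# access-list 101 deny tcp any range 1 65535 any log
East(config)# access-list 101 deny ip any any log
""")

# Anti-spoofing filter for router North's external interface.  The first two
# entries are the Guide's; the loopback, multicast, broadcast and final permit
# entries are constructed here to cover the remaining bullets (assumption).
INGRESS_107 = parse_acl("""
North(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
North(config)# access-list 107 deny ip any 224.0.0.0 15.255.255.255 log
North(config)# access-list 107 deny ip any host 255.255.255.255 log
North(config)# access-list 107 permit ip any any
""")

if __name__ == "__main__":
    for pkt in (Packet("tcp", "14.2.6.10", "198.51.100.7", 40000),
                Packet("tcp", "10.9.8.7", "198.51.100.7", 40000),
                Packet("icmp", "127.0.0.1", "14.2.6.10")):
        acl = EGRESS_101 if pkt.src.startswith(("14.2.6", "10.")) else INGRESS_107
        print(pkt.src, "->", pkt.dst, evaluate(acl, pkt))
```

Two checks worth running against any real list with this model: drop the last entry of `EGRESS_101` and confirm that a non-internal source is still denied but no longer logged (the implicit deny is silent), and move the `permit ip 14.2.6.0 0.0.0.255 any` entry below the denies and confirm that legitimate internal traffic is then blocked, since the first matching entry decides. The model ignores discontiguous wildcards and the `established`, `eq` and ICMP-type keywords, which the Guide's lists on this page do not use.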