Router Security Configuration Guide UNCLASSIFIED 218 UNCLASSIFIED Version 1.0g

to attack other sites, it helps identify mis-configured internal hosts and networks.  This approach may not be feasible for very complicated networks. [Section 4.3]

East(config)# no access-list 101
East(config)# access-list 101 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 101 deny udp any range 1 65535 any log
East(config)# access-list 101 deny tcp any range 1 65535 any log
East(config)# access-list 101 deny ip any any log
East(config)# interface eth 1
East(config-if)# ip access-group 101 in
East(config-if)# exit
East(config)# interface eth 0
East(config-if)# ip access-group 101 out
East(config-if)# end

11.  Turn on the router's logging capability, and use it to log errors and blocked packets to an internal (trusted) syslog host.  Make sure that the router blocks syslog traffic from untrusted networks. [Section 4.5]

Central(config)# logging buffered
Central(config)# logging trap info
Central(config)# logging facility local1
Central(config)# logging 14.2.9.6

12.  Block packets coming from the outside (untrusted network) that are obviously fake or are commonly used for attacks.  This protection should be part of the overall design for traffic filtering at the router interface attached to the external, untrusted network. [Section 4.3]

§ Block packets that claim to have a source address of any internal (trusted) network.  This impedes some TCP sequence number guessing attacks and related attacks.  Incorporate this protection into the access lists applied to interfaces connected to any untrusted networks.
§ Block incoming loopback packets (address 127.0.0.1).  These packets cannot be real.
§ If the network does not need IP multicast, then block it.
§ Block broadcast packets.  (Note that this may block DHCP and BOOTP services, but these services should not be used on external interfaces.)
§ A number of remote attacks use ICMP redirects; block them.  (A superior but more difficult approach is to permit only necessary ICMP packet types.)

The example below shows how to enforce these rules on router North.

North(config)# no access-list 107
North(config)# ! block internal addresses coming from outside
North(config)# access-list 107 deny ip 14.2.0.0 0.0.255.255 any log
North(config)# access-list 107 deny ip 14.1.0.0 0.0.255.255 any log
North(config)# ! block bogus loopback addresses
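The following Python evaluator is an added example, not code from the guide or from Cisco IOS. It models the three properties that make the access lists in items 10 and 12 behave as described: wildcard-mask matching (a 1 bit means "do not care"), first-match evaluation, and the implicit deny at the end of every list. It runs the egress list 101 shown for router East and an ingress list written from the five rules of item 12 over constructed sample packets. The two internal-address entries of the ingress list mirror the start of list 107 for router North; the remaining entries (loopback 127/8, multicast 224/4, the limited broadcast 255.255.255.255 as destination, and ICMP type 5 for redirects) are this example's own assumptions drawn from the bullet text. Port ranges are not modelled, since `range 1 65535` in list 101 matches every port and does not change the outcome.

```python
"""Tiny evaluator for Cisco IOS style extended access lists.

Constructed example: it models first-match evaluation, wildcard masks and the
implicit deny at the end of every list, so the anti-spoofing rules above can be
checked against sample packets offline.  Port ranges are not modelled: the
"range 1 65535" in list 101 matches every port, so they do not change results.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass
class Entry:
    """One access-list line: action proto src src_wild dst dst_wild [log]."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str                         # base address or "any"
    src_wild: str = "0.0.0.0"
    dst: str = "any"
    dst_wild: str = "0.0.0.0"
    log: bool = False
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[int] = None


def _addr_ok(addr: str, base: str, wild: str) -> bool:
    return base == "any" or wildcard_match(addr, base, wild)


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, bool, Optional[int]]:
    """Return (action, logged, index of matching entry); None index = implicit deny."""
    for i, e in enumerate(acl):
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if e.icmp_type is not None and e.icmp_type != pkt.icmp_type:
            continue
        if _addr_ok(pkt.src, e.src, e.src_wild) and _addr_ok(pkt.dst, e.dst, e.dst_wild):
            return e.action, e.log, i
    return "deny", False, None   # implicit deny at the end of every IOS list


# List 101 as shown for router East (item 10): only traffic sourced from the
# internal 14.2.6.0/24 network may pass; everything else is denied and logged.
ACL_101 = [
    Entry("permit", "ip", "14.2.6.0", "0.0.0.255"),
    Entry("deny", "udp", "any", log=True),
    Entry("deny", "tcp", "any", log=True),
    Entry("deny", "ip", "any", log=True),
]

# Ingress list written from the five rules of item 12.  The two internal-address
# lines mirror the start of list 107 for router North; the remaining entries
# are assumptions (loopback 127/8, multicast 224/4, limited broadcast
# 255.255.255.255 as destination, ICMP type 5 = redirect).
ACL_INGRESS = [
    Entry("deny", "ip", "14.2.0.0", "0.0.255.255", log=True),
    Entry("deny", "ip", "14.1.0.0", "0.0.255.255", log=True),
    Entry("deny", "ip", "127.0.0.0", "0.255.255.255", log=True),
    Entry("deny", "ip", "224.0.0.0", "15.255.255.255", log=True),
    Entry("deny", "ip", "any", dst="255.255.255.255", log=True),
    Entry("deny", "icmp", "any", icmp_type=5, log=True),
    Entry("permit", "ip", "any"),
]

SAMPLE_PACKETS = [  # constructed packets, not captured traffic
    ("egress", ACL_101, Packet("tcp", "14.2.6.10", "192.0.2.5")),
    ("egress", ACL_101, Packet("udp", "10.9.9.9", "192.0.2.5")),      # spoofed source
    ("ingress", ACL_INGRESS, Packet("tcp", "14.2.9.6", "14.2.6.1")),  # internal address from outside
    ("ingress", ACL_INGRESS, Packet("tcp", "127.0.0.1", "14.2.6.1")),
    ("ingress", ACL_INGRESS, Packet("icmp", "192.0.2.5", "14.2.6.1", icmp_type=5)),
    ("ingress", ACL_INGRESS, Packet("icmp", "192.0.2.5", "14.2.6.1", icmp_type=8)),
]


def report() -> List[str]:
    """Human-readable verdict per sample packet (used by the demo below)."""
    lines = []
    for direction, acl, pkt in SAMPLE_PACKETS:
        action, logged, idx = evaluate(acl, pkt)
        where = "implicit deny" if idx is None else f"entry {idx}"
        lines.append(f"{direction:7} {pkt.proto:4} {pkt.src:>12} -> {pkt.dst:<16} "
                     f"{action}{' (log)' if logged else ''} via {where}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running the script prints one verdict per sample packet together with the entry that matched, which is the same information the `log` keyword sends to the syslog host configured in item 11. The ordering matters: the permit for 14.2.6.0/24 in list 101 must precede the deny lines, and the anti-spoofing denies in the ingress list must precede the final permit, otherwise a spoofed internal source would pass on the first match.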