UNCLASSIFIED
Appendices
Version 1.0g
North(config)# ! block loopback source addresses (127.0.0.0/8)
North(config)# access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
North(config)# ! block multicast source addresses (224.0.0.0/4)
North(config)# access-list 107 deny ip 224.0.0.0 15.255.255.255 any
North(config)# ! block the all-zeros (old-style broadcast) source address
North(config)# access-list 107 deny ip host 0.0.0.0 any log
North(config)# ! block ICMP redirects
North(config)# access-list 107 deny icmp any any redirect log
.
.
North(config)# interface eth 0/0
North(config-if)# ip access-group 107 in
13. Block incoming packets that claim to have the same source and destination address, i.e. a Land attack aimed at the router itself. Incorporate this protection into the access list used to restrict incoming traffic on each interface, using a rule like the one shown below (part of the configuration file for router East); the address in the rule is the receiving interface's own address, so each interface needs its own rule. [Section 4.3]
no access-list 102
access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log
access-list 102 permit ip any any
interface Eth 0/0
 ip address 14.2.6.250 255.255.255.0
 ip access-group 102 in
14. Prevent the router from unexpectedly forwarding packets with no clear route by using the global configuration command no ip classless. With classless routing disabled, a packet destined for an unknown subnet of a network the router already has subnets for is dropped instead of being sent to the default route; confirm that no legitimate traffic depends on that default-route behaviour before enabling it. [Section 4.2]
15. Proxy ARP lets the router answer ARP requests on behalf of hosts on other networks, so that hosts without a proper route still reach them; it can also reveal internal addresses to anyone who can send ARP requests on the segment. Disable it by applying the interface command no ip proxy-arp to each external interface. If proxy ARP is not needed, disable it on all interfaces; because it is enabled by default, only the no form appears in the configuration. [Section 4.2]
Central(config)# interface eth 0/0
Central(config-if)# no ip proxy-arp
16. Except on the rarely-seen Cisco 1000 series routers, the HTTP server is off by default. To be safe, however, include the command no ip http server in all router configurations, and confirm with show running-config | include http that no ip http server line enables it. [Section 4.2]
17. To prevent the use of the all-zeros subnet (subnet zero), which is confusing and was disallowed under classful addressing rules, include the command no ip subnet-zero in all router configurations; recent IOS releases enable ip subnet-zero by default, so the explicit no form is needed.
18. So that the complete date and time are stamped onto entries in the router's buffered log, use the global configuration command service timestamps as shown in the example below. [Section 4.5]
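As an added example that is not part of this guide, the following Python script audits a saved Cisco IOS running configuration against items 13 through 18 above: it parses the global commands, the per-interface sub-commands and the numbered access-list entries, then reports each interface that still has proxy ARP enabled or lacks an inbound access list containing the Land rule for its own address, and each missing global command. The embedded sample configuration is constructed for the demonstration; its interface names and addresses, and the function names parse_config and audit_config, are assumptions of this example, not anything taken from the guide or from IOS.

```python
"""Audit a Cisco IOS running-config against items 13-18 of this checklist.

Added example, not part of the guide. SAMPLE_CONFIG is constructed; every
interface name and address in it is an assumption for the demonstration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of 'show running-config' output: Ethernet0/0 is hardened,
# Ethernet0/1 is deliberately left with proxy ARP on and no inbound ACL.
SAMPLE_CONFIG = """\
service timestamps log datetime msec localtime show-timezone
no ip subnet-zero
no ip classless
!
no ip http server
!
access-list 102 deny ip host 14.2.6.250 host 14.2.6.250 log
access-list 102 permit ip any any
!
interface Ethernet0/0
 ip address 14.2.6.250 255.255.255.0
 ip access-group 102 in
 no ip proxy-arp
!
interface Ethernet0/1
 ip address 14.2.9.250 255.255.255.0
 ip proxy-arp
!
"""

# Global commands whose literal 'no' form the checklist asks for (items 14, 16, 17).
REQUIRED_GLOBAL = {
    "no ip classless": "item 14: 'no ip classless' missing",
    "no ip http server": "item 16: 'no ip http server' missing",
    "no ip subnet-zero": "item 17: 'no ip subnet-zero' missing",
}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]], Dict[str, List[str]]]:
    """Split an IOS config into global commands, per-interface sub-commands and
    per-ACL entries keyed by list number (only numbered 'access-list' lines)."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    acls: Dict[str, List[str]] = {}
    current = None  # interface whose indented block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None  # a bang or blank line ends an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
            continue
        current = None  # any other top-level command ends the block
        m = re.match(r"access-list (\S+) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
        else:
            global_cmds.append(line)
    return global_cmds, interfaces, acls


def audit_config(text: str) -> List[str]:
    """Return one finding per violated checklist item; an empty list means clean."""
    global_cmds, interfaces, acls = parse_config(text)
    findings: List[str] = []
    for cmd, msg in REQUIRED_GLOBAL.items():
        if cmd not in global_cmds:
            findings.append(msg)
    if not any(re.match(r"service timestamps log datetime", c) for c in global_cmds):
        findings.append("item 18: 'service timestamps log datetime ...' missing")
    for name, subcmds in interfaces.items():
        addr = acl_in = None
        for c in subcmds:
            m = re.match(r"ip address (\S+) \S+$", c)  # primary address only
            if m:
                addr = m.group(1)
            m = re.match(r"ip access-group (\S+) in$", c)
            if m:
                acl_in = m.group(1)
        if addr is None:
            continue  # no IP address configured: nothing to check here
        # IOS prints only the 'no' form; its absence means the default (enabled).
        if "no ip proxy-arp" not in subcmds:
            findings.append(f"item 15: proxy ARP enabled on {name}")
        if acl_in is None:
            findings.append(f"item 13: no inbound access-list on {name}")
            continue
        land_rule = f"deny ip host {addr} host {addr}"
        entries = acls.get(acl_in, [])
        if not any(e == land_rule or e.startswith(land_rule + " ") for e in entries):
            findings.append(f"item 13: access-list {acl_in} on {name} lacks '{land_rule}'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a real configuration with `python audit.py < running-config.txt` after replacing SAMPLE_CONFIG with the file contents; the checks are deliberately literal, so a device where `ip http server` is off by default but the explicit no form was never entered still shows as a finding, which is what item 16 asks for.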