Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Use the log keyword at the end of each deny statement in each extended access list,
as shown in the example below. This feature will provide valuable information
about what types of packets are being denied. Logs of denied packets can be useful
for detection and analysis of probes and attacks against a network. Section 4.5.1
describes IOS's logging features in more detail.
East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 102 deny ip any any log
Add the following statements at the end of each extended IP access list to deny and to
log any packets that are not permitted. These statements will guarantee that the
router will log the values for the source and destination ports for TCP and UDP
traffic.
East(config)# access-list 100 deny tcp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny udp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny ip any any log
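The log keyword is only useful if somebody reads what it produces. The following is an added example, not part of the guide, that parses the %SEC-6-IPACCESSLOG* syslog messages IOS emits for logged access-list entries and totals denied packets per source address and per destination port; the message layout is assumed from the IPACCESSLOGP/LOGDP/LOGNP message families, and the sample lines are constructed (they reuse the guide's 14.2.6.0 network but were not captured from a real router).

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Assumed message shape, after the IOS %SEC-6-IPACCESSLOGP / LOGDP / LOGNP families:
#   %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.8.7(40001) -> 14.2.6.1(23), 1 packet
# Port numbers appear only when the matching ACL entry names ports, which is why the
# closing "deny tcp/udp any range 0 65535 ... log" entries above matter.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<type>\d+)/(?P<code>\d+)\))?, "
    r"(?P<count>\d+) packets?"
)

def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line into a dict; None for lines that are not ACL log messages."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "type", "code", "count"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d

def summarize_denies(lines: Iterable[str]):
    """Sum denied packets per source address and per (protocol, destination port)."""
    by_src, by_port = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["action"] != "denied":
            continue
        by_src[e["src"]] += e["count"]
        if e["dport"] is not None:
            by_port[(e["proto"], e["dport"])] += e["count"]
    return by_src, by_port

# Constructed sample log lines (not captured from a real router).
SAMPLE_LOG = """\
Mar  1 00:10:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.8.7(40001) -> 14.2.6.1(23), 1 packet
Mar  1 00:10:02: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.8.7(40002) -> 14.2.6.1(22), 1 packet
Mar  1 00:10:03: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.9.8.7(40003) -> 14.2.6.2(161), 1 packet
Mar  1 00:15:01: %SEC-6-IPACCESSLOGP: list 100 denied tcp 10.9.8.7(40001) -> 14.2.6.1(23), 12 packets
Mar  1 00:15:02: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 10.9.8.9 -> 14.2.6.1 (8/0), 3 packets
Mar  1 00:15:03: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 14.2.6.18(1025) -> 14.2.6.250(23), 1 packet
Mar  1 00:15:04: %SEC-6-IPACCESSLOGNP: list 100 denied 47 10.9.8.8 -> 14.2.6.1, 1 packet
""".splitlines()
```

Running summarize_denies(SAMPLE_LOG) shows 10.9.8.7 sweeping Telnet, SSH and SNMP ports on several hosts, the kind of probe the guide says these logs help detect; note that IOS periodically emits "N packets" summary lines, which the packet counts above account for.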
Finally, due to limited editing capability on the Cisco router, you cannot easily
modify access lists. Thus, whenever you need to change an access list, it is best to
build it offline on a separate computer. When the access list is ready you can cut and
paste the access list via a connection to the router. Since the original access list is
still on the router, you must purge it before adding the updated access list. Below is
an example of how to clear an access list.
East(config)# no access-list 100
4.3.2. Filtering Traffic to Router Itself
Access lists are used in a variety of ways to control access to services on the router
itself. While it is possible to incorporate access controls for these services into the
access lists placed on interfaces, it is typically easier and more reliable to use the
specialized facilities that IOS makes available to apply access controls directly to the
services themselves. For more information about services on the router, and how to
disable unneeded ones, see Section 4.2.
Remote Login (Telnet) Service
There are several points of access to the router itself that should be filtered: the
vty lines, the SNMP server and the routing protocols. The vty lines are used for remote access to the router.
Typically, a router administrator telnets to one of the vty lines. The following
example shows the configuration of an extended IP access list that is applied to the
vty lines. This simple IP access list allows the hosts with IP addresses 14.2.6.1 and
14.2.6.18 to connect to the router East via Telnet. The list denies all other
connections. It also logs all successful and unsuccessful connections.