[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore justin at justinshore.com
Mon Mar 24 00:02:50 EDT 2008


! Hostname and domain name must be set before the RSA key for SSH can be generated
hostname <host>
ip domain-name <domain.tld>
crypto key generate rsa modulus 2048
!
! SSHv2 only, short negotiation timeout, limited authentication retries
ip ssh time-out 60
ip ssh version 2
ip ssh authentication-retries 3
!
service nagle
no service pad
! Tear down dead TCP sessions (e.g. abandoned VTY logins) in both directions
service tcp-keepalives-in
service tcp-keepalives-out
! Timestamps with time zone (and msec on debug) so logs can be correlated across devices
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime show-timezone
! Type 7 obfuscation of plaintext passwords in the config (reversible; use "secret" where available)
service password-encryption
service sequence-numbers
! Rate-limit ICMP unreachables with DF set (fragmentation-needed) to one per 2000 ms
ip icmp rate-limit unreachable DF 2000
!
! Disable the HTTP and HTTPS management interfaces
no ip http server
no ip http secure-server

There's a lot more to do.  You should also look into autosecure as well 
as the "Router Security Strategies" book.  Plus all the config for AAA, 
VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc.  The Cymru Secure IOS 
Template is worth looking at too.

http://www.cymru.com/Documents/secure-ios-template.html

Justin


Joseph Jackson wrote:
> After reading this message, it brought to mind the default steps I take whenever a new router is configured for our network.  Here's the list of the stuff I do, which I got from the Hardening Cisco Routers book.  What do you guys think?  Should there be anything else? I also try to run SSH on any router that can support it.
> 
> GLOBAL CONFIG
> 
> no service finger
> no service pad
> no service udp-small-servers
> no service tcp-small-servers
> service password-encryption
> service tcp-keepalives-in
> service tcp-keepalives-out
> no cdp run
> no ip bootp server
> no ip http server
> no ip finger
> no ip source-route
> no ip gratuitous-arps
> 
> END GLOBAL CONFIG
> 
> 
> Per Interface Config
> 
>  no ip redirects
>  no ip proxy-arp
>  no ip unreachables
>  no ip directed-broadcast
>  no ip mask-reply
>  ip cef
> END Per Interface Config
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Eric Cables
>> Sent: Friday, March 21, 2008 2:13 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>
>> A recent network audit has discovered that Proxy ARP is enabled on
>> pretty
>> much every L3 interface in the network.  As a Cisco default, this isn't
>> surprising, since no template configs have it disabled.
>>
>> The question is: whether or not I should go back and disable it, or
>> just
>> leave it be, since it doesn't appear to be causing any problems.
>>
>> Any feedback would be appreciated.
>>
>> --
>> Eric Cables
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
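An added example, not from any of the posts above and not Cisco's code: a small Python script that audits a saved "show running-config" dump for the hardening lines discussed in this thread (the global settings in Justin's list and the global and per-interface settings in Joseph's). The sample config, the finding strings and the required-line lists are constructed for illustration. One caveat the lists encode: IOS omits default settings from the running config, so only non-default lines (for example "no ip proxy-arp", which is shown because proxy ARP is on by default) can be checked for by presence; defaults such as "no ip directed-broadcast" or "no service udp-small-servers" on current releases are never displayed and must not be required, and the lists need tuning per platform and release.

```python
"""Audit a Cisco IOS `show running-config` dump against the hardening lines in this thread.

Added example, not part of the original posts. The sample config, the finding
strings and the required-line lists are constructed for illustration.
"""
import re

# Global lines that should appear verbatim. `show running-config` omits defaults,
# so only non-default (displayed) hardening lines belong here; e.g. on current IOS
# `no service udp-small-servers` is the default and is not shown. Tune per release.
REQUIRED_GLOBAL = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no service pad",
    "no ip source-route",
    "no ip bootp server",
    "no cdp run",
    "no ip http server",
    "no ip http secure-server",
    "ip ssh version 2",
]

# Global lines whose presence is itself a finding.
FORBIDDEN_GLOBAL = [
    re.compile(r"^ip http server$"),
    re.compile(r"^ip http secure-server$"),
    re.compile(r"^ip ssh version 1$"),
    re.compile(r"^enable password "),   # type 0/7; `enable secret` is wanted instead
]

# Expected on every interface carrying an IP address. `no ip directed-broadcast`
# has been the default since IOS 12.0 and is not displayed, so it is deliberately absent.
REQUIRED_INTERFACE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]


def parse_config(text):
    """Return (global_lines, {interface_name: [indented lines of that block]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and `!` separators
        if raw.startswith(" "):
            if current is not None:       # indented line inside an interface block
                interfaces[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None                # any other top-level line ends the block
    return global_lines, interfaces


def audit(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    global_lines, interfaces = parse_config(text)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if cmd not in global_lines:
            findings.append(f"global: missing '{cmd}'")
    for line in global_lines:
        if any(pat.match(line) for pat in FORBIDDEN_GLOBAL):
            findings.append(f"global: remove '{line}'")
    for name, lines in interfaces.items():
        if name.startswith("Loopback"):
            continue                      # no ARP, redirects or unreachables to worry about
        if not any(l.startswith("ip address ") for l in lines):
            continue                      # L2, unnumbered or `no ip address` interfaces
        for cmd in REQUIRED_INTERFACE:
            if cmd not in lines:
                findings.append(f"{name}: missing '{cmd}'")
    return findings


# Constructed sample config (not from a real device), deliberately incomplete.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
ip domain-name example.net
!
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service pad
no ip source-route
no ip bootp server
ip ssh version 2
!
enable password 7 0822455D0A16
!
ip http server
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description uplink
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
 no ip unreachables
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three missing global lines (no cdp run, no ip http server, no ip http secure-server), the two forbidden lines (ip http server and the enable password), and the two per-interface lines missing on GigabitEthernet0/1; the fully hardened uplink and the shutdown interface produce nothing. Feed it a real dump with `audit(open("running-config.txt").read())`.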

