[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

David Barak thegameiam at yahoo.com
Mon Mar 24 09:04:06 EDT 2008


Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space.  Of course, new IP space is being allocated all the time, so those filters were quickly out of date.  This might have led to some of the problems experienced by the users in 69/8.

I haven't looked lately, so hopefully that behavior has changed.

-David Barak

Justin Shore wrote: 
> hostname <host>
> ip domain-name <domain.tld>
> crypto key generate rsa modulus 2048
> !
> ip ssh time-out 60
> ip ssh version 2
> ip ssh authentication-retries 3
> !
> service nagle
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime localtime show-timezone
> service password-encryption
> service sequence-numbers
> ip icmp rate-limit unreachable DF 2000
> !
> no ip http server
> no ip http secure-server
> There's a lot more to do.  You should also look into autosecure as well 
> as the "Router Security Strategies" book.  Plus all the config for AAA, 
> VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc.  The Cymru Secure IOS 
> Template is worth looking at too.
> http://www.cymru.com/Documents/secure-ios-template.html
> Justin
> Joseph Jackson wrote:
>> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network.  Here's the list of the stuff I do, which I got from the "Hardening Cisco Routers" book.  What do you guys think?  Should there be anything else? I also try to run SSH on any router that can support it.
>> 
>> GLOBAL CONFIG
>> 
>> no service finger
>> no service pad
>> no service udp-small-servers
>> no service tcp-small-servers
>> service password-encryption
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> no cdp run
>> no ip bootp server
>> no ip http server
>> no ip finger
>> no ip source-route
>> no ip gratuitous-arps
>> 
>> END GLOBAL CONFIG
>> 
>> 
>> Per Interface Config
>> 
>>  no ip redirects
>>  no ip proxy-arp
>>  no ip unreachables
>>  no ip directed-broadcast
>>  no ip mask-reply
>>  ip cef
>> END Per Interface Config
>> 
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>> bounces at puck.nether.net] On Behalf Of Eric Cables
>>> Sent: Friday, March 21, 2008 2:13 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>>
>>> A recent network audit has discovered that Proxy ARP is enabled on
>>> pretty much every L3 interface in the network.  As a Cisco default, this
>>> isn't surprising, since no template configs have it disabled.
>>>
>>> The question is: whether or not I should go back and disable it, or
>>> just leave it be, since it doesn't appear to be causing any problems.
>>>
>>> Any feedback would be appreciated.
>>>
>>> --
>>> Eric Cables
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
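A small config audit, as an added example that is not from the thread and not from any Cisco, Cymru or book template: it reads the text of `show running-config`, splits out the interface blocks, and reports which of the checklist items above are missing. It relies on the same fact the proxy-ARP question turns on, namely that IOS records only non-default settings, so an L3 interface with no `no ip proxy-arp` line still has proxy ARP enabled (likewise `ip redirects` and `ip unreachables`); services that IOS leaves off by default never appear as `no service ...` lines, so those are flagged only if they show up enabled. `SAMPLE_CONFIG` is a constructed, hypothetical config, not any poster's router.

```python
"""Audit IOS `show running-config` text against the hardening checklist.

Added example, not from the thread. Assumption: IOS prints only
non-default settings, so for features that are ON by default (proxy ARP,
ICMP redirects, ICMP unreachables, CDP, source routing, ...) the
hardening line must be present; for features that are OFF by default
(small servers, finger) we instead flag the enabling line if present.
"""

# Global lines that should be present (all of these are non-default,
# so IOS writes them into show run when configured).
MUST_HAVE = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "service tcp-keepalives-out",
    "no ip source-route",
    "no ip gratuitous-arps",
    "no ip bootp server",
    "no ip http server",
    "no cdp run",
    "ip ssh version 2",
]

# Global lines that indicate a service the thread says to turn off.
MUST_NOT_HAVE = [
    "service finger",
    "service tcp-small-servers",
    "service udp-small-servers",
    "ip finger",
    "ip http server",
    "ip http secure-server",
]

# Per-interface lines required on every interface carrying an IP address.
# These three features are on by default, so their absence means enabled.
INTERFACE_MUST_HAVE = ["no ip redirects", "no ip proxy-arp", "no ip unreachables"]


def parse_config(text):
    """Split show-run text into (global_lines, {interface_name: [lines]})."""
    global_lines, interfaces = [], {}
    current = None  # name of the interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None  # '!' terminates a section in IOS output
            continue
        if line.startswith(" "):
            # Indented line: belongs to the open interface block, or to some
            # other section (line vty, router ...) that this audit ignores.
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of human-readable findings; empty list means clean."""
    global_lines, interfaces = parse_config(text)
    gset = set(global_lines)
    findings = []
    for cmd in MUST_HAVE:
        if cmd not in gset:
            findings.append(f"global: missing '{cmd}'")
    for cmd in MUST_NOT_HAVE:
        if cmd in gset:
            findings.append(f"global: '{cmd}' is enabled")
    for name, lines in interfaces.items():
        lset = set(lines)
        if not any(l.startswith("ip address ") for l in lset):
            continue  # no IP address: L2 or unused port, nothing to check
        for cmd in INTERFACE_MUST_HAVE:
            if cmd not in lset:
                findings.append(f"{name}: missing '{cmd}' (IOS default is on)")
    return findings


# Constructed sample config (hypothetical router, not from the thread).
SAMPLE_CONFIG = """\
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
!
hostname edge1
!
ip ssh version 2
no ip source-route
no ip gratuitous-arps
no ip bootp server
no ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip redirects
!
interface GigabitEthernet0/2
 shutdown
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show run` (`audit(open("edge1.txt").read())`) after applying a template; an empty result means every checklist line is in place, and each finding names the interface so it can be pasted back into the template discussion. Per-interface items that are off by default on current IOS (`ip directed-broadcast`, `ip mask-reply`) are deliberately not in `INTERFACE_MUST_HAVE`, since their `no` form never appears in show run and requiring it would produce false positives.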


