[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Justin Shore justin at justinshore.com
Mon Mar 24 09:20:40 EDT 2008 

Good info.  It's always risky when people add config without knowing 
what it does.  I usually tell people to compare a before and after diff 
of the config of a lab router to see what exactly autosecure did.  Then 
I point them to the online docs to figure out what the the reason was 
behind each of the changes.  It's a good way for folks to learn.  It 
doesn't get much easier than "go research this command to learn what it 
does".  Then they can decide what will or will not work on their 
network.  Everyone should have a lab, even if work won't provide one.

Justin

David Barak wrote:
> Watch out for autosecure: last time I looked, it filtered traffic from a static list of unallocated IP space.  Of course, new IP space is always being allocated all the time, so those filters were quickly out of date.  This might have led to some of the problems experienced by the users in 69/8.
> 
> I haven't looked lately, so hopefully that behavior has changed.
> 
> -David Barak
> 
> Justin Shore wrote: 
>> hostname <host>
>> ip domain-name <domain.tld>
>> crypto key generate rsa modulus 2048
>> !
>> ip ssh time-out 60
>> ip ssh version 2
>> ip ssh authentication-retries 3
>> !
>> service nagle
>> no service pad
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> service timestamps debug datetime msec localtime show-timezone
>> service timestamps log datetime localtime show-timezone
>> service password-encryption
>> service sequence-numbers
>> ip icmp rate-limit unreachable DF 2000
>> !
>> no ip http server
>> no ip http secure-server
>> There's a lot more to do.  You should also look into autosecure as well 
>> as the "Router Security Strategies" book.  Plus all the config for AAA, 
>> VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc.  The Cymru Secure IOS 
>> Template is worth looking at too.
>> http://www.cymru.com/Documents/secure-ios-template.html
>> Justin
>> Joseph Jackson wrote:
>>> After reading this message it brought to mind the default steps I take whenever a new router is configured for our network.  Here's the list of the stuff I do which I got from the hardening cisco routers book.  What do you guys think?  Should there be anything else? I also try to run ssh on any router that can support it.
>>>
>>> GLOBAL CONFIG
>>>
>>> no service finger
>>> no service pad
>>> no service udp-small-servers
>>> no service tcp-small-servers
>>> service password-encryption
>>> service tcp-keepalives-in
>>> service tcp-keepalives-out
>>> no cdp run
>>> no ip bootp server
>>> no ip http server
>>> no ip finger
>>> no ip source-route
>>> no ip gratuitous-arps
>>>
>>> END GLOBAL CONFIG
>>>
>>>
>>> Per Interface Config
>>>
>>>  no ip redirects
>>>  no ip proxy-arp
>>>  no ip unreachables
>>>  no ip directed-broadcast
>>>  no ip mask-reply
>>>  ip cef
>>> END Per Interface Config
>>>
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>>> bounces at puck.nether.net] On Behalf Of Eric Cables
>>>> Sent: Friday, March 21, 2008 2:13 PM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>>>
>>>> A recent network audit has discovered that Proxy ARP is enabled on
>>>> pretty
>>>> much every L3 interface in the network.  As a Cisco default, this isn't
>>>> surprising, since no template configs have it disabled.
>>>>
>>>> The question is: whether or not I should go back and disable it, or
>>>> just
>>>> leave it be, since it doesn't appear to be causing any problems.
>>>>
>>>> Any feedback would be appreciated.
>>>>
>>>> --
>>>> Eric Cables
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>> _______________________________________________
>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
> 
>       ____________________________________________________________________________________
> Never miss a thing.  Make Yahoo your home page. 
> http://www.yahoo.com/r/hs
> 
>

More information about the cisco-nsp mailing list