[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)

Fred Reimer freimer at ctiusa.com
Mon Mar 24 10:13:47 EDT 2008


Exactly, autosecure is just a macro.  It is always advisable to check the
actual router configuration after it is completed.  The engineer should make
sure they understand how all of the commands are implemented, and if they don't,
research them and make sure they know of any caveats.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Monday, March 24, 2008 9:21 AM
To: David Barak
Cc: jjackson at aninetworks.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Router security defaults (WAS RE: Proxy ARP -- To
disable, or not to disable..)

Good info.  It's always risky when people add config without knowing 
what it does.  I usually tell people to compare a before and after diff 
of the config of a lab router to see what exactly autosecure did.  Then 
I point them to the online docs to figure out what the reason was 
behind each of the changes.  It's a good way for folks to learn.  It 
doesn't get much easier than "go research this command to learn what it 
does".  Then they can decide what will or will not work on their 
network.  Everyone should have a lab, even if work won't provide one.

Justin
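The before/after lab diff Justin describes, as an added example that is not from the thread: a small Python script that flattens two saved `show running-config` captures into section-qualified commands, drops lines IOS rewrites on its own (`ntp clock-period`, the `!` separators, the "Building configuration" banner), and reports what was added and removed. The two captures are constructed for illustration, not real autosecure output.

```python
import re
from typing import Dict, List, Set

# Lines IOS rewrites on every "show run" that are not real configuration changes.
NOISE = re.compile(r"^(!|Building configuration|Current configuration|ntp clock-period)")

# Constructed lab captures: BEFORE is the baseline, AFTER the same router after
# a hardening step. Illustrative only, not real autosecure output.
BEFORE = """hostname lab-rtr
ip http server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
ntp clock-period 17180001
end"""

AFTER = """hostname lab-rtr
no service pad
service tcp-keepalives-in
no ip http server
no ip source-route
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
!
ntp clock-period 17180002
end"""

def parse_ios_config(text: str) -> Set[str]:
    """Flatten a config into 'section > command' keys, so a command under
    'interface X' is told apart from the same command in another section."""
    keys: Set[str] = set()
    section = ""
    for line in text.splitlines():
        cmd = line.strip()
        if not line.startswith(" "):   # unindented line opens a new section
            section = cmd
        if not cmd or NOISE.match(cmd):
            continue
        keys.add(cmd if section == cmd else f"{section} > {cmd}")
    return keys

def diff_configs(before: str, after: str) -> Dict[str, List[str]]:
    """Commands present only in AFTER ('added') and only in BEFORE ('removed')."""
    b, a = parse_ios_config(before), parse_ios_config(after)
    return {"added": sorted(a - b), "removed": sorted(b - a)}
```

Each reported line is then something to look up in the command reference, which is exactly the research step the post recommends.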

David Barak wrote:
> Watch out for autosecure: last time I looked, it filtered traffic from a
> static list of unallocated IP space.  Of course, new IP space is always
> being allocated all the time, so those filters were quickly out of date.
> This might have led to some of the problems experienced by the users in
> 69/8.
> 
> I haven't looked lately, so hopefully that behavior has changed.
> 
> -David Barak
> 
> Justin Shore wrote: 
>> hostname <host>
>> ip domain-name <domain.tld>
>> crypto key generate rsa modulus 2048
>> !
>> ip ssh time-out 60
>> ip ssh version 2
>> ip ssh authentication-retries 3
>> !
>> service nagle
>> no service pad
>> service tcp-keepalives-in
>> service tcp-keepalives-out
>> service timestamps debug datetime msec localtime show-timezone
>> service timestamps log datetime localtime show-timezone
>> service password-encryption
>> service sequence-numbers
>> ip icmp rate-limit unreachable DF 2000
>> !
>> no ip http server
>> no ip http secure-server
>> There's a lot more to do.  You should also look into autosecure as well 
>> as the "Router Security Strategies" book.  Plus all the config for AAA, 
>> VTY, SNMP, NTP, logging, Lock & Key, CoPP, etc.  The Cymru Secure IOS 
>> Template is worth looking at too.
>> http://www.cymru.com/Documents/secure-ios-template.html
>> Justin
>> Joseph Jackson wrote:
>>> After reading this message it brought to mind the default steps I take
>>> whenever a new router is configured for our network.  Here's the list of the
>>> stuff I do which I got from the hardening cisco routers book.  What do you
>>> guys think?  Should there be anything else? I also try to run ssh on any
>>> router that can support it.
>>>
>>> GLOBAL CONFIG
>>>
>>> no service finger
>>> no service pad
>>> no service udp-small-servers
>>> no service tcp-small-servers
>>> service password-encryption
>>> service tcp-keepalives-in
>>> service tcp-keepalives-out
>>> no cdp run
>>> no ip bootp server
>>> no ip http server
>>> no ip finger
>>> no ip source-route
>>> no ip gratuitous-arps
>>>
>>> END GLOBAL CONFIG
>>>
>>>
>>> Per Interface Config
>>>
>>>  no ip redirects
>>>  no ip proxy-arp
>>>  no ip unreachables
>>>  no ip directed-broadcast
>>>  no ip mask-reply
>>>  ip cef
>>> END Per Interface Config
>>>
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>>>> bounces at puck.nether.net] On Behalf Of Eric Cables
>>>> Sent: Friday, March 21, 2008 2:13 PM
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: [c-nsp] Proxy ARP -- To disable, or not to disable..
>>>>
>>>> A recent network audit has discovered that Proxy ARP is enabled on
>>>> pretty much every L3 interface in the network.  As a Cisco default, this isn't
>>>> surprising, since no template configs have it disabled.
>>>>
>>>> The question is: whether or not I should go back and disable it, or
>>>> just leave it be, since it doesn't appear to be causing any problems.
>>>>
>>>> Any feedback would be appreciated.
>>>>
>>>> --
>>>> Eric Cables
>>>> _______________________________________________
>>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/