
 Toma
join:2007-07-19 Hanover Park, IL
[Config] Quick check of my security settings?
I'm going to use a 2621XM at home with sbc dsl...my IOS supports CBAC, so I set that up. I'm unsure if I still need to setup any access lists, or does CBAC have that covered? Would I add an acl so people can't spoof my internal address?
Also, the FAQ for CBAC has you putting it outbound on the WAN port, doing searches here, some specify putting it on the lan port? Which way should I do this? Thanks! Jason
I've pasted my config below, any advice would be very helpful.
!
version 12.3
no parser cache
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname ************
!
boot-start-marker
boot-end-marker
!
enable secret 5 ***********************
!
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
no ip source-route
!
ip cef
no ip bootp server
ip inspect audit-trail
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND tftp
ip inspect name OUTBOUND udp
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
no aaa new-model
no ftp-server write-enable
!
interface FastEthernet0/0
 description DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description My LAN Interface
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Dialer1
 description DSL Interface
 ip address negotiated
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect OUTBOUND out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *********************************
 ppp chap password 7 *******************************
 ppp pap sent-username ********************* password 7 **********************
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner motd CC
*** ***
!
line con 0
 exec-timeout 120 0
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 *******************
 login local
 length 0
 transport input none
!
scheduler max-task-time 5000
!
end

System flash directory:
File  Length    Name/status
  1   27469200  c2600-adventerprisek9-mz.123-8.T10.bin
[27469264 bytes used, 5560876 available, 33030140 total]
32768K bytes of processor board System flash (Read/Write)

 Euphrates
join:2007-04-30 Bellingham, WA
It seems to be a matter of preference. I know if you run Cisco's SDM on a router and you don't have the inspection outbound on the Outside interface, it tells you you don't have a firewall configured.
I inspect inbound on the inside interface. It's something I've read on these forums actually. If you are going to manipulate traffic, you want to do so as close to the source of the traffic as possible. With that said you would inspect inbound on the inside interface.
Also, you do want to have an access-list on the outside interface denying all inbound traffic (again, manipulating the data at the source interface). I don't remember off the top of my head if you have to allow anything in the access-list first for PPPoE/DHCP client to work correctly but if so, make sure you have that configured as well.
When I configure an access-list inbound on the outside interface, I go by the "allow what's needed and deny everything else" rule of thumb. The fact is, you are probably only going to be required to allow a few things into the router and a "deny ip any any" statement should take care of everything else. I'm not sure if others would agree with me on this type of configuration. Again, my take on it is that if you put a whole bunch of deny statements on your inbound access-list then the router has to parse through each and every rule before it finally matches a rule that's just going to deny that traffic anyway. This can cause performance issues. Everyone will have their preference, you will find out over time which one works for you.
For general security settings, there are a lot of things you can do but may be limited to the IOS version on this router.
Here is a Cisco document on the subject of securing your router:
»www.cisco.com/en/US/tech/tk648/t···48.shtml
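The approach Euphrates describes, written against the interface names in the posted config, as an added example that is neither poster's own configuration: CBAC inspection moved inbound on FastEthernet0/1, and a default-deny inbound ACL on Dialer1 that also drops packets arriving from the Internet with the LAN's own source range (the anti-spoofing question above). The ACL name WAN-IN is assumed, as is that the PPPoE address negotiation needs no IP permit entry, since IPCP runs inside PPP before any IP packet is filtered.

```cisco
! Added example, not taken from the thread. CBAC keeps the same OUTBOUND
! inspection list already in the posted config; only where it is applied
! changes, and an inbound ACL is added on the outside interface.
!
! Inbound ACL for Dialer1. CBAC inserts temporary entries ahead of these
! for the return traffic of inspected sessions, so only what must be
! accepted unsolicited is listed, everything else is denied and logged.
ip access-list extended WAN-IN
 remark anti-spoof: our own LAN range can never legitimately arrive here
 deny   ip 192.168.0.0 0.0.0.255 any log
 remark other private and loopback source ranges are never valid on the WAN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 remark ICMP needed for path-MTU discovery and for our own traceroutes
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark "allow what's needed, deny everything else"
 deny   ip any any log
!
interface FastEthernet0/1
 description My LAN Interface
 ! inspect as close to the source as possible: LAN traffic entering here
 ip inspect OUTBOUND in
!
interface Dialer1
 description DSL Interface
 ! the inspection no longer sits on the outside interface
 no ip inspect OUTBOUND out
 ip access-group WAN-IN in
```

One caveat with inspecting on the inside interface: traffic the router itself originates (its own DNS or NTP lookups, if any are configured) never enters FastEthernet0/1, so it is not inspected and its replies would need explicit permit entries in WAN-IN, or the inspection left outbound on Dialer1, if the router needs them.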