564 Chapter 15: Network Security Technologies
Figure 15-7 Perimeter Router Filtering
Here are some more guidelines for configuring your packet-filter router:
· When setting passwords for privileged access to the router, use the enable secret command rather than the enable password command, which does not have as strong an encryption algorithm. Beware: Even enable secret can be compromised in a short amount of time with the high-speed CPUs now in existence.
· Put an alphanumeric password on the console port. Configure the login command with a username.
· Think about access control before you connect a console port to the network in any way, including attaching a modem to either the auxiliary or console port. Be aware that a BREAK on the console port might give total control of the packet-filter router, even with access control configured.
· Apply access lists and password protection to all virtual terminal ports. Use access lists to limit who can Telnet into your router. Do not use the privilege-level commands. Don't enable any local service (such as SNMP or NTP) that you don't use. Cisco Discovery Protocol (CDP) and Network Time Protocol (NTP) are on by default. You should turn them off if you don't need them.
To turn off CDP, enter the no cdp run global configuration command. To turn off NTP, enter the ntp disable interface configuration command on each interface not using NTP. If you must run NTP, configure NTP only on required interfaces, and configure NTP to listen only to certain peers.
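The guidelines above are easy to state and easy to drift from, so a practitioner usually wants a way to check a saved configuration against them. The following script is an added example, not code from the book or from Cisco: it parses an IOS-style configuration into top-level commands and their indented children, then reports any guideline the text names that the configuration does not satisfy (no enable secret, console or vty lines without login or access-class, CDP left on, interfaces without ntp disable when NTP is unused, an SNMP community left configured, finger not disabled). The two configurations are constructed samples; the password hash and addresses are placeholders, and the ntp access-group check reflects the "listen only to certain peers" advice using a real IOS command the page itself does not show.

```python
"""Audit an IOS-style config against the perimeter-router guidelines in the text.

Added example, not from the book. Both sample configs are constructed; the
checks look only for the commands the text names, so an empty finding list is
not a complete security review of the device.
"""
from typing import Dict, List

# Constructed sample: several guidelines violated.
WEAK_CONFIG = """\
hostname perimeter
enable password cisco123
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
snmp-server community public RO
!
line con 0
line vty 0 4
 password telnet123
 login
"""

# Constructed sample: the same router with the guidelines applied
# (hash and addresses are placeholders, not real values).
HARDENED_CONFIG = """\
hostname perimeter
service password-encryption
enable secret 5 $1$PLACEHOLDER$examplehashvalue
username admin secret PLACEHOLDER
no cdp run
no service finger
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
interface Serial0
 ip address 198.51.100.2 255.255.255.252
 ntp disable
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ntp disable
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class 10 in
 exec-timeout 5 0
 login local
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group an IOS config into {top-level command: [indented child commands]}.

    Comment lines ('!') and blank lines are skipped; a top-level command with no
    children maps to an empty list.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_ios_config(config: str) -> List[str]:
    """Return one finding per unmet guideline; an empty list means all checks passed."""
    sections = parse_sections(config)
    top = set(sections)
    findings: List[str] = []

    # Privileged access: enable secret (hashed) rather than enable password.
    if not any(t.startswith("enable secret") for t in top):
        findings.append("no enable secret configured (enable password alone is weak)")

    # Console: login with a password or username. vty: login plus an access-class.
    for header, children in sections.items():
        if header.startswith("line con"):
            if not any(c.startswith("login") for c in children):
                findings.append(f"{header}: no login configured")
            if not any(c.startswith("password") for c in children) and "login local" not in children:
                findings.append(f"{header}: no password or username-based login")
        elif header.startswith("line vty"):
            if not any(c.startswith("login") for c in children):
                findings.append(f"{header}: no login configured")
            if not any(c.startswith("access-class") for c in children):
                findings.append(f"{header}: no access-class limiting Telnet sources")

    # CDP is on by default; the text recommends 'no cdp run' when it is not needed.
    if "no cdp run" not in top:
        findings.append("CDP enabled (default): add 'no cdp run' if not needed")

    # NTP: if used, restrict peers (ntp access-group); otherwise 'ntp disable' per interface.
    ntp_used = any(t.startswith(("ntp server", "ntp peer")) for t in top)
    if ntp_used:
        if not any(t.startswith("ntp access-group") for t in top):
            findings.append("NTP configured without an ntp access-group limiting peers")
    else:
        for header, children in sections.items():
            if header.startswith("interface") and "ntp disable" not in children:
                findings.append(f"{header}: NTP not disabled on an interface that does not use NTP")

    # Local services the text and figure call out: SNMP if unused, finger.
    if any(t.startswith("snmp-server community") for t in top):
        findings.append("SNMP community configured: remove if SNMP is not used")
    if "no service finger" not in top and "no ip finger" not in top:
        findings.append("finger service not explicitly disabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_ios_config(cfg))} finding(s)")
        for line in audit_ios_config(cfg):
            print("  -", line)
```

Run it on a saved `show running-config` and the weak sample produces nine findings, one per unmet guideline, while the hardened sample produces none. The checks are string matches on the commands the text names, so they catch omissions, not a misconfigured access list or a weak password value.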
[Figure 15-7, Perimeter Router Filtering: the Internet connects to a perimeter router labeled "Deny vty sessions", "Deny TFTP sessions", "Deny RFC 1918 addresses", and "Deny finger service"; the perimeter router fronts a WWW server and an SMTP server; behind them sits a choke router labeled "Disable CDP to Internet" and "Limit Telnet, TFTP from the Internet".]
87200333.book Page 564 Wednesday, August 22, 2001 1:41 PM