8 Steps To Protect Your Cisco Router - Slashdot

Please create an account to participate in the Slashdot moderation system

×

8 Steps To Protect Your Cisco Router 31

Posted by timothy on Wednesday November 05, 2003 @12:27AM from the tightening-up dept.

Daniel B. Cid writes "I wrote the article '8 steps to Protect your Cisco router' (PDF). This small text gives to the reader eight steps (very easy to understand) showing how minimize your Cisco router exposure, by turning off some unused services, applying some access control lists and applying some security options available on that."

This discussion has been archived. No new comments can be posted.

8 Steps To Protect Your Cisco Router

Load All Comments

Search 31 Comments Log In/Create an Account

Comments Filter:

What a retarded article (Score:1, Funny)

by Anonymous Coward writes:

This is such a retarded article. How did this make Slashdot? On a related note, check out my article, 1 step to securing Windows 2000. Block all ports.
8 Steps (Score:3, Funny)

by Ogerman ( 136333 ) writes: on Wednesday November 05, 2003 @01:39AM (#7393793)

1.) Shut down the router
2.) Disconnect the power
3.) Remove all network cables
4.) Remove router from rack, replacing it with a cheap Linux box with some high-end network cards, a hardened kernel and a good iptables script.
5.) Return your Cisco router to original styrofoam packaging. Lock it away somewhere safe.
6.) Your Cisco router is now protected
7.) ...
8.) Profit!!

Share
twitter facebook
- Re:8 Steps (Score:2, Funny)
  
  by Zeio ( 325157 ) writes:
  
  6.) Your Cisco router is now protected
  
  From the terrible secret of space.
- Cheaper alternatives for most users (Score:2, Interesting)
  
  by JonnyRo88 ( 639703 ) writes:
  
  Damn straight. I had a Cisco PIX 506E and the thing was rediculously overpriced for what it offered. The manuals that accompany the device were nothing more than IOS command guides (the product guide on CD only vaguely helpful).
  
  I became a much happier person when I moved to a linux machine with a nice shorewall iptables script.
  
  There is one thing I have to say about the cisco 506E, it had a form factor that beats the hell out of a plain pc. I would have loved to run linux on it. It was very small/qu
  - - Since when does the 506E support failover (Score:1)
      
      by JonnyRo88 ( 639703 ) writes:
      
      Since when does the 506E support failover?
      
      Also, the lack of "free" for the DES upgrades came from the lack of a support contract, something which i had no control over (i didnt control the budgeting for this unit). And if they are free now, it wasnt free when we used it.
      
      I did not give up on IOS, we used the cisco firwewall at that company until I left, although I did ask for another network admin's help to set it up.
      
      I'd also like to see what you've gotten a 506E to do that linux cant do, i believe
      - Re:Since when does the 506E support failover (Score:1)
        
        by JonnyRo88 ( 639703 ) writes:
        
        Have you used shorewall? The scripts it uses are very readable. There are also several other iptables ruleset generation programs, including one called Firestarter.
        
        I'd be happy to show you how to set up an iptables ruleset if you are having difficulties configuring one.
      - Re:Since when does the 506E support failover (Score:2)
        
        by alsta ( 9424 ) writes:
        
        Or the lack of XFree86 and GNU/GNOME 2.4 on your new shiny GNU/Linux.
the nsa... (Score:3, Interesting)

by REBloomfield ( 550182 ) writes: on Wednesday November 05, 2003 @05:43AM (#7394543)

the nsa(or nsac or whatever they're called) wrote a much better one, coming in at about 300 pages. can't find the url, but it's on their site...

Share
twitter facebook
- - Re:the nsa... (Score:3, Informative)
    
    by Zocalo ( 252965 ) writes:
    
    Not quite. 300 pages to totally lock down a Cisco router regardless of its specific configuration or specification with explainations as to precisely why you want to make the changes and what might happen if you don't. There are also guides to Windows (various versions) and email security too. None for Linux yet, but I suppose that can be summarised as "Install NSA Secure Linux". ;) You can find them here [conxion.com], by the way - well worth a look at some point, even if you don't deal with the specific subject ma
Anti-spoofing section (Score:4, Insightful)

by Zocalo ( 252965 ) writes: on Wednesday November 05, 2003 @06:26AM (#7394669) Homepage

Pretty good primer for all the newbies out there, which is a good thing - we need to create some links and mirrors to get the thing high up on the Google rankings! One thing thing though; in the anti-spoofing section you might want to add the line:
access-list 111 deny ip 169.254.0.0 0.0.255.255 any
which is used for APIPA ("Automatic Private IP Addressing", the serverless "DHCP" thing) which a lot of people overlook. Also, while looking for that I spotted that you have the wrong subnet masks for 172.16.0.0 (it's a /12 not a /16) and 192.168.0.0 (it's a /16, not a /8), so you should have:
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
Couldn't see anything else obvious to suggest, but I've only scanned it so far.

Share
twitter facebook
- - Re:Only one step needed... (Score:2)
    
    by WTFmonkey ( 652603 ) writes:
    
    Gnomes. Gnomes in front of a switchboard, plugging for all they're worth.
Cisco is doomed (Score:2)

by TerryAtWork ( 598364 ) writes:

Just stuff a cheap p-box full of nics, load OpenBSD and you can do stuff you can't do with a Cisco box that costs 50 grand.

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

321 commentsShould a Variable's Type Come After Its Name?
293 commentsAre Scrums a Cancer?
258 commentsC++ Creator Rebuts White House Warning
228 commentsWhite House Urges Devs To Switch To Memory-Safe Programming Languages
226 comments34% of AP CS Students Couldn't Solve This Java-Based 2D Array Question

Saliva causes cancer, but only if swallowed in small amounts over a long period of time. -- George Carlin