lat47 (Premium, join: 2004-07-31, Redmond, WA): Cisco 831 hardened config example?
I'm in the middle of configuring my Cisco 831 router. So far so good. Now it's time to do security. Does anyone have a good example of a hardened config they would be willing to post? One with NAT would be especially helpful. Thanks, Kent
aryoba (Premium, MVM, join: 2002-08-22)
NAT? For what purpose?
You can check out this Cisco link to configure CBAC (firewall feature on routers).
www.cisco.com/en/US/products/sw/···606.html
But what do you need the NAT for?
ryn0tech77 (@madisontelco.com), reply to lat47, Re: Cisco 831 hardened config example?
You can config CBAC, fine tune the inbound ACL on your internet port, disable a bunch of services you don't need/use. Then there are passwords and securing telnet/ssh and even some other things. I will post more details later.
ryn0tech77 (@madisontelco.com)
NAT/PAT is easy to config too, will post examples for your router later, work is calling lol.
mbruno (join: 2003-07-03, Fruitland, MD, Comcast), reply to aryoba, Re: NAT? For what purpose?
> said by aryoba: You can check out this Cisco link to configure CBAC (firewall feature on routers).
> www.cisco.com/en/US/products/sw/···606.html
> But what do you need the NAT for?
Is the URL down? I am getting a "Cannot find this page" message.
lat47 (Premium, join: 2004-07-31, Redmond, WA), reply to lat47, Re: Cisco 831 hardened config example?
After a good night's sleep, I made great progress today. Maybe I'm doing this backwards. Maybe it makes more sense to post my config and get comments. I am new at this but have done a lot of reading. Not sure if I'm doing things the right way or if I'm just missing some obvious stuff. I'm concerned about security. My old server was hacked into (thus the new router).
My setup:
* Cisco 831 router running 12.3.8 (T3)
* DSL line coming in to router (static IP 218.16.252.187) to Ethernet1 interface.
* Behind router I have about 8 computers on a local area network. Using 10.0.0.0/16 for the local net.
* Running a server with web, 2 FTP sites, and mail. All these need to be visible from the Internet.
I'm using NAT since I have only a single static IP. I've got the CBAC running (thanks for the pointer Aryoba!)
Comments, suggestions, and questions appreciated.
Thanks, Kent
!
! Last configuration change at 17:31:07 PDT Wed Aug 25 2004 by fred
! NVRAM config last updated at 17:31:45 PDT Wed Aug 25 2004 by fred
!
version 12.3
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging rate-limit all 30
no logging console
no logging monitor
enable secret 5 ***************************
!
username fred password 7 *********************
clock timezone PST -8
clock summer-time PDT recurring
no aaa new-model
ip subnet-zero
no ip source-route
!
no ip bootp server
ip inspect max-incomplete low 175
ip inspect max-incomplete high 250
ip inspect name myFirewall cuseeme timeout 3600
ip inspect name myFirewall ftp timeout 3600
ip inspect name myFirewall http java-list 51 timeout 3600
ip inspect name myFirewall h323 timeout 30
ip inspect name myFirewall realaudio timeout 30
ip inspect name myFirewall tftp timeout 30
ip inspect name myFirewall rcmd timeout 3600
ip inspect name myFirewall smtp timeout 3600
ip inspect name myFirewall vdolive timeout 30
ip inspect name myFirewall streamworks timeout 30
ip inspect name myFirewall rpc program-number 100000
ip inspect name myFirewall udp timeout 15
ip inspect name myFirewall tcp timeout 3600
ip ips po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description Internal network
 ip address 10.0.0.1 255.255.0.0
 ip access-group InnerDoor in
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no cdp enable
!
interface Ethernet1
 description External interface to DSL modem
 ip address 218.16.252.187 255.255.255.0
 ip access-group MainGate in
 ip access-group MainGateOut out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myFirewall out
 ip virtual-reassembly
 duplex auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 218.16.252.1
no ip http server
no ip http secure-server
ip nat service list FTPServer ftp tcp port 221
ip nat service list FTPServer ftp tcp port 21
ip nat inside source list NATAddresses interface Ethernet1 overload
ip nat inside source static tcp 10.0.0.2 21 218.16.252.187 21 extendable
ip nat inside source static tcp 10.0.0.2 25 218.16.252.187 25 extendable
ip nat inside source static tcp 10.0.0.2 80 218.16.252.187 80 extendable
ip nat inside source static tcp 10.0.0.2 221 218.16.252.187 221 extendable
!
ip access-list standard FTPServer
 permit 10.0.0.2
ip access-list standard NATAddresses
 permit 10.0.0.0 0.0.255.255
ip access-list standard VTYPermit
 permit 10.0.0.0 0.0.255.255
!
ip access-list extended InnerDoor
 deny icmp any any redirect
 permit ip any any
ip access-list extended MainGate
 deny ip 10.0.0.0 0.0.255.255 any log-input
 deny ip host 255.255.255.255 any
 deny ip any 10.0.0.0 0.0.255.255 log-input
 permit icmp any host 218.16.252.187 time-exceeded
 permit icmp any host 218.16.252.187 packet-too-big
 permit icmp any host 218.16.252.187 unreachable
 permit icmp any host 218.16.252.187 traceroute
 permit icmp any host 218.16.252.187 echo-reply
 permit icmp any host 218.16.252.187 echo log-input
 deny icmp any any redirect
 deny icmp any any timestamp-request
 deny icmp any any information-request
 permit tcp any host 218.16.252.187 eq ftp-data
 permit tcp any host 218.16.252.187 eq ftp
 permit tcp any host 218.16.252.187 eq 220
 permit tcp any host 218.16.252.187 eq 221
 permit tcp any host 218.16.252.187 eq smtp
 permit tcp any host 218.16.252.187 eq www
 permit udp host 131.107.1.10 host 218.16.252.187 eq ntp
 permit udp host 140.142.16.34 host 218.16.252.187 eq ntp
 remark 445 is Sasser
 deny tcp any any eq 445 log-input
 remark 135 is MSBlaster
 deny tcp any any eq 135 log-input
 remark 1433 is MS-SQL Hello Buffer overflow
 deny tcp any any eq 1433 log-input
 deny ip any any log-input
ip access-list extended MainGateOut
 permit ip host 218.16.252.187 any
 deny ip any any log-input
logging facility local6
logging source-interface Ethernet0
logging 10.0.0.2
access-list 51 permit any
no cdp run
!
control-plane
!
banner exec " Remember!!! This system is solely for the use of authorized users for official purposes. "
banner login " WARNING!!! This system is solely for the use of authorized users for official purposes. "
privilege exec level 15 connect
privilege exec level 15 telnet
privilege exec level 15 show ip access-lists
privilege exec level 15 show ip
privilege exec level 15 show access-lists
privilege exec level 15 show logging
privilege exec level 15 show
!
line con 0
 login local
 no modem enable
 transport preferred telnet
 transport output telnet
line aux 0
 exec-timeout 0 1
 login local
 no exec
 transport preferred none
 transport output none
line vty 0 4
 access-class VTYPermit in
 exec-timeout 5 0
 login local
 transport preferred telnet
 transport input telnet
 transport output telnet
!
scheduler max-task-time 5000
sntp server 131.107.1.10
sntp server 140.142.16.34
end
Ixne (join: 2004-03-23, Dearborn, MI)
Just a couple of notes (keep in mind I'm no expert):
> ip access-list extended MainGate
>  deny ip 10.0.0.0 0.0.255.255 any log-input
>  deny ip host 255.255.255.255 any
>  deny ip any 10.0.0.0 0.0.255.255 log-input
wouldn't
deny ip 10.0.0.0 0.255.255.255 any any
do the same thing more effectively? Basically, you don't want anyone spoofing a 10.x.x.x address coming in, and that does the job.
No need to specifically deny Sasser / other worms, since every ACL ends with an implicit DENY.
I'd recommend putting all your PERMITs together and all your DENYs together (permits before denies of course) for ease of reading.
Also, the named standard ACLs aren't used; might as well remove them for cleanliness.
Comments welcome (I'm still learning this myself)...
Nix
michaelr7 (join: 2004-03-26, Tucson, AZ), reply to lat47
Did you try AutoSecure to see what it comes up with? The version of IOS you are running comes with the rollback feature if you need to go back. (As always, save your config before starting something new like AutoSecure.)
Using it:
www.cisco.com/en/US/partner/prod···101.html
And a white paper about AutoSecure:
www.cisco.com/en/US/partner/prod···61.shtml
lat47 (Premium, join: 2004-07-31, Redmond, WA), reply to lat47
Thanks for the comments and suggestions. A few points:
Michaelr:
Thanks for the pointer to AutoSecure. I had never even heard of AutoSecure before. Impressive feature. I ran it and got about 3 pages of changes. Some were useful, others were not. For example it put 77 deny statements in the incoming ACL for reserved IP addresses. This is good but I'm concerned about performance. Do I need to be? When do the lists become too long and slow the router down? How can I tell if the router is slowing down? Is the router fast enough that I don't need to worry about this?
In the end I ran AutoSecure then did a diff on the before and after config files. I found 12 changes I need to make (besides the ACL stuff). I backed out the AutoSecure changes and applied the 12 changes by hand. All in all a worthwhile exercise.
Ixne:
I have two purposes with the lines:
deny ip 10.0.0.0 0.0.255.255 any log-input
deny ip any 10.0.0.0 0.0.255.255 log-input
The first line is simple spoofing protection. (Although AutoSecure suggests a lot more of these - is this a problem?) These block any packet with a source destination of my internal. Clearly these are bogus.
The second line blocks packets with a destination address in my internal net. My external IP address is 218.16.252.187 (actually that is the IP address of a guy in China who keeps scanning my system. I edited my real IP address out of the config for security/privacy). My internal net is 10.0.0.0 0.0.255.255. Since I have NAT turned on I did not want any packet going through the router with a destination of my internal network. All the packets should have a destination of 218.16.252.187. As a test I tried the following: set up a machine outside my router with an IP of 218.16.252.188. Set that machine to have a default gateway of 218.15.252.187. I then did a ping of 10.0.0.2. The packet went right through the router and showed up on my internal network. Not good. I wanted to add a deny statement to the ACL that said "deny if IP address does not equal 218.16.252.187". I could not find a way to do a deny not equal. Instead I put this one line.
Is this a real concern? Can someone send a packet directly to my interface with a different IP address? I don't know enough about internet routing to know. I could do it in an artificial way. Still, better safe than hacked.
Good point on the Sasser/other worms deny statements. I originally put these in just to generate logging messages. Later I went back and added "deny ip any any log-input" at the end. The purpose was to generate log messages on any unexpected packet. I was worried originally that this would generate too many log messages. It has not (maybe a dozen or two per hour). I need to remove the earlier Sasser/etc ones.
Rearranging the permits and denies will not work. I permit several ICMP commands then deny all others. If I put the denies first the ones I want would not get through.
Anyway, thanks for the feedback. Comments encouraged. Now if I could only get this VPN stuff working...
Kent
Ixne (join: 2004-03-23, Dearborn, MI), 2 edits
> said by lat47: I wanted to add a deny statement to the ACL that said "deny if IP address does not equal 218.16.252.187". I could not find a way to do a deny not equal. Instead I put this one line.
permit host 218.16.252.187 any any
Wouldn't this do it, while DENYing everyone else?
Also, for my own edification, I'm still curious if
deny ip 10.0.0.0 0.255.255.255 any any
wouldn't also solve your spoofing concerns?
Nix... "everyone's favorite pastime, ACLs"
lat47 (Premium, join: 2004-07-31, Redmond, WA), reply to lat47
To your first question, yes and no.
Yes in that
permit host 218.16.252.187 any any
only lets in traffic from 218.16.252.187. I want to filter out packets not to 218.16.252.187. So
permit host any 218.16.252.187
only lets in traffic to that IP address.
No in that I want that to be the first step in a number of checks. As soon as a packet matches a permit or deny line in an ACL, the packet is forwarded on or dropped. The rest of the list does not get processed, so all my other checks would not get done.
deny ip 10.0.0.0 0.255.255.255 any any does not solve my spoofing problems. Consider a packet that arrives at the interface 218.16.252.187 with a source of 23.24.25.26 and a destination of 10.0.0.2. This is a packet going directly to a host on my internal network, circumventing the NAT. Your single line would not filter this packet. The deny ip any 10.0.0.0 0.255.255.255 would filter the packet.
So your line would catch the standard source address spoofing. My final line catches destination address spoofing -- if that is what you call this. As stated above I'm not even sure if this is possible. I could only do it from a machine on the same local net. For my ISP there are about 40 machines on the same local net.
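The back-and-forth between Ixne's single deny ip 10.0.0.0 0.255.255.255 any line and Kent's pair of deny lines comes down to two mechanics: how a wildcard mask selects the bits that must match, and the first-match rule Kent describes (the first entry that matches decides, and the implicit deny at the end catches the rest). The Python below is an added example written for this page; it is not code from the thread or from Cisco. It implements only the slice of IOS extended-ACL syntax that appears in the posts (permit/deny, ip/tcp/udp/icmp, any / host A.B.C.D / address plus wildcard, an optional eq PORT, an ICMP type name, and trailing log or log-input which are ignored) and evaluates constructed packets against the lines quoted above. The addresses 10.0.0.5 and 23.24.25.26, the shortened MainGate excerpt and all packets are constructed for the demonstration. One caveat the evaluator glosses over: IOS itself would reject the extra trailing "any" in Ixne's line, which this code simply ignores.

```python
"""Toy first-match evaluator for the Cisco extended-ACL entries used in this thread
(added example; not the thread's or Cisco's code)."""
import ipaddress

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "www": 80, "ntp": 123}
TRAILERS = {"log", "log-input"}


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_addr(tokens, i):
    """One address spec -> ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (ip_int(tokens[i + 1]), 0), i + 2
    return (ip_int(tokens[i]), ip_int(tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse one access-control entry of the shapes that appear in the thread."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    dport = icmp_type = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    elif proto == "icmp" and i < len(t) and t[i] not in TRAILERS:
        icmp_type = t[i]  # e.g. echo, echo-reply, redirect, time-exceeded
    # anything else (log, log-input, a stray extra 'any') does not affect matching
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "icmp_type": icmp_type, "text": line}


def addr_match(spec, addr):
    """Wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return ip_int(addr) & care == net & care


def ace_match(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if not (addr_match(ace["src"], pkt["src"]) and addr_match(ace["dst"], pkt["dst"])):
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    return True


def evaluate(acl, pkt):
    """IOS semantics: the first matching entry decides; no match means deny."""
    for line in acl:
        if line.split()[0] == "remark":
            continue
        ace = parse_ace(line)
        if ace_match(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny at end of list)"


# Ixne's single-line proposal (IOS would reject the trailing extra 'any')
ACL_IXNE = ["deny ip 10.0.0.0 0.255.255.255 any any",
            "permit ip any any"]
# Kent's two lines from MainGate
ACL_KENT = ["deny ip 10.0.0.0 0.0.255.255 any log-input",
            "deny ip any 10.0.0.0 0.0.255.255 log-input",
            "permit ip any any"]
# Shortened excerpt of MainGate, entries kept in their original order
MAINGATE = ["deny ip 10.0.0.0 0.0.255.255 any log-input",
            "deny ip any 10.0.0.0 0.0.255.255 log-input",
            "permit icmp any host 218.16.252.187 echo log-input",
            "deny icmp any any redirect",
            "permit tcp any host 218.16.252.187 eq www",
            "remark 445 is Sasser",
            "deny tcp any any eq 445 log-input",
            "deny ip any any log-input"]

# Constructed packets: a source-spoofed one, and Kent's direct-to-10.0.0.2 case
SRC_SPOOF = {"proto": "tcp", "src": "10.0.0.5", "dst": "218.16.252.187", "dport": 80}
DST_SPOOF = {"proto": "icmp", "src": "23.24.25.26", "dst": "10.0.0.2", "icmp_type": "echo"}

if __name__ == "__main__":
    for name, acl in (("Ixne", ACL_IXNE), ("Kent", ACL_KENT)):
        for label, pkt in (("source-spoofed", SRC_SPOOF), ("dest 10.0.0.2", DST_SPOOF)):
            print(f"{name:5} {label:15} -> {evaluate(acl, pkt)}")
    ping = {"proto": "icmp", "src": "23.24.25.26", "dst": "218.16.252.187", "icmp_type": "echo"}
    print("MainGate echo         ->", evaluate(MAINGATE, ping))
    print("MainGate tcp/445      ->", evaluate(MAINGATE, dict(SRC_SPOOF, src="23.24.25.26", dport=445)))
```

Running it shows that both lists drop the source-spoofed packet, but only Kent's second entry catches the packet addressed straight to 10.0.0.2, because Ixne's line only ever looks at the source field. The MainGate excerpt also shows why order matters: the echo permit is reached before any ICMP deny, and a TCP/445 packet falls through the specific permits to the logged deny. Whether such a packet can reach the outside interface from beyond the ISP's local segment is a routing question the thread leaves open; the entry simply guarantees it is dropped and logged if it does arrive.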
kron123 (join: 2003-05-10, Sierra Vista, AZ), 2 edits, reply to lat47
The following is my config (with passwords removed). It utilizes reflected packets. There is no FW config in it. =p Hopefully this will help you.
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname eve
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 [SNIP]
!
username kron123 privilege 15 secret 5 [SNIP]
username public privilege 10 secret 5 [SNIP]
clock timezone PCTime -7
no aaa new-model
ip subnet-zero
!
ip dhcp excluded-address 172.16.45.1
ip dhcp excluded-address 172.16.45.124 172.16.45.125
!
ip dhcp pool DHCPpoolLAN_0
 network 172.16.45.0 255.255.255.0
 dns-server 172.16.45.2 68.2.16.245 68.2.16.30
 default-router 172.16.45.1
 domain-name eve.kron.cx
 netbios-name-server 172.16.45.2
!
ip dhcp pool charon
 host 172.16.45.2 255.255.255.0
 client-identifier 0100.80c6.f9c6.3f
!
ip dhcp pool moses
 host 172.16.45.3 255.255.255.0
 client-identifier 0100.0ea6.4204.fb
!
ip dhcp pool balder
 host 172.16.45.4 255.255.255.0
 client-identifier 0100.07e9.dd6b.41
!
ip dhcp pool xbox
 host 172.16.45.5 255.255.255.0
 client-identifier 0100.0d3a.0ce6.6d
!
ip dhcp pool skuld
 host 172.16.45.6 255.255.255.0
 client-identifier 0100.0cf1.2fa5.17
!
ip dhcp pool chikshou
 host 172.16.45.7 255.255.255.0
 client-identifier 0100.0c6e.27ca.2e
!
ip dhcp pool sokn
 host 172.16.45.8 255.255.255.0
 client-identifier 0100.07e9.74d1.02
!
ip dhcp pool skuldlan
 host 172.16.45.9 255.255.255.0
 client-identifier 0100.0ea6.bf8e.15
!
ip domain name kron.cx
ip name-server 172.16.45.2
ip name-server 68.2.16.245
ip name-server 68.2.16.30
ip ips po max-events 100
no ftp-server write-enable
!
class-map match-all web
 match access-group 199
!
policy-map qos
 class web
  bandwidth 128
 class class-default
  fair-queue
!
interface Ethernet0
 description *** Internal LAN Interface ***
 ip address 172.16.45.1 255.255.255.0
 ip access-group 105 in
 ip access-group 106 out
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 description *** External WAN Interface ***
 ip address dhcp
 ip access-group infilter in
 ip access-group outfilter out
 ip nat outside
 ip virtual-reassembly
 service-policy output qos
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.45.2 8088 interface Ethernet1 8088
ip nat inside source static tcp 172.16.45.2 5775 interface Ethernet1 5775
ip nat inside source static tcp 172.16.45.2 5774 interface Ethernet1 5774
ip nat inside source static tcp 172.16.45.2 5773 interface Ethernet1 5773
ip nat inside source static tcp 172.16.45.2 5772 interface Ethernet1 5772
ip nat inside source static tcp 172.16.45.2 5771 interface Ethernet1 5771
ip nat inside source static tcp 172.16.45.2 5770 interface Ethernet1 5770
!
ip access-list extended infilter
 permit ip host 198.49.185.253 any
 permit icmp host 24.255.1.16 any
 deny tcp any any range ftp-data telnet
 deny tcp any any eq 135
 deny tcp any any eq 443
 deny tcp any any eq 445
 permit udp any eq bootps any eq bootpc
 remark *** Begin DNS Permits ***
 permit udp host 68.2.16.245 eq domain any
 permit udp host 68.2.16.30 eq domain any
 remark *** End DNS Permits ***
 remark *** Begin Port Forward Permits ***
 permit tcp any any eq 5770
 remark *** End Port Forward Permits ***
 evaluate reflected-packets
 deny ip any any log
ip access-list extended outfilter
 permit ip any host 198.49.185.253
 deny ip any 0.0.0.255 255.255.255.0
 permit tcp any any reflect reflected-packets
 permit udp any any reflect reflected-packets
 permit icmp any any reflect reflected-packets
 permit ip any any reflect reflected-packets
 deny ip any any log
logging 172.16.45.3
access-list 1 permit 172.16.45.0 0.0.0.255
access-list 105 deny tcp any any eq 135 log
access-list 105 deny tcp any any eq 445 log
access-list 105 permit udp any eq bootpc any eq bootps
access-list 105 remark *** BEGIN Lan party limits ***
access-list 105 permit ip 172.16.45.0 0.0.0.7 any
access-list 105 permit ip 172.16.45.8 0.0.0.1 any
access-list 105 permit ip 172.16.45.124 0.0.0.1 any
access-list 105 deny tcp 172.16.45.0 0.0.0.255 host 207.46.104.20 eq www
access-list 105 permit tcp 172.16.45.0 0.0.0.255 any eq www
access-list 105 permit tcp 172.16.45.0 0.0.0.255 any eq 443
access-list 105 permit tcp 172.16.45.0 0.0.0.255 any eq domain
access-list 105 deny ip 172.16.45.0 0.0.0.255 any log
access-list 105 remark *** END Lan party limits ***
access-list 105 permit ip 172.16.45.0 0.0.0.255 any
access-list 105 deny tcp any any gt 0 log
access-list 105 deny udp any any gt 0 log
access-list 105 deny ip any any log
access-list 106 permit ip 198.49.185.0 0.0.0.255 any
access-list 106 permit ip any 172.16.45.0 0.0.0.255
access-list 106 deny ip any 0.0.0.255 255.255.255.0
access-list 106 deny ip any 0.0.0.0 255.255.255.0
access-list 106 deny udp any any eq 0
access-list 106 deny tcp any any eq 0
access-list 106 deny ip any any log
access-list 155 permit ip host 198.49.185.253 any log
access-list 155 permit ip 172.16.45.0 0.0.0.255 any log
access-list 155 deny ip any any log
access-list 199 permit tcp any any eq www
access-list 199 permit tcp any any eq 443
access-list 199 permit udp any any eq domain
no cdp run
!
control-plane
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 3
 access-class 155 in
 exec-timeout 30 0
 password 7 [SNIP]
 login local
 transport preferred all
 transport input all
 transport output all
line vty 4
 access-class 155 in
 exec-timeout 5 0
 password 7 [SNIP]
 login local
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
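The thing that makes kron123's config stateful without CBAC is the reflexive ACL pair: the "permit ... reflect reflected-packets" entries in outfilter record every outbound session, and the "evaluate reflected-packets" entry in infilter admits only the matching return traffic before the final "deny ip any any log". The Python below is an added example for this page, not kron123's code or Cisco's; it models that mechanism as a table of mirrored 5-tuples with an idle timer, which is the shape of what IOS keeps. The public address 192.0.2.1, the remote hosts and ports, and the 300-second idle timeout (assumed here to match the IOS default for reflexive entries) are constructed for illustration. Addresses are those seen on the outside interface, i.e. after NAT, which is where both of kron123's lists are applied.

```python
"""Toy model of IOS reflexive ACLs (reflect on the outbound list, evaluate on the
inbound list). Added example; not kron123's config or Cisco code."""


class ReflexiveList:
    """Temporary entries keyed by the mirror image of an outbound 5-tuple."""

    def __init__(self, timeout=300):
        self.timeout = timeout   # idle seconds before an entry is dropped (assumed default)
        self.entries = {}        # mirrored 5-tuple -> expiry time

    def reflect(self, pkt, now):
        """An outbound packet matched 'permit ... reflect NAME': store its mirror."""
        mirror = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        self.entries[mirror] = now + self.timeout

    def evaluate(self, pkt, now):
        """The inbound list reached 'evaluate NAME': is this packet a known reply?"""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del self.entries[key]    # idle session aged out
            return False
        self.entries[key] = now + self.timeout   # traffic refreshes the idle timer
        return True


def outbound(pkt, rl, now):
    """Simplified outfilter: everything leaving is permitted and reflected."""
    rl.reflect(pkt, now)
    return "permit"


def inbound(pkt, rl, now, static_permits=frozenset({("tcp", 5770)})):
    """Simplified infilter: static port-forward permits, then evaluate, then deny."""
    if (pkt["proto"], pkt["dport"]) in static_permits:
        return "permit (static)"
    if rl.evaluate(pkt, now):
        return "permit (reflected)"
    return "deny"


def run_scenario():
    """Constructed walk-through; returns the decisions in order."""
    rl = ReflexiveList(timeout=300)
    decisions = []
    # t=0: a LAN host (seen post-NAT as 192.0.2.1) opens an HTTP session outbound
    out = {"proto": "tcp", "src": "192.0.2.1", "sport": 40000,
           "dst": "198.51.100.10", "dport": 80}
    decisions.append(outbound(out, rl, now=0))
    # t=10: the server's reply arrives; its tuple is the stored mirror image
    reply = {"proto": "tcp", "src": "198.51.100.10", "sport": 80,
             "dst": "192.0.2.1", "dport": 40000}
    decisions.append(inbound(reply, rl, now=10))
    # t=10: an unsolicited packet to the same local port from elsewhere has no entry
    probe = {"proto": "tcp", "src": "203.0.113.5", "sport": 12345,
             "dst": "192.0.2.1", "dport": 40000}
    decisions.append(inbound(probe, rl, now=10))
    # t=10: the port-forwarded service on 5770 is admitted by the static permit
    decisions.append(inbound(dict(probe, dport=5770), rl, now=10))
    # t=400: the session has been idle past the timeout, so late traffic is dropped
    decisions.append(inbound(reply, rl, now=400))
    return decisions


if __name__ == "__main__":
    for step, decision in zip(["outbound", "reply", "probe", "fwd 5770", "late reply"],
                              run_scenario()):
        print(f"{step:10} -> {decision}")
```

The model makes two properties of kron123's layout visible: an inbound packet is admitted by evaluate only if the exact mirrored tuple exists, so a probe to a port that happens to be in use still hits the final deny, and the static "permit tcp any any eq 5770" sits before evaluate and so admits that port regardless of state. Real IOS also tears TCP entries down on FIN/RST rather than waiting for the idle timer; that refinement is left out here.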