Hardening your Perimeter

By Michael Desrosiers
m3ip Inc.
Email: mdesrosiers@m3ipinc.com
Web Site: http://m3ipinc.com

Last year when the first SNMP (Simple Network Management Protocol) exploits came out, we cracked an SNMP write community string of a client that we were testing, enabled TFTP (Trivial File Transfer Protocol), sent the config file of the router over to our TFTP server and installed the required management software. At this point, we could very easily have deleted the Access Control Lists (ACLs), used the system to telnet or ssh to internal network systems, or shut the network down entirely.

Compromising a border routing device can lead to total control of a network, either by using privileges learned from the router or by exploiting it and bouncing traffic through another system on its way to its intended target.

To prevent this from happening, here are several steps that you can take to protect the border of your network. As examples, we will be using a Cisco 2500 series router and Cisco IOS commands.

Disable services that you do not use

no service udp-small-servers
no service tcp-small-servers
no service finger
no ip http server

This disables the finger service (which displays user information), the HTTP management interface (the router's web daemon), and the small servers: echo, discard and chargen (which can be used as DDoS traffic generators).

Apply granular rules to your border device

access-list 101 deny tcp any host "router IP" eq 7
access-list 101 deny tcp any host "router IP" eq 9
access-list 101 deny tcp any host "router IP" eq 13
access-list 101 deny tcp any host "router IP" eq 19
access-list 101 deny tcp any host "router IP" eq 23
access-list 101 deny tcp any host "router IP" eq 79

This restricts external access to ports used in reconnaissance scans:

7 = echo
9 = discard
13 = daytime
19 = chargen
23 = telnet
79 = finger


Restrict telnet access

access-list 103 permit 192.168.1.x
access-list 103 deny any log
line vty 0 4
access-class 103 in
exec-timeout 5 0

With ssh (secure shell, encrypted) available, why telnet (clear text) is still used is beyond the scope of this e-newsletter. But if you must use it, restrict its access.

Encrypt passwords

enable secret "password"

This protects the privileged (enable) access path into IOS. Make sure to use the strongest available algorithm (md5).

Restrict SNMP access

access-list 104 deny udp any any eq snmp
access-list 104 permit ip any any
interface 1/1
ip access-group 104 in

If you want to shut SNMP down entirely:

no snmp-server

This stops the router from answering SNMP queries, so it no longer gives out device information on the network.

Block non-routable IP addresses

access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 224.0.0.0 7.255.255.255 any
access-list 102 deny icmp any any redirect
access-list 102 deny ip host 0.0.0.0 any
interface 1/1
ip access-group 102 in

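As an added example (not code from the article), the Python below evaluates a packet against an IOS numbered ACL the way the router does: entries are tried in order, a 1 bit in the wildcard mask means "don't care", and a list with no permit line, like ACL 102 above, ends in an implicit deny, so a permit such as access-list 102 permit ip any any has to follow the deny lines before the list is applied inbound. The ACL text is a constructed copy of ACL 102, and the addresses in the usage note are constructed.

```python
import ipaddress
from collections import namedtuple

# ACL entry: src/dst are (address, wildcard) 32-bit ints; qual is the port after "eq", an ICMP type name, or None.
Entry = namedtuple("Entry", "action proto src dst qual")

def _addr(tok):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' -> (address, wildcard) ints."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)                      # all-ones wildcard: match anything
    ip = int(ipaddress.IPv4Address(tok.pop(0) if t == "host" else t))
    return (ip, 0 if t == "host" else int(ipaddress.IPv4Address(tok.pop(0))))

def parse_acl(config, number):
    """Collect the 'access-list <number>' lines in config order (first match wins)."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = _addr(rest), _addr(rest)
        qual = rest[1] if rest[:1] == ["eq"] else (rest[0] if rest else None)
        entries.append(Entry(action, proto, src, dst, qual))
    return entries

def _match(spec, ip):
    care = ~spec[1] & 0xFFFFFFFF       # a 1 bit in the wildcard means "don't care"
    return ip & care == spec[0] & care

def evaluate(acl, proto, src, dst, qual=None):
    """Return 'permit' or 'deny' for one packet, walking the ACL the way IOS does."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if (e.proto in ("ip", proto) and _match(e.src, s) and _match(e.dst, d)
                and (e.qual is None or e.qual == str(qual))):
            return e.action
    return "deny"                      # every IOS ACL ends with an implicit deny

# Constructed copy of the article's ACL 102 exactly as written (no permit line).
ACL_102 = """\
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 224.0.0.0 7.255.255.255 any
access-list 102 deny icmp any any redirect
access-list 102 deny ip host 0.0.0.0 any
"""
```

evaluate(parse_acl(ACL_102, 102), "tcp", "198.51.100.7", "203.0.113.1", 80) returns "deny" even for a legitimate public source; with the permit line appended it returns "permit", while sources in 10/8, 172.16/12 and 192.168/16 still hit the deny entries.
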
There you have it. If a service is not needed, shut it off. To see what effect these changes have on the border device, please feel free to run nmap (http://www.insecure.org/nmap/) and nessus (http://www.nessus.org/) in a before-and-after assessment.

A great reference web site can also be found at:

http://www.cisecurity.org/bench_cisco.html

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.

Have a safe and Merry Christmas!

Until next year.....

Regards,

Michael Desrosiers
Founder
m3ip, Inc.
1-508-995-4933
mdesrosiers@m3ipinc.com
http://www.m3ipinc.com

/MDesrosiers/perimeterdefense.html copyright December 2003 Michael Desrosiers All Rights Reserved