Tuesday, 1 May 2012

Secure Perimeter Routers & Disable Services & Logging

Ingress and Egress Filtering

Ingress filtering blocks packets arriving from outside the network that carry a source address belonging to the inside network. This helps prevent an outside attacker from spoofing the address of an internal machine.


Egress filtering blocks packets leaving the network that carry a source address not belonging to the inside network. This helps prevent an attacker within the network from launching IP spoofing attacks against external machines.


The diagram below shows the topology of the Cisco IOS router's ingress/egress filtering in a typical corporate network.


Access List Directional Filtering

A Cisco IOS ACL is used to define (classify) traffic. Once that traffic is defined, an action can be taken on it.
Most commonly, an ACL filters IP packets (Layer 3 of the OSI model) as they pass through a router; in other words, it permits or denies traffic through the router. However, if you only define the ACL and do not apply it to an interface in a direction (in or out) with the ip access-group command, nothing happens.


The diagram below shows the topology of the Cisco IOS router's ACL filtering in a typical corporate network.
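To make the ingress/egress and directional-ACL behaviour concrete, here is an added example (not code from the original post or from Cisco) that parses a small subset of IOS numbered extended ACL syntax and applies it per interface and direction. The ACL text, prefixes (192.168.0.0/16 as the corporate network, 203.0.113.0/24 and 10.0.0.0/8 as outside hosts), interface names and sample packets are all constructed.

```python
"""Toy evaluator for a subset of Cisco IOS numbered extended ACL syntax.

Added example, not code from the original post or from Cisco. The ACL
text, prefixes, interface names and packets below are all constructed;
192.168.0.0/16 stands in for the corporate network, 203.0.113.0/24 and
10.0.0.0/8 for outside hosts (TEST-NET-3 and a non-owned private range).
"""
import ipaddress
from dataclasses import dataclass

IPV4_ALL = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches any protocol
    src_match: object  # callable(ip_address) -> bool
    dst_match: object
    text: str          # original line, kept for the audit trail


def _address_spec(tokens):
    """Consume one ACL address spec from the front of tokens and return a matcher.
    Forms: 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (IOS wildcard: 0 bits must match)."""
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    if tok == "host":
        host = ipaddress.ip_address(tokens.pop(0))
        return lambda ip: ip == host
    base = int(ipaddress.ip_address(tok))
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    mask = IPV4_ALL ^ wildcard
    return lambda ip: (int(ip) & mask) == (base & mask)


def parse_acls(config_text):
    """Parse 'access-list N permit|deny PROTO SRC DST [log]' lines into {N: [Rule]}."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        rest = tokens[4:]
        src = _address_spec(rest)
        dst = _address_spec(rest)
        acls.setdefault(number, []).append(Rule(action, proto, src, dst, line.strip()))
    return acls


def evaluate(rules, pkt):
    """First matching entry wins; every ACL ends with an implicit 'deny ip any any'."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.proto in ("ip", pkt.proto) and rule.src_match(src) and rule.dst_match(dst):
            return rule.action, rule.text
    return "deny", "implicit deny"


# Constructed anti-spoofing ACLs for the outside (Internet-facing) interface.
ACL_CONFIG = """
access-list 101 remark INGRESS: outside packets must not claim an inside or loopback source
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
access-list 102 remark EGRESS: only our own prefix may leave the network
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip any any log
"""
ACLS = parse_acls(ACL_CONFIG)

# 'ip access-group N in|out' bindings. An ACL that is defined but not bound
# here is never consulted, which is the "nothing happens" case in the text.
ACCESS_GROUPS = {
    ("GigabitEthernet0/0", "in"): "101",   # ingress filter on the outside interface
    ("GigabitEthernet0/0", "out"): "102",  # egress filter on the outside interface
}


def filter_packet(interface, direction, pkt):
    """Apply whatever ACL is bound to (interface, direction); unbound means no filtering."""
    number = ACCESS_GROUPS.get((interface, direction))
    if number is None:
        return "permit", "no access-group on this interface/direction"
    return evaluate(ACLS[number], pkt)


if __name__ == "__main__":
    samples = [
        ("GigabitEthernet0/0", "in",  Packet("192.168.1.5", "192.168.1.10")),  # spoofed inside source
        ("GigabitEthernet0/0", "in",  Packet("203.0.113.7", "192.168.1.10")),  # legitimate outside source
        ("GigabitEthernet0/0", "out", Packet("192.168.1.5", "203.0.113.7")),   # our host going out
        ("GigabitEthernet0/0", "out", Packet("10.9.9.9", "203.0.113.7")),      # inside host using a foreign source
    ]
    for iface, direction, pkt in samples:
        action, why = filter_packet(iface, direction, pkt)
        print(f"{iface} {direction:3} {pkt.src:>13} -> {pkt.dst:<13} {action:6} ({why})")
```

The entries with the log keyword are the ones worth watching in syslog: on a correctly addressed network they should only ever fire for spoofed or misconfigured sources, so any hit is a signal for the operations team rather than noise.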


IOS Firewall Router

Context-Based Access Control (stateful traffic inspection)

CBAC is a stateful firewall feature that keeps track of the state of network connections (such as TCP and UDP sessions) travelling across the router. It creates openings in the ACLs on the interfaces that inspect the traffic by adding a temporary ACL entry for a specific session.


The openings are created when a host on the internal network starts a session to the outside network whose return traffic would otherwise be denied. Traffic is only allowed back through the firewall if it belongs to that same session and has the properties CBAC expects.
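The following added example (not Cisco's code and not from the original post) models the session table behind that behaviour: a deny-all inbound policy on the outside interface, a temporary opening created when an inside host starts a session, return traffic matched by reversing the 5-tuple, and removal of the opening after an idle timeout. The addresses, ports and timeout are constructed sample values.

```python
"""Toy model of CBAC-style stateful inspection on a router's outside interface.

Added example, not Cisco's code or the original post's. It assumes a
deny-all inbound ACL on the outside interface and models the temporary
entry CBAC adds for each session the inside network opens; timeouts
and addresses are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """The 5-tuple that return traffic for this session will carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulInspector:
    """Session table that turns a static deny-all into per-session openings."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        self.sessions = {}   # Flow as sent by the inside host -> last-seen time
        self.audit = []      # what would be sent to syslog

    def outbound(self, flow, now):
        """Inside host opens or continues a session: create or refresh the temporary opening."""
        self.sessions[flow] = now
        self.audit.append(f"{now}: session {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} opened/refreshed")

    def inbound(self, flow, now):
        """Packet arriving from outside: only return traffic of a live session is permitted."""
        original = flow.reverse()
        last_seen = self.sessions.get(original)
        if last_seen is None:
            self.audit.append(f"{now}: denied unsolicited {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
            return False
        if now - last_seen > self.idle_timeout:
            del self.sessions[original]
            self.audit.append(f"{now}: session to {flow.src}:{flow.sport} expired, packet denied")
            return False
        self.sessions[original] = now   # activity keeps the opening alive
        return True


def demo():
    """Walk one HTTPS session through the inspector and return the verdicts plus the audit log."""
    fw = StatefulInspector(idle_timeout=300)
    web = Flow("tcp", "192.168.1.5", 51000, "203.0.113.7", 443)   # constructed inside -> outside session
    fw.outbound(web, now=0)
    results = {
        "reply_in_session": fw.inbound(web.reverse(), now=5),
        "unsolicited_inbound": fw.inbound(Flow("tcp", "203.0.113.7", 40000, "192.168.1.5", 22), now=6),
        "wrong_port_same_peer": fw.inbound(Flow("tcp", "203.0.113.7", 443, "192.168.1.5", 51001), now=7),
        "reply_after_timeout": fw.inbound(web.reverse(), now=400),
    }
    return results, fw.audit


if __name__ == "__main__":
    verdicts, log = demo()
    for name, permitted in verdicts.items():
        print(f"{name:22} {'permit' if permitted else 'deny'}")
    print("\n".join(log))
```

The "wrong_port_same_peer" case is the property check the text refers to: the same outside host talking back from the right port but to a different inside port is not part of the session, so the opening does not apply to it.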


Authentication proxy


The HTTP-based authentication proxy provides dynamic, per-user authentication and authorization via TACACS+ and RADIUS protocols.


The diagram below is an example of the HTTP-based authentication proxy.



Intrusion Detection

The router acts as an in-line intrusion detection sensor.
When a packet or packets match a signature, it can perform any of the following configurable actions:

  • Alarm—Send an alarm to a Cisco IDS Director or Syslog server.
  • Drop—Drop the packet.
  • Reset—Send TCP resets to terminate the session.


It can identify up to 100 common attack signatures, depending on the IOS release.


Securing Cisco Routers by Disabling Unused Services


Disable BOOTP server
Test(config)# no ip bootp server
Disable CDP
Test(config)# no cdp run
Disable ip classless
Test(config)# no ip classless
Disable DNS lookup
Test(config)# no ip domain-lookup
Disable finger service
Test(config)# no ip finger
Disable HTTP server
Test(config)# no ip http server
Disable ip mask-reply (per interface)
Test(config-if)# no ip mask-reply
Disable IP directed broadcast (per interface)
Test(config-if)# no ip directed-broadcast
Disable IP source routing
Test(config)# no ip source-route
Disable IP unreachables (per interface)
Test(config-if)# no ip unreachables
Disable small servers
Test(config)# no service tcp-small-servers
Test(config)# no service udp-small-servers

Router Management (logging)

Event logging gives you visibility into the operation of a Cisco IOS device and the network it is deployed in. Cisco IOS software provides several flexible logging options that can help meet an organization's network management and visibility goals.

Log Severity Levels:


Logging methods:
Console
Buffered
Terminal Line
Syslog
SNMP


Log Message Format:
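As an added example (not from the original post), the parser below pulls apart the IOS message header, %FACILITY-SEVERITY-MNEMONIC: description, filters on severity the way the logging trap and logging buffered levels do (a lower number is more severe, so "level 4" keeps severities 0 to 4), and extracts the ACL hits that the log keyword produces. The severity table is the standard IOS one (0 = emergencies through 7 = debugging); the log lines are constructed samples shaped like IOS output, not captures from a device.

```python
"""Parse Cisco IOS syslog message headers and filter on severity.

Added example, not from the original post. The severity table is the
standard IOS one (0 = emergencies ... 7 = debugging); the log lines
are constructed samples shaped like real IOS messages, not captures.
"""
import re

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Anything before the '%' is the optional sequence number / timestamp prefix
# added by 'service sequence-numbers' and 'service timestamps log'.
MESSAGE_RE = re.compile(
    r"^(?P<prefix>.*?)%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_line(line):
    """Return the header fields of one IOS message, or None if the line is not one."""
    m = MESSAGE_RE.match(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    return {
        "timestamp": m.group("prefix").strip(" *:"),
        "facility": m.group("facility"),
        "severity": sev,
        "severity_name": SEVERITY_NAMES[sev],
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def at_or_above(lines, level):
    """Mimic 'logging trap <level>': keep messages whose severity number is <= level,
    i.e. at least as severe as the configured level."""
    parsed = (parse_line(line) for line in lines)
    return [p for p in parsed if p is not None and p["severity"] <= level]


def acl_denies(lines):
    """Extract list/proto/src/dst from IPACCESSLOG* messages, which an ACL entry's
    'log' keyword produces; on anti-spoofing entries every hit deserves a look."""
    hits = []
    for p in (parse_line(line) for line in lines):
        if p and p["facility"] == "SEC" and p["mnemonic"].startswith("IPACCESSLOG"):
            m = re.search(r"list (\S+) denied (\S+) (\S+) -> ([^\s,]+)", p["text"])
            if m:
                hits.append({"list": m.group(1), "proto": m.group(2), "src": m.group(3), "dst": m.group(4)})
    return hits


SAMPLE_LOG = [  # constructed sample lines, shaped like IOS output
    "*May  1 10:15:32.123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.5(44321) -> 192.168.1.10(22), 1 packet",
    "*May  1 10:15:40.007: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)",
    "*May  1 10:16:02.500: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down",
    "*May  1 10:16:03.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down",
    "000127: *May  1 10:16:09.420: %SEC-6-IPACCESSLOGP: list 102 denied udp 10.9.9.9(5353) -> 203.0.113.7(53), 3 packets",
    "this line is not an IOS message",
]

if __name__ == "__main__":
    for p in at_or_above(SAMPLE_LOG, 5):
        print(f"{p['timestamp']:24} {p['severity']} {p['severity_name']:14} {p['facility']}-{p['mnemonic']}: {p['text']}")
    for hit in acl_denies(SAMPLE_LOG):
        print("ACL", hit["list"], "denied", hit["proto"], hit["src"], "->", hit["dst"])
```

Note the trap in the severity numbering when choosing a level for a syslog server: an ACL deny is logged at severity 6 (informational), so a trap level of warnings would silently drop exactly the anti-spoofing hits the ingress and egress filters were configured to report.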







1 comment:

  1. This post is highly interesting and well informed. However, even after reading the post, I still do not understand how the ACCESS LIST DIRECTIONAL FILTERING works and what the Authentication proxy does (I do not understand the things from the start though). Would have been good if there were more detailed explanation on it.

    Regards,
    Papershake Koh Zhi Yao
