Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Hardware

8 Steps To Protect Your Cisco Router 31

Daniel B. Cid writes "I wrote the article '8 steps to Protect your Cisco router' (PDF). This small text gives to the reader eight steps (very easy to understand) showing how minimize your Cisco router exposure, by turning off some unused services, applying some access control lists and applying some security options available on that."
This discussion has been archived. No new comments can be posted.

8 Steps To Protect Your Cisco Router

Comments Filter:
  • by Anonymous Coward
    This is such a retarded article. How did this make Slashdot? On a related note, check out my article, 1 step to securing Windows 2000. Block all ports.
  • 8 Steps (Score:3, Funny)

    by Ogerman ( 136333 ) on Wednesday November 05, 2003 @12:39AM (#7393793)
    1.) Shut down the router
    2.) Disconnect the power
    3.) Remove all network cables
    4.) Remove router from rack, replacing it with a cheap Linux box with some high-end network cards, a hardened kernel and a good iptables script.
    5.) Return your Cisco router to original styrofoam packaging. Lock it away somewhere safe.
    6.) Your Cisco router is now protected
    7.) ...
    8.) Profit!!
    • Re:8 Steps (Score:2, Funny)

      by Zeio ( 325157 )
      6.) Your Cisco router is now protected

      From the terrible secret of space.
    • Damn straight. I had a Cisco PIX 506E and the thing was rediculously overpriced for what it offered. The manuals that accompany the device were nothing more than IOS command guides (the product guide on CD only vaguely helpful).

      I became a much happier person when I moved to a linux machine with a nice shorewall iptables script.

      There is one thing I have to say about the cisco 506E, it had a form factor that beats the hell out of a plain pc. I would have loved to run linux on it. It was very small/qu
  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Wednesday November 05, 2003 @04:43AM (#7394543)
    Comment removed based on user account deletion
  • by Zocalo ( 252965 ) on Wednesday November 05, 2003 @05:26AM (#7394669) Homepage
    Pretty good primer for all the newbies out there, which is a good thing - we need to create some links and mirrors to get the thing high up on the Google rankings! One thing thing though; in the anti-spoofing section you might want to add the line:

    access-list 111 deny ip 169.254.0.0 0.0.255.255 any

    which is used for APIPA ("Automatic Private IP Addressing", the serverless "DHCP" thing) which a lot of people overlook. Also, while looking for that I spotted that you have the wrong subnet masks for 172.16.0.0 (it's a /12 not a /16) and 192.168.0.0 (it's a /16, not a /8), so you should have:

    access-list 111 deny ip 172.16.0.0 0.15.255.255 any
    access-list 111 deny ip 192.168.0.0 0.0.255.255 any

    Couldn't see anything else obvious to suggest, but I've only scanned it so far.

  • Just stuff a cheap p-box full of nics, load OpenBSD and you can do stuff you can't do with a Cisco box that costs 50 grand.

Whoever dies with the most toys wins.

Working...