Thursday, December 27, 2018

Hardening Internet Facing Routers

What special precautions (if any) do you take to secure internet facing routers that go beyond what you do for internal devices? I'm mainly curious to see if there are any gaps in our current methods.

Things we do for all devices (Cisco):

  • Restrict SNMP access to our monitoring hosts

  • Restrict SSH access to our jumpbox subnets

  • Disable 'outbound' SSH from vty connections

  • Disable Telnet, HTTP, and HTTPS access

  • AAA via TACACS+ for vty and console connections

  • Secure physical access to the device

  • Syslogs, traps, and netflow data being sent to centralized servers

Additional steps on internet facing devices:

  • Inbound ACLs to filter traffic sourced from RFC 1918 and our own public blocks

  • Disable CDP/LLDP

  • Change passwords for local fallback accounts monthly

  • Enable authentication for all eBGP sessions to our ISPs

  • Inbound filters for eBGP sessions to stop our own public blocks from being advertised back to us

  • Disable ICMP redirects and unreachables on internet facing interfaces
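One way to turn the two lists above into a repeatable check is to audit the running-config for each item rather than eyeballing it. The script below is an added example, not something from the original post: it parses a constructed Cisco IOS sample config (RFC 5737 documentation ranges stand in for the ISP neighbor and for our own public block, and the ACL, prefix-list and PLACEHOLDER-* names are made up) and reports which hardening items from both lists are missing, treating the named uplink interfaces and the eBGP neighbors with the stricter internet-facing rules.

```python
"""Audit a Cisco IOS running-config for the hardening items in the two lists above.
Added example, not a tool from the original post; the config below is a constructed
sample (RFC 5737 documentation ranges stand in for the ISP and our public block)."""

# Constructed sample running-config; PLACEHOLDER-* values stand in for secrets.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
no ip http secure-server
no cdp run
no lldp run
ip access-list standard SNMP-MONITORS
 permit 10.10.0.0 0.0.0.255
ip access-list standard SSH-JUMPHOSTS
 permit 10.20.5.0 0.0.0.255
ip access-list extended EDGE-INBOUND
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any
ip prefix-list FROM-ISP seq 5 deny 203.0.113.0/24 le 32
ip prefix-list FROM-ISP seq 100 permit 0.0.0.0/0 le 32
snmp-server community PLACEHOLDER-RO RO SNMP-MONITORS
interface GigabitEthernet0/0
 ip access-group EDGE-INBOUND in
 no ip redirects
 no ip unreachables
router bgp 64500
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 password PLACEHOLDER-BGP-KEY
 neighbor 198.51.100.1 prefix-list FROM-ISP in
line vty 0 4
 access-class SSH-JUMPHOSTS in
 transport input ssh
 transport output none
"""

# (address, wildcard) source pairs the edge inbound ACL must deny
RFC1918 = {("10.0.0.0", "0.255.255.255"), ("172.16.0.0", "0.15.255.255"),
           ("192.168.0.0", "0.0.255.255")}
OWN_BLOCKS = {("203.0.113.0", "0.0.0.255")}  # constructed: our own public block

def parse_blocks(config):
    """Return (global lines, {stanza header: [indented child lines]})."""
    globals_, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            globals_.append(current)
            blocks[current] = []
    return globals_, blocks

def acl_denies(acl_lines, required):
    """True when every (addr, wildcard) in required has a 'deny ip <addr> <wc> ...' entry."""
    denied = {(t[2], t[3]) for t in (l.split() for l in acl_lines)
              if len(t) >= 4 and t[0] == "deny" and t[1] == "ip"}
    return required <= denied

def audit(config, uplinks):
    """Map each hardening check to True (pass) or False (fail)."""
    g, blocks = parse_blocks(config)
    gset, f = set(g), {}
    vtys = [c for h, c in blocks.items() if h.startswith("line vty")]
    f["vty_ssh_only"] = bool(vtys) and all("transport input ssh" in c for c in vtys)
    f["vty_no_outbound"] = bool(vtys) and all("transport output none" in c for c in vtys)
    f["vty_access_class"] = bool(vtys) and all(
        any(l.startswith("access-class") and l.endswith(" in") for l in c) for c in vtys)
    f["http_disabled"] = {"no ip http server", "no ip http secure-server"} <= gset
    # 'snmp-server community <string> RO|RW <acl>': a fifth token means an ACL is bound
    comm = [l for l in g if l.startswith("snmp-server community")]
    f["snmp_acl"] = bool(comm) and all(len(l.split()) >= 5 for l in comm)
    f["aaa_tacacs"] = "aaa new-model" in gset and any(
        l.startswith("aaa authentication login") and "group tacacs+" in l for l in g)
    f["cdp_lldp_off"] = {"no cdp run", "no lldp run"} <= gset
    for name in uplinks:  # the stricter checks apply to internet-facing interfaces only
        c = blocks.get(f"interface {name}", [])
        acl = next((l.split()[2] for l in c
                    if l.startswith("ip access-group") and l.endswith(" in")), None)
        f[f"{name}_inbound_acl"] = acl is not None
        f[f"{name}_bogon_filter"] = acl is not None and acl_denies(
            blocks.get(f"ip access-list extended {acl}", []), RFC1918 | OWN_BLOCKS)
        f[f"{name}_no_redirects"] = "no ip redirects" in c and "no ip unreachables" in c
    bgp = next((c for h, c in blocks.items() if h.startswith("router bgp")), [])
    for n in [t[1] for t in (l.split() for l in bgp) if len(t) > 2 and t[2] == "remote-as"]:
        f[f"bgp_{n}_auth"] = any(l.startswith(f"neighbor {n} password") for l in bgp)
        f[f"bgp_{n}_inbound_filter"] = any(
            l.startswith(f"neighbor {n} prefix-list") and l.endswith(" in") for l in bgp)
    return f

def failed_checks(config, uplinks):
    """Names of the checks that did not pass: the gaps the post is asking about."""
    return sorted(k for k, ok in audit(config, uplinks).items() if not ok)

if __name__ == "__main__":
    print("gaps:", failed_checks(SAMPLE_CONFIG, ["GigabitEthernet0/0"]) or "none")
```

Run it against `show running-config` output saved to a file and pass the names of the ISP-facing interfaces; anything in the returned list is an item from the checklist that the device does not have configured. The checks are deliberately literal string matches on IOS syntax, so a config that satisfies an item some other way (for example a bogon filter applied via a route-map or uRPF instead of an inbound ACL) will show up as a gap and should be reviewed by hand.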
