Hardening your Perimeter
Web Site: http://m3ipinc.com
Last year, when the first SNMP (Simple Network Management Protocol)
exploits came out, we cracked the SNMP write community string of a
client we were testing, enabled TFTP (Trivial File Transfer Protocol),
sent the router's config file over to our TFTP server and installed the
required management software. At this point we could very easily have
deleted the Access Control Lists (ACLs), used the system to telnet or
ssh to internal network systems, or shut the network down entirely.
Compromising a border routing device can lead to total control of a
network, either by using privileges learned from the router or by
exploiting it and bouncing traffic through another system on its way
to its intended target.
To prevent this from happening, here are several steps you can take to
protect the border of your network. The examples use a Cisco 2500
series router running Cisco IOS.
Disable services that you do not use
no service udp-small-servers
no service tcp-small-servers
no service finger
no ip http server
This disables the finger service (which displays user information),
the HTTP interface (the built-in www daemon), and the small servers
discard, echo and chargen (which can be abused as DDoS generators).
Apply granular rules to your border device
access-list 101 deny tcp any host "router IP" eq 7
access-list 101 deny tcp any host "router IP" eq 9
access-list 101 deny tcp any host "router IP" eq 13
access-list 101 deny tcp any host "router IP" eq 19
access-list 101 deny tcp any host "router IP" eq 23
access-list 101 deny tcp any host "router IP" eq 79
These entries restrict external access to the ports used for reconnaissance
(echo, discard, daytime, chargen, telnet and finger).
Restrict telnet access
access-list 103 permit 192.168.1.x
access-list 103 deny any log
line vty 0 4
access-class 103 in
exec-timeout 5 0
With ssh (secure shell, encrypted) available, why telnet (clear text) is
still used is beyond the scope of this e-newsletter. But if you must
use it, restrict its access.
enable secret "password"
This protects the privileged access path into IOS. Make sure to use the
strongest available hashing algorithm (MD5), which is what enable secret uses.
Restrict SNMP access
access-list 104 deny udp any any eq snmp
access-list 104 permit ip any any
ip access-group 104 in
If you want to shut it down
This will stop broadcasting of device information on the
Block non-routable IP addresses
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 220.127.116.11 18.104.22.168 any
access-list 102 deny icmp any any redirect
access-list 102 deny ip host 0.0.0.0 any
ip access-group 102 in
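The steps above are easy to misapply: an access-list that is defined but never referenced by ip access-group or access-class filters nothing, and the SNMP deny entry only helps if its list is actually applied. The following audit script is an added example, not part of the original newsletter, and checks a saved running-config for exactly the items discussed on this page. The sample config, the interface name Serial0, the address 203.0.113.1 and the enable secret hash are constructed placeholders.

```python
import re
# Each item: (description, regex that must match one line of the config).
REQUIRED = [
    ("small UDP servers disabled", r"^no service udp-small-servers$"),
    ("small TCP servers disabled", r"^no service tcp-small-servers$"),
    ("finger disabled", r"^no service finger$"),
    ("HTTP server disabled", r"^no ip http server$"),
    ("enable secret set", r"^enable secret \S"),
    ("vty access-class applied", r"^ access-class \d+ in$"),
    ("vty exec-timeout set", r"^ exec-timeout \d+ \d+$"),
]
# Spoofed source ranges (address + wildcard mask) the bogon ACL must deny.
BOGONS = ["127.0.0.0 0.255.255.255", "10.0.0.0 0.255.255.255",
          "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"]

def audit_ios_config(cfg: str) -> list[str]:
    """Return findings for a running-config; an empty list means every check passed."""
    findings = [f"missing: {d}" for d, pat in REQUIRED if not re.search(pat, cfg, re.M)]
    # A defined access-list filters nothing until 'ip access-group N in' or 'access-class N in' names it.
    defined = set(re.findall(r"^access-list (\d+) ", cfg, re.M))
    applied = set(re.findall(r"^ (?:ip access-group|access-class) (\d+) in$", cfg, re.M))
    findings += [f"access-list {n} defined but never applied" for n in sorted(defined - applied, key=int)]
    findings += [f"no deny for spoofed source {b.split()[0]}" for b in BOGONS
                 if not re.search(rf"^access-list \d+ deny ip {re.escape(b)} any$", cfg, re.M)]
    # SNMP: either removed outright, or UDP 161 denied by an ACL that is actually applied.
    snmp_acl = re.search(r"^access-list (\d+) deny udp any any eq snmp$", cfg, re.M)
    if not re.search(r"^no snmp-server$", cfg, re.M) and not (snmp_acl and snmp_acl.group(1) in applied):
        findings.append("SNMP not blocked: add 'no snmp-server' or apply an ACL denying udp eq snmp")
    return findings

# Constructed sample config (not a real device); 203.0.113.1 and the secret hash are placeholders.
SAMPLE_CONFIG = """
no service udp-small-servers
no service tcp-small-servers
no service finger
no ip http server
enable secret 5 $1$PLACEHOLDER$notarealhash
access-list 101 deny tcp any host 203.0.113.1 eq 23
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 permit 192.168.1.0 0.0.0.255
access-list 104 deny udp any any eq snmp
interface Serial0
 ip access-group 102 in
line vty 0 4
 access-class 103 in
 exec-timeout 5 0
"""
```

Run against the sample, the audit reports that lists 101 and 104 are never applied and that SNMP is therefore still reachable. Note that IOS accepts only one inbound IP access-list per interface, so the entries of lists 101, 102 and 104 have to be merged into a single list before that list is applied.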
There you have it: if a service is not needed, shut it off. To see
what effect this has on the border device, please feel free to run
nmap (http://www.insecure.org/nmap/) and nessus (link dead, sorry) in
a before and after assessment.
A great reference web site can also be found at: (link dead, sorry)
To respond to this or previous newsletters or to inquire about
an on-site presentation, please feel free to call us at
508-995-4933 or email us at [email protected]
Have a safe and Merry Christmas!
Until next year.....
© 2012-07-07 Michael Desrosiers