Edge Router-Security

Hi Dears,
Please, which ports should be blocked on the edge router to prevent attacks on my network from the Internet? Please give me some ports that are used by attackers.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Please, I don't run BGP on this router. Can I protect this router or network from attack by ACL, or do I need to install an ASA firewall?
Yes, you can protect your router from attack using ACLs. Regarding protecting the rest of your network, i.e. whether you need something like an ASA, that depends on the security needs of the rest of your network.
What firewalls offer, that "normal" ACLs usually don't, is basing security on session state, i.e., firewalls often restrict some/much external traffic to return traffic (some host on the inside had to start the session).
But do you need a firewall?
Again, depending on your interior network security needs, the security features of a router might be sufficient. For example, you might only allow return traffic using a reflexive ACL (http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfreflx.html). Or you might only allow TCP traffic that has the established bit set (this could be spoofed, but unless it matches what's expected by the host it's directed to, the host will drop it). If you use NAT, return traffic must match an outbound session. Additionally, beyond ACLs, Cisco routers often support a security feature set that provides additional firewall features, such as CBAC (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html) or ZFW (http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html).
A dedicated firewall device, such as an ASA, is often needed when your security requirements cannot be met by the above. Is this true for you? Don't know. If you don't know, that's a question probably better answered by obtaining personal consultation. Network security, as a subject, is complex enough that Cisco offers security certifications from CCNA to CCIE.
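To make the distinction the answer draws between a stateless ACL and session-state filtering concrete, here is a small Python simulation. It is an added example written for this page, not Cisco code and not part of the thread. The addresses, ports and names are constructed; established_acl() models the IOS established keyword (ACK or RST set in this one segment), and the ReflexiveAcl class models the temporary reverse entry a reflexive ACL installs when an inside host starts a session.

```python
"""Added example for this page (not from the thread, not IOS code): a small
simulation of the two ways the answer above describes to restrict inbound
traffic on an edge router. established_acl() models the stateless IOS
'established' keyword (permit TCP with ACK or RST set); ReflexiveAcl models
a reflexive ACL, which only permits inbound packets that mirror a session an
inside host already started. Addresses, ports and names are constructed."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

FiveTuple = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}


def established_acl(pkt: Packet) -> bool:
    """Stateless check: 'permit tcp any <inside> established' in IOS terms.
    It looks only at the flag bits in this one segment, so a crafted segment
    with ACK set passes even though no inside host ever opened the session."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})


class ReflexiveAcl:
    """Stateful check: each outbound packet installs a temporary reverse entry
    (the mirrored 5-tuple); inbound traffic is permitted only if it matches one.
    Works for UDP too, which has no 'established' bit at all."""

    def __init__(self) -> None:
        self.reverse: Set[FiveTuple] = set()

    def outbound(self, pkt: Packet) -> None:
        # Return traffic will arrive with src/dst and ports swapped
        self.reverse.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.reverse


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample name: (established_acl verdict, reflexive ACL verdict)}."""
    refl = ReflexiveAcl()
    # Constructed outbound sessions from inside hosts (10.0.0.0/8 is the inside here)
    refl.outbound(Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 443, frozenset({"SYN"})))
    refl.outbound(Packet("udp", "10.0.0.5", 50000, "203.0.113.53", 53))

    inbound = {
        # genuine reply to the HTTPS session the inside host opened
        "return_traffic": Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40001,
                                 frozenset({"SYN", "ACK"})),
        # unsolicited segment with ACK set toward a host that never talked outward
        "ack_without_session": Packet("tcp", "198.51.100.7", 12345, "10.0.0.9", 3389,
                                      frozenset({"ACK"})),
        # a brand-new connection attempt from the outside
        "inbound_syn": Packet("tcp", "198.51.100.7", 12346, "10.0.0.9", 22,
                              frozenset({"SYN"})),
        # DNS answer to the query the inside host sent
        "udp_reply": Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000),
    }
    return {name: (established_acl(p), refl.inbound(p)) for name, p in inbound.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:20s} established={stateless!s:5s} reflexive={stateful}")
```

Running the block prints one row per sample. The ack_without_session row is the case the answer has in mind when it says the established bit "could be spoofed": the stateless check passes it and only the session-tracking check drops it. The udp_reply row shows the other side of the trade: the established trick covers TCP only, so UDP replies need reflexive ACL (or NAT) state to get back in.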

Similar Messages

  • IS IPSEC FEATURE REQUIRED IN THE CUSTOMER EDGE ROUTER ?

    Hi folks,
    In the context of IP VPN (MPLS), does the customer edge router have to
    support IPsec?
    Thanks,
    ConceptZone

    Hi
    But most of the bankings always require additional security for their last mile connections. And IPSec is always their choice, but they need to upgrade all CEs in order to run IPSec.
    jasrine47
    http://ciscorouterconfig.blogspot.com/

  • Internet Edge Router and the Firewall

    What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?
    We want to pull more information from the edge router, like NetFlow. We can use SNMPv3 and ACLs to keep the router secure.
    But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.
    I am running an ASA and a 2821.

    I'd start with locking down the router configuration if you haven't already. Cisco Configuration Professional (free) offers a nice GUI for analyzing and delivering all the necessary commands to secure the router.
    Getting Netflow from your router doesn't add much more than getting it from your ASA.
    If you're querying through the firewall to the routers using SNMPv3 (and have deleted the v1/v2 communities) that's one good step. The only other thing I might suggest is sending syslogs to your management system from the router. To do that you'll need to add an access-list and probably a NAT entry to your firewall to allow the incoming syslog traffic.
    Most important beyond all the technology is to make sure that your people follow a process to regularly analyze and act upon the information being reported and gathered. Without that, all the rest isn't worth the time it takes to implement it.

  • Is it recommended to use HSRP or multiple default between Core Layer Switch and Customer Edge Router?

    My client is asking me for following
    Client is using a router as the edge device. 2 WAN links from different service providers (each 20 Mbps) are terminated on the router. There are internal servers present in the network. Client wants to make the setup such that even if one WAN link fails, Internet users should be able to access the web server. Moreover, if the edge router fails there should be a secondary edge device so that there is device redundancy.
    As per my understanding, in this scenario we need to do static one-to-one NATing (belonging to the WAN interface subnet). If we use two routers as customer edge and if we connect the core layer switch to these two routers, is it recommended to use HSRP/VRRP/GLBP, or two default routes on the core switch pointing to the two routers with equal AD value? We will also track the WAN link with the help of IP SLA.
    Which is the recommended solution: a router redundancy protocol or default routes?

    Just had another read of this post and some other points have come up.
    1) I assumed your secondary link was for redundancy but you talk about terminating both SP links on the same router in your first paragraph.
    Did you mean this or are you going to be terminating a link per router ?
    2) are you using the second router purely for backup ?
    3) something you didn't ask about but is relevant is the IP addressing. Are you using provider independent addressing or does each SP provide you with an address block.
    If it is the second then you are going to have an issue with the web server. The problem is which provider's IP do you use for the web server, i.e.
    if you use the primary provider IP then that will be the DNS record on the internet. If the primary router fails then the IP address will change on the secondary router but DNS will still be handing out the primary IP.
    If you enter both IPs (primary and secondary) into DNS then you would get load balancing but this means both links will be used and the secondary would not just be backup.
    In addition if one of the links fails then DNS does not know this so it will still be handing out the failed address as well as the address that is still up which means some connections will work and some won't.
    Jon

  • Security Router: Best and cheap recommendation for a home router (security bundled)

    Security Router: Best and cheap recommendation for a home router (security bundled), to practice commands and all CCSP configurations.
    Wireless needed, 802.11N preferred
    Looking for the all in an appliance solution, and maybe compatible with future Unified Communications acquisition like a UC500 maybe...
    Please, please, please...

    At the moment checking these two options:
    SR520W-FE-K9
    CISCO881W-GN-A-K9
    Fast Ethernet

  • Looking for config example for qos marking on IOS edge router for UCCE

    I was going through the UCCE SRND for QoS config and found the following sample; I'm wondering if someone can provide a tested config example to configure QoS on the edge router for UCCE.
    access-list 100 permit tcp host Public_High_IP any
    access-list 100 permit tcp any host Public_High_IP
    access-list 101 permit tcp host Public_NonHigh_IP any
    access-list 101 permit tcp any host Public_NonHigh_IP
    Second, classify the traffic using a class map:
    class-map match-all ICM_Public_High
    match access-group 100
    class-map match-all ICM_Public_Low
    match access-group 101
    policy-map ICM_Public_Marking
    class ICM_Public_High
    set ip dscp af31
    class ICM_Public_Low
    set ip dscp af11
    Finally, apply the marking policy to the incoming interface:
    interface mod/port
    service-policy input ICM_Public_Marking

    If you're going to use only two queues, and if you want to guarantee the one queue 35% of your egress bandwidth, you need to assign your two queues the ratio of 65:35; you'll need to adjust the four queue percentages to provide those two queues the same ratio.  Ideally you'll want something like share 0 65 35 0, but if you cannot assign zero, something like 40 13 7 40, 20 39 21 20, 10 52 28 10 should do.

  • Deny ICMP to Edge Router

    I am looking for an ACL I can put on my edge router to deny ICMP and telnet to my WAN port. The network has an internal firewall that is protecting the network but I think I should also deny access to my router from the outside. thanks in advance

    Along with Jorge's link, here's an ACL that conforms to DIACAP certification.
    ip access-list extended [ACL Name]
    remark Allow BGP
    permit tcp host [BGP Neighbor] eq bgp host [Local BGP Interface]
    permit tcp host [BGP Neighbor] host [Local BGP Interface] eq bgp
    remark Deny Historical Broadcast
    deny ip 0.0.0.0 0.255.255.255 any log
    remark Broadcast
    deny ip host 255.255.255.255 any log
    remark Local Host
    deny ip 127.0.0.0 0.255.255.255 any log
    remark Private Network
    deny ip 10.0.0.0 0.255.255.255 any log
    remark Link Local Networks
    deny ip 169.254.0.0 0.0.255.255 any log
    remark Test Net
    deny ip 192.0.2.0 0.0.0.255 any log
    remark Private Network
    deny ip 192.168.0.0 0.0.255.255 any log
    remark Class D Reserved
    deny ip 224.0.0.0 15.255.255.255 any log
    remark Class E Reserved
    deny ip 240.0.0.0 15.255.255.255 any log
    remark Private Network
    deny ip 172.16.0.0 0.15.255.255 any log
    remark HP Printer Default IP Address
    deny ip 192.0.0.0 0.0.0.255 any log
    remark IANA NS Lab
    deny ip 192.0.127.0 0.0.0.255 any log
    remark IANA Reserved
    deny ip 192.0.0.0 0.0.0.128 any log
    remark Unallocated / IANA Reserved
    deny ip 1.0.0.0 0.255.255.255 any log
    deny ip 2.0.0.0 0.255.255.255 any log
    deny ip 5.0.0.0 0.255.255.255 any log
    deny ip 7.0.0.0 0.255.255.255 any log
    deny ip 23.0.0.0 0.255.255.255 any log
    deny ip 27.0.0.0 0.255.255.255 any log
    deny ip 31.0.0.0 0.255.255.255 any log
    deny ip 36.0.0.0 0.255.255.255 any log
    deny ip 37.0.0.0 0.255.255.255 any log
    deny ip 39.0.0.0 0.255.255.255 any log
    deny ip 42.0.0.0 0.255.255.255 any log
    deny ip 77.0.0.0 0.255.255.255 any log
    deny ip 78.0.0.0 0.255.255.255 any log
    deny ip 79.0.0.0 0.255.255.255 any log
    deny ip 92.0.0.0 0.255.255.255 any log
    deny ip 180.0.0.0 0.255.255.255 any log
    deny ip 197.0.0.0 0.255.255.255 any log
    deny ip 255.0.0.0 0.255.255.255 any log
    remark Inbound from Own Subnet
    deny ip [Your Public Address Space] any log
    remark Block Traceroute
    deny ip any any option traceroute log
    deny tcp any any eq 27665 log
    deny udp any any eq 31335 log
    deny udp any any eq 27444 log
    deny udp any any eq 31337 log
    deny udp any any eq 31338 log
    deny tcp any any eq 16660 log
    deny tcp any any eq 65000 log
    deny tcp any any eq 33270 log
    deny tcp any any eq 39168 log
    deny tcp any any eq 47017 log
    deny tcp any any range 6711 6712 log
    deny tcp any any eq 6776 log
    deny tcp any any eq 6669 log
    deny tcp any any eq 2222 log
    deny tcp any any eq 7000 log
    deny tcp any any eq 65301 log
    remark Allow Specific ICMP
    permit icmp any host [Local Host for ICMP] echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    remark Deny all other ICMP
    deny icmp any any log
    remark Allow Traffic to Public Network
    permit ip any [Your Public Address Space]
    remark Deny all other Traffic
    deny ip any any log
    This does change occasionally, the most recent version is always at
    http://kb.packetpros.com/?View=entry&EntryID=10
    HTH

  • Traffic Policing on Service Provider Edge router.

    Hi,
    I'm confused about the traffic policing on service provider edge router. Suppose I have taken internet bandwidth from my ISP and he says that they will give me 100 Mbps bandwidth burstable upto 1Gbps. What does that mean? what is burstable here?
    I would appreciate if anyone from a service provider organization can give the output of their edge router's running config. I just have to understand how they police our traffic. Here I'm talking about Internet leased lines.

    This is probably something you will have to get your service provider to answer. Different service providers use the term burst in a different context. Some SPs are "nice" and will set up no policer or shaper and will purely monitor the link for fair use, allowing you to exceed what you have purchased as long as you don't abuse the privilege. Other service providers may set up a dual-rate policer with a CIR and a PIR to achieve the same. A third scenario is as explained above, where the SP will set up a policer for 100 Mb/s and then calculate the burst value at 1/8 of a second (or less in some cases), which allows your traffic to burst to full line rate for that time slice.
    There are other scenarios, but the point I'm trying to make is that service providers don't all do this the same way, which is why you should ask them what they mean and how long your traffic would be allowed to burst to line rate.
    PJ

  • Should I block icmp on my edge router or my firewall?

    Originally, we were blocking icmp traffic on our edge router (2811), but recently we changed this to block on the firewall (ASA) instead. I've been told that blocking on the router would cause too much overhead on the router, since it's now having to inspect all traffic, and the firewall was better equipped for this.
    What is industry standard? What does Cisco recommend?

    Something like this, although I would recommend posting this to the firewall forum for confirmation.
    ! deny non-initial ICMP Fragments
    access-list 101 deny icmp any any fragments
    ! permit "dest unreachable" messages
    access-list 101 permit icmp any any 3
    ! permit "Time exceeded" message
    access-list 101 permit icmp any any 11
    ! permit "source quench" message
    access-list 101 permit icmp any any 4
    ! permit "parameter problem" message
    access-list 101 permit icmp any any 12
    ! permit "echo reply" messages
    access-list 101 permit icmp any any 0
    ! deny all other icmp
    access-list 101 deny icmp any any
    You might consider tightening up the destination unreachables too. They would look something like this for each type and code you want to allow:
    ! permit "dest unreach - port unreach" messages
    access-list 101 permit icmp any any 3 3
    see here:
    http://www.iana.org/assignments/icmp-parameters
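As an added illustration (not part of the thread and not IOS code), the Python block below parses the ICMP ACL posted above, evaluates constructed sample packets with first-match semantics and the IOS rule for non-initial fragments, and compares three variants: the ACL as posted, the tightened "3 3" (port unreachable only) version the answer suggests, and the same ACL with the leading fragments entry removed. The parser only understands the "any any" form used in the post.

```python
"""Added example for this page (not from the thread, not IOS code): a
first-match evaluator for the IOS-style ICMP ACL posted above, including the
documented IOS handling of non-initial fragments, used to compare the posted
ACL, the tightened '3 3' variant, and a variant without the fragments line."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    icmp_type: Optional[int]     # None when the entry carries no type/code
    icmp_code: Optional[int]
    fragments: bool              # IOS 'fragments' keyword: non-initial fragments only


@dataclass(frozen=True)
class IcmpPacket:
    icmp_type: Optional[int]     # None for a non-initial fragment (no ICMP header)
    icmp_code: Optional[int]
    non_initial_fragment: bool = False


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list <n> <action> icmp any any [type [code] | fragments]' lines."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):        # blank or IOS comment
            continue
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "icmp" or tok[4:6] != ["any", "any"]:
            raise ValueError(f"unsupported entry for this toy parser: {line}")
        action, rest = tok[2], tok[6:]
        if rest == ["fragments"]:
            aces.append(Ace(action, None, None, True))
        else:
            t = int(rest[0]) if len(rest) > 0 else None
            c = int(rest[1]) if len(rest) > 1 else None
            aces.append(Ace(action, t, c, False))
    return aces


def evaluate(aces: List[Ace], pkt: IcmpPacket) -> str:
    """First match wins; an ACL ends with an implicit deny."""
    for ace in aces:
        if ace.fragments:
            if pkt.non_initial_fragment:
                return ace.action
            continue
        has_l4 = ace.icmp_type is not None
        if pkt.non_initial_fragment:
            # Documented IOS rule: an entry without L4 info matches a non-initial
            # fragment; an entry with L4 info permits it if it is a 'permit' and is
            # skipped if it is a 'deny', because the fragment has no type/code to check.
            if not has_l4 or ace.action == "permit":
                return ace.action
            continue
        if has_l4 and ace.icmp_type != pkt.icmp_type:
            continue
        if ace.icmp_code is not None and ace.icmp_code != pkt.icmp_code:
            continue
        return ace.action
    return "deny"


# The ACL as posted in the thread
POSTED_ACL = """
! deny non-initial ICMP Fragments
access-list 101 deny icmp any any fragments
! permit "dest unreachable" messages
access-list 101 permit icmp any any 3
! permit "Time exceeded" message
access-list 101 permit icmp any any 11
! permit "source quench" message
access-list 101 permit icmp any any 4
! permit "parameter problem" message
access-list 101 permit icmp any any 12
! permit "echo reply" messages
access-list 101 permit icmp any any 0
! deny all other icmp
access-list 101 deny icmp any any
"""

# The tightening the answer suggests: only type 3 code 3 (port unreachable)
TIGHT_ACL = POSTED_ACL.replace("permit icmp any any 3\n", "permit icmp any any 3 3\n")

# Same ACL without the leading fragments entry, to show what that line buys
NO_FRAG_ACL = "\n".join(l for l in POSTED_ACL.splitlines() if "fragments" not in l.lower())

# Constructed sample packets: (type, code) per the IANA ICMP parameters registry
SAMPLES = {
    "port_unreachable": IcmpPacket(3, 3),
    "host_unreachable": IcmpPacket(3, 1),
    "time_exceeded": IcmpPacket(11, 0),
    "echo_reply": IcmpPacket(0, 0),
    "echo_request": IcmpPacket(8, 0),
    "non_initial_fragment": IcmpPacket(None, None, non_initial_fragment=True),
}


def run_comparison() -> Dict[str, Tuple[str, ...]]:
    """Verdict per sample for (posted ACL, tightened ACL, ACL without fragments line)."""
    acls = [parse_acl(POSTED_ACL), parse_acl(TIGHT_ACL), parse_acl(NO_FRAG_ACL)]
    return {name: tuple(evaluate(a, p) for a in acls) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name:22s} posted={verdict[0]:6s} tight={verdict[1]:6s} no_frag={verdict[2]}")
```

The host_unreachable row is the point of the "3 3" tightening: the posted entry admits every destination-unreachable code, the tightened one admits only port unreachable. The non_initial_fragment row shows why the post's first line is there: without it, the first permit entry with type information lets a non-initial fragment through, because there is no ICMP header in it to check against.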

  • Internet edge router & IPS

    I am looking for some recommended settings or pointers for what to enable on an Internet facing edge router (ISR). Currently the defaults have pretty much been accepted with regards to the IPS setup. The router was configured initially from the CLI and I am happy with this part, but all the IPS stuff was configured from SDM. At the moment it just reports for the 338 default enabled Signatures, however it can be configured to react (drop or reset connections). I am just looking for some recommendations or pointers as to what should be enabled.
    I have noticed a performance hit with IPS enabled but nothing too bad, the main bottleneck is the ISP link.
    Thanks
    Andy

    Andy,
    Generally, Cisco only denies packets for the signatures which correspond to the attack sig section; also, many of those would only be sending a log message rather than denying the packet. This is done to keep only the relevant signatures enabled and dropping traffic, and to avoid false positives. For most networks, these settings would be good enough. Integrating an IPS solution into your network is an ongoing process rather than a one-time implementation. You would need to keep an eye on the events and change the signatures accordingly for a typical cycle of 2 months. So, if you see an event which refers to an ongoing attack, enable the sig. At other times, keep it disabled, as it would save a lot of CPU/memory cycles on the IPS (and would avoid a performance bottleneck).

  • WRT300N Router: Security settings on but no security light.

    I have a WRT300N v1.1 with the most recent firmware (v.1.51.2) and my security settings are mixed network mode, wide radio band, wide channel 9, standard channel 11, using WPA personal in tkip, with SPI firewall enabled, and SSID broadcasting off.
    My security light is not on even though my security settings are in effect.

    It is interesting how different tech support people give different answers. One guy tells me it's broken and another told me that it's not used. What was also weird was that even the tech support people don't know what buttons, lights, and features the WRT300N had. They didn't know it didn't have SecureEasySetup. Tech support told me that it is okay that the light is off. In fact, it's supposed to be part of SecureEasySetup (SES), which the WRT300N does not have. Basically, they put a light on the router that wouldn't be used. So, just check that your security is on in the browser-based configuration page (which you can find by putting 192.168.1.1 in your address bar and pressing enter). If it says your security is active you are okay and the light being off is no issue. Although, I'm totally flabbergasted why they would put a light there that wouldn't be used. If you notice, the WRT300N has a black button on top that has a padlock on it and the word reserved around it. There are two differing accounts for the use of this button. Tech support told me that you press it to back up your router settings (I'm too scared to try this) and I found on the forums that it's "reserved" for some future use. I think that when they upgrade the firmware, the button may be put to use for SecureEasySetup, but at the moment it's of no use. I hope that helped. This router has been a source of so much annoyance and hardship, but it's working fine now.

  • Create password -router security

    Model BEFW11S4 wireless router, set up by my daughter a couple years ago, with no password. I've read that access passwords are wise for security, and to prevent your neighbors from using your connection. I have ZoneAlarm firewall and AVG antivirus, but apparently my router should also require a password for extra security?
    The router was set up on a Windows 98 computer, and replacement XP has been connected for a year w/no problems. I tried the web utility, but it didn't accept 191.168.1.1 password. The window to enter password wasn't the "XP" window, so maybe using a different computer than used for original setup is the problem?
    Also saw "firmware upgrades" mentioned, and don't know what this is about. Any advice regarding need for password, proper security settings, and how to do them would be greatly appreciated. Thanks for your time.

    For changing any settings on the router, follow these steps:
    1) Connect the computer to the router.
    2) Open IE and go to http://192.168.1.1. On the login screen, keep the username blank; the default password is "admin". If it does not accept this, it means the router password was changed at some time.
    3) If you do not remember the password, reset the router for 30 seconds and do a power cycle. Try "admin" in the password again.
    4) Get to the router UI, go to the "Wireless" tab and click on the "Wireless Security" subtab. You can set up a security mode from here.
    5) For changing the router login password, go to the "Administration" tab and change it.
    6) If you have a different kind of screen from what I am talking about, you will find the wireless security settings on the setup page itself, and for changing the router password, click on the "Password" tab and change it.

  • HomeHub2 as Modem with Third Party Router, Securit...

    Okay, I've configured my Home Hub to be set as a router and connected a Belkin G Plus MIMO router as the third party router. Connection and everything is fine, but there's one problem...
    Security: there is no security protecting my wireless network, which means everyone can access my network, which is bad.
    When I try accessing the third party router (Belkin router) I'm forwarded to the BT Home Hub control panel page...
    Any help? I need protection on my wireless!
    Kind Regards, Bert

    Hi Bert,
    What you will need to do is manually change your Network Adaptor to an address in the 192.168.2.2-255 range. Set the gateway to 192.168.2.1 and try and access your third party router again. Then enable the DHCP Server on the LAN interface of your Belkin router.
    Don't forget that you have to be connecting through your Belkin router in order to use it properly like Computer - Belkin - Homehub, not Computer - Hub - Belkin otherwise it will just ignore the additional router (Belkin).
    You will also need to add a Static Route on the Belkin and set the Destination network to 192.168.1.0/24 and set the gateway to 192.168.1.254 in order to access the internet and Homehub. This will need to be set on the WAN interface.
    I hope this helps.

  • Wireless Router Security Setup

    Sorry in advance if this is a stupid question but I am fairly new to my mac. (love it by the way)
    We have DSL at home and recently bought a Belkin Wireless G router. I put in the cd that came with it and selected the Mac option for install. Now, after this it took only a few seconds and was done. All connected and up and running in nothing flat. My wife was able to connect via her PC laptop no problem.
    I want to secure this wireless connection and I can't quite figure out how. Oddly enough there is no Belkin icon for me to click on to get into any properties. When I type belkin into my spotlight search nothing comes up. I assume I should be setting up the security directly on my mac somehow but just not sure how.???
    Have tried reading and searching but still can't find anything. Right now I am assuming my question is just too simple so no one else has this problem but I just can't get my pea sized intellect to figure it out.
    Thanks All!

    Well, you do have Security on your Mac, but what you want is to address the router's Setup page
    Run Safari and type this into the url bar...
    http://192.168.2.1
    You should see a Menu there.
    Come to think of it, this is probably the best source on how to...
    http://www.portforward.com/english/routers/wireless/routerindex.htm
    I think this might be your Router.
    http://www.portforward.com/english/routers/wireless/Belkin/F5D7230-4/F5D7230-4index.htm

  • Router security doesn't seem to work

    I am using ADF security in Jdeveloper 11.1.1.3. I have a startpage in which i am executing a query that needs a bind variable. This bind variable depends on user information, so I want the user to log in first, then get the information, and use the router to determine whether a bind variable should be set, and route through a filteractivity or not. This all works, except for the security part. I have secured the page as well as the router activity, but still the router code is executed before I get a login page. Even better: when my startpage is NOT secured I never get a login page at all, even though i secured my router.
    What's the use of securing my router if it is not working?

    Well, there are no bounded taskflows in my application so far, just an unbounded one. I tried creating a bounded taskflow, but the problem I got there is that I have to be able to navigate to any page in the unbounded taskflow from the bounded one, and I understood that the point in the unbounded taskflow you entered the bounded taskflow is also the point you end up when you exit it.
    > However, ADF Security provides the tooling for you to enforce security on other parts as well.
    By this you mean the solution I suggested myself ? Have the router check for authentication itself and redirect to a login page?
    I can't enforce that someone always passes the router-filter combination when going to certain pages can I? I have a page with id rr_start in an unbounded taskflow so it is available on /rr_start, and when I use this url the router-filter combi is bypassed. Is there a solution for this?
