Cisco Switches/Router Layer 3 Security

styxmx

　　1. Enable secure Telnet access to a router user interface, and consider using Secure Shell (SSH) instead of Telnet.
　　2. Enable SNMP security, particularly adding SNMPv3 support.
　　3. Turn off all unnecessary services on the router platform ( AutoSecure ).
　　4. Turn on logging to provide an audit trail.
　　5. Enable routing protocol authentication.
　　6. Enable the CEF forwarding path to avoid using flow-based paths like fast switching.
　　7. Using RPF Checks
　　example:
　　R1(config)# ip cef
　　R1(config)# int s0/0
　　R1(config-if)# ip verify unicast source reachable-via rx allow-default
　　8. Using ACL to prevent TCP SYN Flood from outside
　　example:
　　ip access-list extended prevent-syn
　　permit tcp any 10.0.0.0 0.255.255.255 established
　　deny tcp any 1.0.0.0 0.255.255.255
　　permit (whatever)
　　!

　　interface s0/0  # Internet>　　ip access-group prevent-syn in

　　Notes: The above ACL works well when clients outside a network are not allowed to make TCP connections into the network. However, in cases where some inbound TCP connections are allowed, this ACL cannot be used. Another Cisco IOS feature, called TCP intercept, provides an>　　example:
　　ip access-list extended match-tcp-from-internet
　　permit tcp any 10.0.0.0 0.255.255.255
　　ip tcp intercept-list match-tcp-from-internet
　　ip tcp intercept mode watch
　　ip tcp intercept watch-timeout 20
　　9.Cisco IOS Firewall CBAC
　　example:
　　ip inspect name>

　　ip inspect name>
　　ip inspect name>　　!
　　ip access-list extended IOS_FW
　　deny ip any any
　　!

　　interface Serial0/0  #Internet>　　ip address 192.168.1.3 255.255.255.0
　　ip access-group IOS_FW in

　　ip inspect>　　!
　　10. Cisco IOS Zone-Based Firewall
　　example:

　　In this example, the network administrators have decided to apply the following policies to traffic from the LAN zone going through the WAN zone:
　　■ Only traffic from the LAN subnet is allowed.
　　■ HTTP traffic to corporate web-based intranet servers is allowed.
　　■ All other HTTP traffic is allowed but policed to 1 Mbps.
　　■ ICMP is blocked.
　　■ For all other traffic, the TCP and UDP timeouts must be lowered to 300 seconds.
　　Follow these steps to configure ZFW:
　　Step 1: Decide the zones you will need, and create them on the router.
　　Branch1(config)# zone security LAN
　　Branch1(config-sec-zone)# description LAN zone
　　!
　　Branch1(config)# zone security WAN
　　Branch1(config-sec-zone)# description WAN zone
　　Step 2: Decide how traffic should travel between the zones, and create zone-pairs on the router.
　　Branch1(config)# zone-pair security Internal source LAN destination WAN
　　Branch1(config)# zone-pair security External source WAN destination LAN

　　Step 3: Create>　　Branch1(config)# ip access-list extended LAN-Subnet
　　Branch1(config-ext-nacl)# permit ip 10.1.1.0 0.0.0.255 any
　　!
　　Branch1(config-ext-nacl)# ip access-list extended Web_Servers
　　Branch1(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.150.2.1
　　Branch1(config-ext-nacl)# permit tcp 10.1.1.0 0.0.0.255 host 10.150.2.2
　　!
　　Branch1(config-ext-nacl)# class-map type inspect match-all Corp_Servers
　　Branch1(config-cmap)# match access-group name Web_Servers
　　Branch1(config-cmap)# match protocol http
　　!
　　Branch1(config-cmap)# class-map type inspect Other_HTTP
　　Branch1(config-cmap)# match protocol http
　　Branch1(config-cmap)# match access-group name LAN_Subnet
　　!
　　Branch1(config-cmap)# class-map type inspect ICMP
　　Branch1(config-cmap)# match protocol icmp
　　!
　　Branch1(config-cmap)# class-map type inspect Other_Traffic
　　Branch1(config-cmap)# match access-group name LAN_Subnet
　　Branch1(config)# parameter-map type inspect Timeouts
　　Branch1(config-profile)# tcp>
　　Branch1(config-profile)# udp>

　　Step 4: Assign policies to the traffic by creating policy maps and associating>　　Branch1(config-profile)# policy-map type inspect LAN2WAN
　　Branch1(config-pmap)# class type inspect Corp_Servers
　　Branch1(config-pmap-c)# inspect
　　!
　　Branch1(config-pmap-c)# class type inspect Other_HTTP
　　Branch1(config-pmap-c)# inspect
　　Branch1(config-pmap-c)# police rate 1000000 burst 8000
　　!
　　Branch1(config-pmap-c)# class type inspect ICMP
　　Branch1(config-pmap-c)# drop
　　!
　　Branch1(config-pmap-c)# class type inspect Other_Traffic
　　Branch1(config-pmap-c)# inspect Timeouts
　　Step 5: Assign the policy maps to the appropriate zone-pair.
　　Branch1(config)# zone-pair security Internal source LAN destination WAN
　　Branch1(config-sec-zone-pair)# service-policy type inspect LAN2WAN
　　Step 6: Assign interfaces to zones. An interface may be assigned to only one security zone.
　　Branch1(config)# interface fa 0/0
　　Branch1(config-if)# zone-member security LAN
　　!
　　Branch1(config-if)# interface s0/0/0
　　Branch1(config-if)# zone-member security WAN