- Implement RFC1918 (Private Address Space), RFC2827 (Network Ingress Filtering), and bogon Filtering (filtering unassigned address spaces).
- Drop fragmented traffic
- Implement Authentication, Authorization, and Accounting (AAA).
- Implement management console access restrictions using AAA and ACLs.
- Harden the routing protocols
- Implement ACLs to restict SNMP access.
- Implement flood management through the use of traffic shaping, Quality of Service (QoS), and Weighted Fair Queuing (WFQ), on routers that support it.
- Remove all unnecessary services.
- Implement logging with syslog, SNMP traps and accounting.
- Drop directed broadcasts.
- Implement anti-spoofing. Don't allow your internal IP range to be the source address of packets arriving on the external interface.
- Prevent source routing.
- Prevent ICMP redirects.
- For your Cisco routers, implement Cisco Express Forwarding(CEF) to handle SYN floods.
- Ensure that you are running the latest stable software version to prevent being susceptible to threats that have been patched or updated.
- If your router has the horsepower to support it, implement the first line of traffic to allow only traffic that should be traversing the network edge through the use of ACLs, or in the case of Cisco routers running the IOS firewall feature set and using Context Based Access Control (CBAC).
Thursday, June 25, 2015
Steps to Harden your External Router
Subscribe to:
Posts (Atom)