Securing a network is as much a question of securing the devices on the network as of securing the network with some sort of perimeter security device, such as a firewall. Our previous tip covered securing hosts. This tip, excerpted from Managing IP Networks with Cisco Routers, by Scott M. Ballew, discusses some of the things that you can do to secure routers.
Unlike providing good host security for a time-share system, securing a router is not so straightforward. What you can do is limited to what your vendor supplies; you can't add your own security software on top of it. Typically, access will be password protected, but passwords are only as secure as you make them. You can seldom replace this password system with something more secure. One thing you can do is restrict access to the router to as small a subset of your network as possible. Ideally, it should only be accessible from your staff's workstations and your management station. This is one place where a router's packet filtering capabilities may be appropriate. For example, if your staff workstations are all on 172.16.24.0/24, and the only machines on that network are your staff workstations, you can configure the Cisco IOS to restrict Telnet access to the router with these commands:
access-list 1 permit 172.16.24.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
This configuration tells the router that all attempts to gain inbound access to virtual terminals (used for Telnet) 0 through 4 must come from a source address that passes access list 1. While this still suffers from the possibility of IP address spoofing, you have weeded out a large class of casual attackers. By the way, you should make sure that you apply the same access list to all of the virtual terminals on a router. You cannot predict which will be used by an inbound Telnet session. Similar controls can be used on other network equipment.
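To make concrete what the wildcard mask and the vty access-class actually decide, here is an added Python example (not from the book, and not Cisco's code) that parses the commands above from a constructed config string and answers whether a given source address would be accepted on a given vty line. It treats a vty line that has no access-class as open to everyone, which is exactly the gap the paragraph warns about, and it does not handle the `any` or `host` keywords of standard access lists.

```python
import ipaddress
import re

# Constructed sample: the commands from the text, as they appear in a running config.
SAMPLE_CONFIG = """\
access-list 1 permit 172.16.24.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
"""

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must equal the base, a 1 bit is 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF                      # bits the list entry actually checks
    return (a & keep) == (b & keep)

def parse_standard_acls(config):
    """Numbered standard access-list entries, keyed by list number, in config order."""
    acls = {}
    for line in config.splitlines():
        if (m := re.match(r"\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?\s*$", line)):
            num, action, base, wild = m.groups()
            # a bare address with no wildcard means that single host (wildcard 0.0.0.0)
            acls.setdefault(int(num), []).append((action, base, wild or "0.0.0.0"))
    return acls

def vty_access_lists(config):
    """Map each vty line number to the access-list applied inbound with access-class."""
    applied, current = {}, []
    for line in config.splitlines():
        if (m := re.match(r"\s*line vty (\d+)(?:\s+(\d+))?\s*$", line)):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            current = range(lo, hi + 1)          # 'line vty 0 4' covers lines 0..4
        elif (m := re.match(r"\s*access-class (\d+) in\s*$", line)):
            applied.update({vty: int(m.group(1)) for vty in current})
    return applied

def vty_permits(config, vty, src):
    """Would a Telnet session from src be accepted on vty line 'vty'? A line with no
    access-class is open to everyone; a list with no matching entry ends in the implicit deny."""
    applied = vty_access_lists(config)
    if vty not in applied:
        return True
    for action, base, wild in parse_standard_acls(config).get(applied[vty], []):
        if wildcard_match(src, base, wild):
            return action == "permit"
    return False
```

Asking `vty_permits(SAMPLE_CONFIG, 5, "10.0.0.1")` returns True, which is the point of applying the list to every vty line the router has, not just 0 through 4.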
This was first published in June 2002