Securing routers

Securing a network is as much a question of securing the devices on the network as of securing the network with some sort of perimeter security device, such as a firewall. Our previous tip covered securing hosts. This tip, excerpted from Managing IP Networks with Cisco Routers, by Scott M. Ballew, discusses some of the things that you can do to secure routers.

Unlike providing good host security for a time-share system, securing a router is not so straightforward. What you can do is limited to what your vendor supplies; you can't add your own security software on top of it. Typically, access will be password protected, but passwords are only as secure as you make them. You can seldom replace this password system with something more secure. One thing you can do is restrict access to the router to as small a subset of your network as possible. Ideally, it should only be accessible from your staff's workstations and your management station. This is one place where a router's packet filtering capabilities may be appropriate. For example, if your staff workstations are all on, and the only machines on that network are your staff workstations, you can configure the Cisco IOS to restrict Telnet access to the router with these commands:

access-list 1 permit
line vty 0 4
  access-class 1 in

This configuration tells the router that all attempts to gain inbound access to virtual terminals (used for Telnet) 0 through 4 must come from a source address that passes access list 1. While this still suffers from the possibility of IP address spoofing, you have weeded out a large class of casual attackers. By the way, you should make sure that you apply the same access list to all of the virtual terminals on a router. You cannot predict which will be used by an inbound Telnet session. Similar controls can be used on other network equipment.
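The caveat above (every vty must carry the same access-class, because you cannot predict which one an inbound session lands on) is easy to verify mechanically. The following audit script is an added example, not code from the book or from TechTarget: it parses the text of an IOS-style running-config, collects the numbered access-lists, and reports any vty range that has no inbound access-class, references an undefined list, or references a list that permits any source, as well as vty numbers that appear in no `line vty` block at all. The configuration samples are constructed for this example (192.0.2.0/24 is a documentation range, not the network from the tip), and the line-format assumptions (one-space indentation of sub-commands, standard numbered access-lists only) are the author's own simplification of the IOS syntax.

```python
"""
Audit an IOS-style configuration for vty lines that lack a restrictive
inbound access-class.  Added example, not from the book or TechTarget.
Assumes: sub-commands are indented with a leading space, and only
standard numbered access-lists (access-list N permit|deny ...) are used.
"""
import re
from dataclasses import dataclass
from typing import Optional

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
VTY_RE = re.compile(r"^line vty\s+(\d+)(?:\s+(\d+))?$")
CLASS_RE = re.compile(r"^access-class\s+(\S+)\s+in$")


@dataclass
class VtyRange:
    first: int
    last: int
    access_class: Optional[str] = None  # ACL number applied with "access-class N in"


def parse_config(text):
    """Return (acls, vty_ranges): acls maps ACL number -> [(action, match), ...]."""
    acls = {}
    ranges = []
    current = None  # the "line vty" block whose sub-commands we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
            current = None
        elif (m := VTY_RE.match(line)):
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = VtyRange(first, last)
            ranges.append(current)
        elif raw.startswith(" ") and current is not None:
            if (m := CLASS_RE.match(line)):
                current.access_class = m.group(1)
        else:
            current = None  # any other top-level command ends the vty block
    return acls, ranges


def audit_vty(text, vty_count=5):
    """Return a list of findings; an empty list means vty 0..vty_count-1 are all restricted."""
    acls, ranges = parse_config(text)
    findings = []
    for r in ranges:
        label = f"vty {r.first}" if r.first == r.last else f"vty {r.first} {r.last}"
        if r.access_class is None:
            findings.append(f"{label}: no inbound access-class")
            continue
        entries = acls.get(r.access_class)
        if entries is None:
            findings.append(f"{label}: access-class {r.access_class} references an undefined access-list")
            continue
        if any(action == "permit" and match == "any" for action, match in entries):
            findings.append(f"{label}: access-list {r.access_class} permits any source")
    # vty numbers that no "line vty" block mentions are unrestricted by omission
    unconfigured = [n for n in range(vty_count)
                    if not any(r.first <= n <= r.last for r in ranges)]
    if unconfigured:
        findings.append(f"vty lines not configured at all: {unconfigured}")
    return findings


# Constructed samples; 192.0.2.0/24 is a documentation range.
GOOD_CONFIG = """\
access-list 1 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 1 in
 login
"""

BAD_CONFIG = """\
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 2 permit any
line vty 0
 access-class 1 in
 login
line vty 1 3
 access-class 2 in
 login
line vty 4
 login
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_vty(cfg) or "OK")
```

Feed it the output of `show running-config` saved to a file; a clean result is an empty list. The `permit any` check exists because an access-class that matches every source satisfies the letter of "apply an access-class to every vty" while providing none of the restriction the tip is after.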

This was first published in June 2002
