Re: [SLUG] cisco router/wireless security

From: Chris Mathey (slug@mathey.org)
Date: Thu Jan 12 2006 - 00:33:00 EST


Darrin Jones wrote:
> OK, hopefully this might benefit/entertain others. Else I can take it
> off-list if need be.
>
> So, I'm working on my CCNA (From the books/net, no class. =( )and I just
> redid my network. The config I have is working and an nmap scan of the
> outside (cable modem) interface shows all ports filtered. However, I added a
> wireless router onto the 806 instead of running it separate and I'm guessing
> I've probably missed a big hole somewhere. Like presenting 2 interfaces to
> the world instead of one. Albeit one is non-routable. Yes, I realize NTP
> might be a problem. I tried to set no login on the vty's but it (I) messed
> up AAA somehow doing that.
>
> I have 128 bit WEP on the wireless. I don't broadcast the SSID and the ports
> are filtered there as well. I guess my question is do I need a policy on the
> inside cisco interface? Is my idea correct that the 806 can be a DMZ after I
> connect the other routers? Or am I getting way past myself here LOL.
>
> Right now it looks like this. I will be attaching a 2503, 2505 and 1924
> later to practice on. Also, I'm getting Prelude-IDS (Nagios, Nessus, Snort,
> Samhain) set up on the .2 linux box.
>
> Thanks,
>
> Darrin
>
>
> Internet (cable) --- (DHCP) cisco 806 (192.168.0.1) --- (.2,.3)
> |
> |
> (192.168.0.4)
> netgear wireless
> (192.168.1.1)
> |
> |
> (wireless hosts)
>
>
> Here is the config:
>
> Using 7260 out of 131072 bytes
> version 12.3
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname cerberus
> !
> boot-start-marker
> boot-end-marker
> !
> security authentication failure rate 2 log
> security passwords min-length 11
> logging console critical
> logging monitor informational
> enable secret 5 XXXXXXXXXXXXXXXXXXXXXXX
> !
> aaa new-model
> !
> !
> aaa authentication login local_auth local
> aaa session-id common
> ip subnet-zero
> no ip source-route
> no ip gratuitous-arps
> ip dhcp excluded-address 192.168.0.1 192.168.0.4
> !
> ip dhcp pool CLIENT
> network 192.168.0.0 255.255.255.0
> default-router 192.168.0.1
> lease 0 2
> !
> !
> ip domain name XXXXXXXXXXXXXXXXXXX
> ip host elektra 192.168.0.2
> ip host lumi 192.168.0.3
> ip host wgt624 192.168.0.4
> no ip bootp server
> ip cef
> ip inspect audit-trail
> ip inspect udp idle-time 1800
> ip inspect dns-timeout 7
> ip inspect tcp idle-time 14400
> ip inspect name autosec_inspect cuseeme timeout 3600
> ip inspect name autosec_inspect ftp timeout 3600
> ip inspect name autosec_inspect http timeout 3600
> ip inspect name autosec_inspect rcmd timeout 3600
> ip inspect name autosec_inspect realaudio timeout 3600
> ip inspect name autosec_inspect smtp timeout 3600
> ip inspect name autosec_inspect tftp timeout 30
> ip inspect name autosec_inspect udp timeout 15
> ip inspect name autosec_inspect tcp timeout 3600
> ip ips po max-events 100
> ip ssh time-out 60
> ip ssh authentication-retries 2
> login block-for 5 attempts 5 within 5
> no ftp-server write-enable
> !
> !
> username XXX secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
> !
> !
> !
> !
> !
> interface Ethernet0
> description LAN Interface
> ip address 192.168.0.1 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat inside
> ip virtual-reassembly
> no cdp enable
> hold-queue 32 in
> !
> interface Ethernet1
> description WAN Interface
> ip address dhcp client-id Ethernet1
> ip access-group autosec_complete_bogon in
> ip verify unicast source reachable-via rx allow-default 100
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip inspect autosec_inspect out
> ip virtual-reassembly
> no cdp enable
> !
> ip classless
> no ip http server
> no ip http secure-server
> ip dns server
> ip nat inside source list 102 interface Ethernet1 overload
> !
> !
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any
> ip access-list extended autosec_complete_bogon
> permit icmp any any administratively-prohibited
> permit icmp any any echo
> permit icmp any any echo-reply
> permit icmp any any packet-too-big
> permit icmp any any time-exceeded
> permit icmp any any traceroute
> permit icmp any any unreachable
> permit udp any eq bootps any eq bootpc
> permit udp any eq bootps any eq bootps
> permit udp any eq domain any
> permit udp any any eq ntp
> deny ip 1.0.0.0 0.255.255.255 any
> deny ip 2.0.0.0 0.255.255.255 any
> deny ip 5.0.0.0 0.255.255.255 any
> deny ip 7.0.0.0 0.255.255.255 any
> deny ip 23.0.0.0 0.255.255.255 any
> deny ip 27.0.0.0 0.255.255.255 any
> deny ip 31.0.0.0 0.255.255.255 any
> deny ip 36.0.0.0 0.255.255.255 any
> deny ip 37.0.0.0 0.255.255.255 any
> deny ip 39.0.0.0 0.255.255.255 any
> deny ip 41.0.0.0 0.255.255.255 any
> deny ip 42.0.0.0 0.255.255.255 any
> deny ip 49.0.0.0 0.255.255.255 any
> deny ip 50.0.0.0 0.255.255.255 any
> deny ip 58.0.0.0 0.255.255.255 any
> deny ip 59.0.0.0 0.255.255.255 any
> deny ip 60.0.0.0 0.255.255.255 any
> deny ip 70.0.0.0 0.255.255.255 any
> deny ip 71.0.0.0 0.255.255.255 any
> deny ip 72.0.0.0 0.255.255.255 any
> deny ip 73.0.0.0 0.255.255.255 any
> deny ip 74.0.0.0 0.255.255.255 any
> deny ip 75.0.0.0 0.255.255.255 any
> deny ip 76.0.0.0 0.255.255.255 any
> deny ip 77.0.0.0 0.255.255.255 any
> deny ip 78.0.0.0 0.255.255.255 any
> deny ip 79.0.0.0 0.255.255.255 any
> deny ip 83.0.0.0 0.255.255.255 any
> deny ip 84.0.0.0 0.255.255.255 any
> deny ip 85.0.0.0 0.255.255.255 any
> deny ip 86.0.0.0 0.255.255.255 any
> deny ip 87.0.0.0 0.255.255.255 any
> deny ip 88.0.0.0 0.255.255.255 any
> deny ip 89.0.0.0 0.255.255.255 any
> deny ip 90.0.0.0 0.255.255.255 any
> deny ip 91.0.0.0 0.255.255.255 any
> deny ip 92.0.0.0 0.255.255.255 any
> deny ip 93.0.0.0 0.255.255.255 any
> deny ip 94.0.0.0 0.255.255.255 any
> deny ip 95.0.0.0 0.255.255.255 any
> deny ip 96.0.0.0 0.255.255.255 any
> deny ip 97.0.0.0 0.255.255.255 any
> deny ip 98.0.0.0 0.255.255.255 any
> deny ip 99.0.0.0 0.255.255.255 any
> deny ip 100.0.0.0 0.255.255.255 any
> deny ip 101.0.0.0 0.255.255.255 any
> deny ip 102.0.0.0 0.255.255.255 any
> deny ip 103.0.0.0 0.255.255.255 any
> deny ip 104.0.0.0 0.255.255.255 any
> deny ip 105.0.0.0 0.255.255.255 any
> deny ip 106.0.0.0 0.255.255.255 any
> deny ip 107.0.0.0 0.255.255.255 any
> deny ip 108.0.0.0 0.255.255.255 any
> deny ip 109.0.0.0 0.255.255.255 any
> deny ip 110.0.0.0 0.255.255.255 any
> deny ip 111.0.0.0 0.255.255.255 any
> deny ip 112.0.0.0 0.255.255.255 any
> deny ip 113.0.0.0 0.255.255.255 any
> deny ip 114.0.0.0 0.255.255.255 any
> deny ip 115.0.0.0 0.255.255.255 any
> deny ip 116.0.0.0 0.255.255.255 any
> deny ip 117.0.0.0 0.255.255.255 any
> deny ip 118.0.0.0 0.255.255.255 any
> deny ip 119.0.0.0 0.255.255.255 any
> deny ip 120.0.0.0 0.255.255.255 any
> deny ip 121.0.0.0 0.255.255.255 any
> deny ip 122.0.0.0 0.255.255.255 any
> deny ip 123.0.0.0 0.255.255.255 any
> deny ip 124.0.0.0 0.255.255.255 any
> deny ip 125.0.0.0 0.255.255.255 any
> deny ip 126.0.0.0 0.255.255.255 any
> deny ip 197.0.0.0 0.255.255.255 any
> deny ip 201.0.0.0 0.255.255.255 any
> deny ip 10.0.0.0 0.255.255.255 any
> deny ip 172.16.0.0 0.15.255.255 any
> deny ip 192.168.0.0 0.0.255.255 any
> deny ip 224.0.0.0 15.255.255.255 any
> deny ip 240.0.0.0 15.255.255.255 any
> deny ip 0.0.0.0 0.255.255.255 any
> deny ip 169.254.0.0 0.0.255.255 any
> deny ip 192.0.2.0 0.0.0.255 any
> deny ip 127.0.0.0 0.255.255.255 any
> deny ip any any log
> logging trap debugging
> logging facility local2
> no cdp run
> !
> control-plane
> !
> banner motd ^C
> Authorized Access Only
> This system is the property of XXXXXXXXXXXXXXXXX.
> UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
> You must have explicit permission to access this
> device. All activities performed on this device
> are logged.
> ^C
> !
> line con 0
> exec-timeout 5 0
> password 7 NNNNNNNNNNNNNNNNNN
> logging synchronous
> login authentication local_auth
> transport output ssh
> line vty 0 4
> password 7 NNNNNNNNNNNNNNNN
> logging synchronous
> login authentication local_auth
> transport preferred ssh
> transport input ssh
> !
> scheduler max-task-time 5000
> ntp clock-period 17168539
> ntp server 216.136.10.198
> ntp server 213.222.11.222
> end
>
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.
>
>

Cool, networking is fun stuff, or dare I say as fun as playing with Linux :o
You will do fine with the CCNA reading books alone. Albeit the CCNA is a
thorough intro networking certification, if you can't pass it with
books alone you may want to reconsider your career direction :p

Your config looks pretty good. I would dump AAA ("no aaa new-model")
and just create an ACL to govern VTY access (assuming you will filter
RFC1918 sources inbound on your WAN interface). In your application
keep it simple.

access-list 51 remark NetworkManagement VTY
access-list 51 permit 192.168.x.x 0.0.0.255   (adjust to how granular you want)
then apply it to:
line vty 0 4
  access-class 51 in
(do a "no login authentication local_auth" in case it's still there)

If you aren't going to allow any internet sourced traffic into your
network (i.e. DNS, HTTP, FTP, et al.) then I recommend a default deny on
your inbound ACL "autosec_complete_bogon", and turn your 806 into your
main internet gateway.
Plug the 806 LAN into one of the netgear switch ports. This will
bridge the ethernet and wireless clients together into one LAN
(192.168.0.0). If you encrypt your wireless and filter by MAC it's
probably a good bet that your neighbors won't take the time to inject
packets into your network. ymmv

If you want to add more routers to practice on then you can interface
them into your LAN and build as many networks as you want from there
with routes towards your Inet gateway.

If you want to make internal services available to the inet, creating a
"DMZ" would be a good approach. Also if you want to play with IDS
you can experiment with receive only "taps"
(http://www.snort.org/docs/faq/1Q05/node31.html)
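
Added example (editor's code, not from Darrin's or Chris's posts): a small Python audit
of the points raised in the reply, run over a constructed excerpt shaped like the quoted
806 config. The sample CONFIG, the function names and the "interface Ethernet1" /
"line vty 0 4" block names it looks for are assumptions.

```python
import re

# Constructed excerpt in the shape of the quoted 806 "show run" (not the full config).
CONFIG = """\
aaa new-model
!
interface Ethernet1
 ip access-group autosec_complete_bogon in
!
ip access-list extended autosec_complete_bogon
 permit udp any any eq ntp
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip any any log
!
line vty 0 4
 login authentication local_auth
 transport input ssh
"""

RFC1918 = {"10.0.0.0 0.255.255.255", "172.16.0.0 0.15.255.255", "192.168.0.0 0.0.255.255"}

def parse_sections(text):
    """Group an IOS config into {block header: [indented lines]}; '!' or a blank ends a block."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            current = None
        elif not line.startswith(" "):          # top-level line opens a new block
            current = line.strip()
            sections[current] = []
        elif current is not None:               # indented line belongs to the open block
            sections[current].append(line.strip())
    return sections

def audit_ios_config(text, wan="interface Ethernet1", vty="line vty 0 4"):
    """Report whether RFC1918 sources are dropped inbound on the WAN, whether that ACL
    ends in an explicit deny, and whether the VTYs are ACL-restricted and SSH-only."""
    sections = parse_sections(text)
    acl_name = None
    for l in sections.get(wan, []):
        m = re.match(r"ip access-group (\S+) in$", l)
        if m:
            acl_name = m.group(1)
    acl = sections.get(f"ip access-list extended {acl_name}", [])
    denied = {m.group(1) for l in acl for m in [re.match(r"deny ip (\S+ \S+) any$", l)] if m}
    vty_lines = sections.get(vty, [])
    return {
        "wan_inbound_acl": acl_name,
        "rfc1918_denied_inbound": RFC1918 <= denied,
        "wan_acl_default_deny": bool(acl) and acl[-1].startswith("deny ip any any"),
        "vty_access_class": any(l.startswith("access-class ") for l in vty_lines),
        "vty_ssh_only": "transport input ssh" in vty_lines,
        "aaa_new_model": "aaa new-model" in sections,
    }
```

On the sample above the audit flags only the missing VTY access-class, which is the ACL the reply suggests adding.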


This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:20:12 EDT