Saturday, May 5, 2012

Secure Perimeter Routers, Disable Services & Logging

Securing a perimeter router rests on two main methods: ingress filtering and egress filtering.

Ingress filtering checks that incoming packets really come from the networks they claim to come from. Because IP address spoofing is more commonplace than ever, this kind of filtering is crucial: if a router is not set up to detect spoofed source addresses, spoofing attacks succeed easily, since the packets appear to come from trusted networks.

In ingress filtering, an inbound packet is dropped when it arrives from an outside network but carries the source address of an internal computer. To perform ingress filtering, the router needs to know which source addresses each connected network may legitimately send; this is not always possible, and a network with a single Internet connection has no way to find out whether an inbound packet on that connection is spoofed or not.

Egress filtering, on the other hand, is the practice of monitoring and potentially restricting the flow of information outbound from one network to another, ensuring that malicious or unauthorized data does not leave the internal network. A firewall or router performs this filtering by examining TCP/IP packets as they leave the internal network; packets that do not meet the security policy are denied "egress."
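The two checks described above, as an added example that is not part of the original post: a small Python model of what the router does at each interface. It goes slightly beyond the text by also modelling the upstream (ISP) form of ingress filtering, where the router must know which prefixes each downstream customer may send. All prefixes, interface names and packets are constructed for illustration.

```python
"""Added example, not part of the original post: a minimal model of the
ingress and egress checks a perimeter router applies.  All prefixes,
interface names and packets below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed site: the address space that lives behind our router.
INTERNAL_NETS = nets("192.168.1.0/24", "10.10.0.0/16")

# Sources that never legitimately arrive from the Internet: private space
# (RFC 1918), loopback, "this" network and link-local.
BOGON_NETS = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")

# ISP-style ingress table (constructed): the source prefixes each downstream
# customer interface is allowed to send.  Without this knowledge an upstream
# cannot tell a spoofed packet from a genuine one, which is the limitation
# the post describes for single-connection networks.
CUSTOMER_SOURCES = {
    "cust-a": nets("198.51.100.0/24"),
    "cust-b": nets("203.0.113.0/25"),
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str


def in_any(addr, netlist):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in netlist)


def site_ingress(pkt):
    """Stub-site ingress filter on the Internet-facing interface: drop
    anything claiming an internal or bogon source."""
    if in_any(pkt.src, INTERNAL_NETS):
        return "deny", "spoofed: internal source arriving from outside"
    if in_any(pkt.src, BOGON_NETS):
        return "deny", "bogon source arriving from outside"
    return "permit", "source plausible for the outside interface"


def isp_ingress(pkt):
    """Upstream ingress filter: only the prefixes assigned to the customer
    behind this interface may appear as the source."""
    allowed = CUSTOMER_SOURCES.get(pkt.iface)
    if allowed is None:
        return "deny", f"no source policy known for {pkt.iface}"
    if not in_any(pkt.src, allowed):
        return "deny", f"source not assigned to {pkt.iface}"
    return "permit", "source matches customer assignment"


def site_egress(pkt):
    """Egress filter on the inside interface: only our own addresses may
    leave, so a compromised host cannot spoof someone else's address."""
    if not in_any(pkt.src, INTERNAL_NETS):
        return "deny", "source not in our address space, refusing egress"
    return "permit", "source is ours"


def filter_packet(pkt, role="site"):
    """Dispatch to the right check for the interface the packet arrived on."""
    if role == "isp":
        return isp_ingress(pkt)
    if pkt.iface == "outside":
        return site_ingress(pkt)
    if pkt.iface == "inside":
        return site_egress(pkt)
    return "deny", f"unknown interface {pkt.iface}"


# Constructed traffic sample.
SAMPLE = [
    Packet("outside", "192.168.1.7", "203.0.113.5"),    # spoofed internal src
    Packet("outside", "10.99.1.1", "203.0.113.5"),      # RFC 1918 bogon
    Packet("outside", "198.51.100.9", "192.168.1.20"),  # legitimate inbound
    Packet("inside", "192.168.1.7", "198.51.100.9"),    # legitimate outbound
    Packet("inside", "203.0.113.99", "198.51.100.9"),   # host spoofing a stranger
]


def run(packets=SAMPLE, role="site"):
    """Return the decision for every packet, in input order."""
    return [filter_packet(p, role)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE:
        action, why = filter_packet(p)
        print(f"{p.iface:8} {p.src:>15} -> {p.dst:<15} {action:6} ({why})")
```

On a Cisco router the site_ingress policy corresponds to an inbound access list on the outside interface that denies the internal prefixes and bogons as sources, or to unicast reverse-path forwarding (ip verify unicast source reachable-via rx); site_egress corresponds to an inbound access list on the inside interface that permits only the site's own prefixes.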

The next section covers disabling services. Routers usually ship with many services enabled by default; not all of them are needed, and any that are unused should be disabled for security. Examples of such services:

Disable bootp server
bootp is enabled by default, and if you are not using it, you should definitely disable it. Use the no ip bootp server command in global configuration mode to disable bootp on your routers:
Test(config)# no ip bootp server

Disable CDP
Cisco Discovery Protocol (CDP) is also enabled by default, and we highly recommend that you disable this service on the router globally. You can disable CDP globally with the no cdp run command in global configuration mode, or on a per-interface basis with the no cdp enable command in interface configuration mode:
Test(config)# no cdp run
Test(config-if)# no cdp enable

These are examples of services that should be disabled on the router; there are more, of course.
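A way to check that the two services above have actually been turned off, as an added example that is not part of the original post: a small Python audit that reads a saved running-config and reports where bootp or CDP is still active. The configuration text is constructed for illustration; the checks assume, as the post states, that both services default to enabled, so their absence from the config means they are still running.

```python
"""Added example, not part of the original post: audit a saved Cisco IOS
running-config for the two services the post says to disable.  The config
text below is constructed for illustration."""

# Constructed running-config excerpt: CDP has been turned off on one
# interface only, and the bootp server has not been disabled at all.
SAMPLE_CONFIG = """\
!
hostname Test
!
ip cef
!
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/1
 description Inside
 ip address 192.168.1.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""


def global_lines(config):
    """Lines at column 0, i.e. commands entered in global configuration mode."""
    return [l.rstrip() for l in config.splitlines()
            if l and not l.startswith(" ")]


def interface_blocks(config):
    """Map interface name -> list of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None   # a "!" or another global command ends the block
    return blocks


def audit(config):
    """Return a list of findings; an empty list means both services are off.
    Both services default to enabled, so the absence of the 'no ...' form
    from the config means the service is still running."""
    findings = []
    glob = global_lines(config)
    if "no ip bootp server" not in glob:
        findings.append("bootp server still enabled: add 'no ip bootp server'")
    if "no cdp run" not in glob:
        # CDP not disabled globally: every interface must carry its own
        # 'no cdp enable' or it is still advertising.
        for name, cmds in interface_blocks(config).items():
            if "no cdp enable" not in cmds:
                findings.append(f"CDP still enabled on {name}: add 'no cdp run' "
                                f"globally or 'no cdp enable' on the interface")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

The same pattern extends to any other default-on service the post alludes to: add the expected "no ..." line to the global check, or the per-interface form to the interface loop.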
The next section, logging, covers logging methods such as console, buffered, terminal line, syslog and SNMP. There are 8 log security levels, numbered 0 (the lowest) to 7 (the highest), with 6 as the default. Routers provide logging because it is essential that changes and configurations are recorded with details such as the time, the log message name and severity level, and text showing where the change was configured from.
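The message details described above, as an added example that is not part of the original post: a Python parser for Cisco IOS syslog lines that splits out facility, severity and mnemonic, applies a severity threshold the way a syslog trap level does, and extracts who changed the configuration and from where. The log sample is constructed for illustration (the SYS-7-SAMPLE_DEBUG mnemonic is made up), and the timestamp format assumes the router has "service timestamps log datetime msec" configured.

```python
"""Added example, not part of the original post: parse Cisco IOS syslog
lines, apply a severity threshold, and extract configuration-change
details.  The log sample is constructed; SYS-7-SAMPLE_DEBUG is made up."""
import re

# IOS severity numbers and the names IOS uses for them; 0 is most severe.
SEVERITY_NAMES = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
                  4: "warnings", 5: "notifications", 6: "informational",
                  7: "debugging"}

# Constructed sample in the format a router emits with msec timestamps.
SAMPLE_LOG = """\
*May  5 10:01:02.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
*May  5 10:01:09.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
*May  5 10:01:10.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*May  5 10:02:44.789: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
*May  5 10:03:00.000: %SYS-7-SAMPLE_DEBUG: constructed debugging-level message
not a syslog line at all
*May  5 10:05:17.321: %SYS-5-CONFIG_I: Configured from memory by console
"""

# timestamp, optional time-zone word, then %FACILITY-SEVERITY-MNEMONIC: text
LINE_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:.]+)(?:\s+\w+)?:\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<text>.*)$")

CONFIG_RE = re.compile(
    r"Configured from (?P<source>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?")


def parse_line(line):
    """Return a dict of fields, or None if the line is not an IOS message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["severity_name"] = SEVERITY_NAMES[d["severity"]]
    return d


def parse_log(text):
    """Parse every line; lines that are not IOS syslog messages are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def forwarded(entries, trap_level=6):
    """Messages a 'logging trap <level>' setting would send to the syslog
    host: everything at that severity or more severe (numerically lower).
    Level 6, informational, is the default the post mentions."""
    return [e for e in entries if e["severity"] <= trap_level]


def config_changes(entries):
    """Who reconfigured the router, and from where, per %SYS-5-CONFIG_I."""
    out = []
    for e in entries:
        if e["mnemonic"] != "CONFIG_I":
            continue
        m = CONFIG_RE.search(e["text"])
        if m:
            out.append({"when": e["ts"], **m.groupdict()})
    return out


def severity_histogram(entries):
    """Count messages per severity name, useful for spotting noisy levels."""
    counts = {}
    for e in entries:
        counts[e["severity_name"]] = counts.get(e["severity_name"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} messages parsed; {len(forwarded(entries))} "
          f"would reach the syslog host at trap level 6")
    for change in config_changes(entries):
        print("config change:", change)
```

Forwarding on severity alone means a trap level of 6 still drops debugging output, which is the intended trade-off: the CONFIG_I notification that records who changed what, and from which line, is level 5 and always gets through.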

1 comment:

  1. I think CDP service is the most important service to disable on a router. It announces router information, such as the IOS version, to any computer on the network segment. If the attacker gets hold of this information, they would be able to use it to exploit the vulnerabilities of that IOS version.
